Commit 23fe7718 authored by Adam Jackson's avatar Adam Jackson 💣 Committed by Alan Coopersmith

glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]

If the size computation routine returns -1 we should just reject the
request outright.  Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard's avatarKeith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau's avatarJulien Cristau <jcristau@debian.org>
Reviewed-by: default avatarMichal Srb <msrb@suse.com>
Reviewed-by: default avatarAndy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson's avatarAdam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
parent f4afd53f
......@@ -2062,7 +2062,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
client->swapped);
if (extra < 0) {
extra = 0;
return BadLength;
}
if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
......@@ -2179,7 +2179,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
client->swapped);
if (extra < 0) {
extra = 0;
return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment