File U_glx_06_length_checking_for_glxrender_requests... of Package xorg-x11-server

Overview Repositories Revisions Requests Users Attributes Meta

File U_glx_06_length_checking_for_glxrender_requests.patch of Package xorg-x11-server

Subject: glx: Length checking for GLXRender requests
References: bnc#882226
Patch-Mainline: Upstream
Signed-off-by: Michal Srb <msrb@suse.com>

From: Julien Cristau <jcristau@debian.org>

Signed-off-by: Julien Cristau <jcristau@debian.org>
---
 glx/glxcmds.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index f8328af..41eb87a 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2023,7 +2023,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
     left = (req->length << 2) - sz_xGLXRenderReq;
     while (left > 0) {
         __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
         __GLXdispatchRenderProcPtr proc;
         int err;
 
@@ -2042,6 +2042,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
         cmdlen = hdr->length;
         opcode = hdr->opcode;
 
+        if (left < cmdlen || cmdlen < 0) {
+            return BadLength;
+        }
+
         /*
          ** Check for core opcodes and grab entry data.
          */
@@ -2055,6 +2059,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
             return __glXError(GLXBadRenderRequest);
         }
 
+        if (cmdlen < entry.bytes) {
+            return BadLength;
+        }
+
         if (entry.varsize) {
             /* variable size command */
             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2062,17 +2070,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
             if (extra < 0) {
                 return BadLength;
             }
-            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-                return BadLength;
-            }
         }
-        else {
-            /* constant size command */
-            if (cmdlen != __GLX_PAD(entry.bytes)) {
-                return BadLength;
-            }
-        }
-        if (left < cmdlen) {
+
+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
             return BadLength;
         }
 
-- 
1.9.0

_______________________________________________
xorg-security mailing list
xorg-security@lists.x.org
http://lists.x.org/mailman/listinfo/xorg-security

Places

File U_glx_06_length_checking_for_glxrender_requests.patch of Package xorg-x11-server

Places