File U_glx_Be_more_paranoid_about_variable_length_requests.patch of Package xorg-x11-server
Subject: glx: Be more paranoid about variable-length requests References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/glxcmds.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 8d3fa9f..0521b58 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -2060,7 +2060,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, client->swapped); if (extra < 0) { - extra = 0; + return BadLength; } if (cmdlen != __GLX_PAD(entry.bytes + extra)) { return BadLength; @@ -2177,7 +2177,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, client->swapped); if (extra < 0) { - extra = 0; + return BadLength; } /* large command's header is 4 bytes longer, so add 4 */ if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { -- 1.7.9.2
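Review bot: In the __glXDisp_Render hunk, rejecting a negative `extra` still leaves the following `cmdlen != __GLX_PAD(entry.bytes + extra)` comparison exposed to a large positive `extra`, because the sum and the padding are computed without an overflow check. A wrapped result could again be made to match a chosen `cmdlen`, which is the same class of bypass the commit message describes for the clamp-to-zero case. Consider bounding `extra` before the addition, or doing the add and pad with overflow-checked arithmetic and returning BadLength on failure.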
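Review bot: In the __glXDisp_RenderLarge hunk, the `if (extra < 0) { return BadLength; }` block is a verbatim copy of the one in __glXDisp_Render, and the fact that a negative return from `entry.varsize` means "reject this request" is stated only in the commit message. A short comment at the check would record that contract in the code. Since the two sites differ only in the header size constant and the extra 4 bytes, a shared helper for the varsize call plus length comparison would keep them from drifting apart in later fixes.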