Overview

File U_08-glx-Work-around-wrong-request-lengths-sent-by-mesa.patch of Package xorg-x11-server.import5766

From: Julien Cristau <jcristau@debian.org>
Date: Sun Jan 23 13:35:54 2011 +0100
Subject: [PATCH] glx: Work around wrong request lengths sent by mesa
Patch-Mainline: Upstream
Git-commit: 402b329c3aa8ddbebaa1f593306a02d4cd6fed26
References: bnc #648278, CVE-2010-4818
Signed-off-by: Egbert Eich <eich@suse.de>

mesa used to send too long requests for GLXDestroyPixmap,
GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
and GLXGetFBConfigsSGIX.

Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>

Reported-by: xunx.fang@intel.com
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
---
 glx/glxcmds.c     |   19 +++++++++++++++----
 glx/glxcmdsswap.c |   12 +++++++-----
 2 files changed, 22 insertions(+), 9 deletions(-)

--- xorg-server-1.6.5.orig/glx/glxcmds.c
+++ xorg-server-1.6.5/glx/glxcmds.c
@@ -1113,7 +1113,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclie
 {
     ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
-    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+    /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
@@ -1341,7 +1342,9 @@ int __glXDisp_DestroyPixmap(__GLXclientS
     ClientPtr client = cl->client;
     xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+    /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+     * length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
 
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
@@ -1470,7 +1473,13 @@ int __glXDisp_ChangeDrawableAttributes(_
 	client->errorValue = req->numAttribs;
 	return BadValue;
     }
+#if 0
+    /* mesa sends an additional 8 bytes */
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	    return BadLength;
+#endif
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
@@ -1532,7 +1541,8 @@ int __glXDisp_DestroyWindow(__GLXclientS
     ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+    /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
 
     return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
 }
@@ -1849,7 +1859,8 @@ int __glXDisp_GetDrawableAttributes(__GL
     ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
 
-    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+    /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
 
     return DoGetDrawableAttributes(cl, req->drawable);
 }
--- xorg-server-1.6.5.orig/glx/glxcmdsswap.c
+++ xorg-server-1.6.5/glx/glxcmdsswap.c
@@ -282,7 +282,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLX
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
 
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -371,7 +371,7 @@ int __glXDispSwap_DestroyPixmap(__GLXcli
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
 
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
@@ -480,7 +480,9 @@ int __glXDispSwap_ChangeDrawableAttribut
 	client->errorValue = req->numAttribs;
 	return BadValue;
     }
-    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	return BadLength;
+
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
@@ -546,7 +548,7 @@ int __glXDispSwap_DestroyWindow(__GLXcli
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
 
     __GLX_SWAP_INT(&req->glxwindow);
 
@@ -746,7 +748,7 @@ int __glXDispSwap_GetDrawableAttributes(
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
 
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
openSUSE Build Service is sponsored by
Places