File U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch of Package xorg-x11-server.openSUSE_12.3_Update
Subject: glx: Be more strict about rejecting invalid image sizes
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb <msrb@suse.com>
Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/singlepix.c | 16 ++++++++--------
 glx/singlepixswap.c | 16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)
Index: xorg-server-1.14.3.901/glx/singlepix.c
===================================================================
--- xorg-server-1.14.3.901.orig/glx/singlepix.c
+++ xorg-server-1.14.3.901/glx/singlepix.c
@@ -69,7 +69,7 @@ __glXDisp_ReadPixels(__GLXclientState *
 lsbFirst = *(GLboolean *) (pc + 25);
 compsize = __glReadPixels_size(format, type, width, height);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst));
@@ -134,7 +134,7 @@ __glXDisp_GetTexImage(__GLXclientState *
 compsize = __glGetTexImage_size(target, level, format, type, width, height, depth);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
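Review bot: The new `if (compsize < 0) return BadLength;` in __glXDisp_ReadPixels rejects only a negative size, so it is only as strong as `__glReadPixels_size()`: if that helper's size arithmetic can wrap to a small positive value instead of returning a negative one, the undersized answer buffer described in the commit message is still reachable. The helper is not part of this patch, so that needs confirming there; the same dependency applies to the `__glGetTexImage_size()` checks in every other hunk of glx/singlepix.c and glx/singlepixswap.c. I would record the assumption at the check, e.g. `/* size helpers must return a negative value on overflow; a wrapped positive size is not caught here */`. The function body continues outside the hunk.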
@@ -232,9 +232,9 @@ GetSeparableFilter(__GLXclientState * cl
 compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
 compsize = __GLX_PAD(compsize);
 compsize2 = __GLX_PAD(compsize2);
@@ -315,7 +315,7 @@ GetConvolutionFilter(__GLXclientState *
 */
 compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -386,7 +386,7 @@ GetHistogram(__GLXclientState * cl, GLby
 */
 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -447,7 +447,7 @@ GetMinmax(__GLXclientState * cl, GLbyte
 compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -513,7 +513,7 @@ GetColorTable(__GLXclientState * cl, GLb
 */
 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
Index: xorg-server-1.14.3.901/glx/singlepixswap.c
===================================================================
--- xorg-server-1.14.3.901.orig/glx/singlepixswap.c
+++ xorg-server-1.14.3.901/glx/singlepixswap.c
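Review bot: In GetSeparableFilter (glx/singlepix.c, and the matching hunk at -267,9 in glx/singlepixswap.c) both sizes go into `__GLX_PAD()` directly after the new checks, and a value just below INT_MAX passes `< 0` yet can overflow when it is rounded up, assuming the macro pads to a four-byte boundary and the variables are plain ints declared outside the hunk. If the two padded sizes are later added together for a single reply buffer, that sum has the same problem. I would bound the values before padding, for example `if (compsize > INT_MAX - 3 || compsize2 > INT_MAX - 3) return BadLength;` ahead of the `__GLX_PAD` lines, and check the sum where it is computed. The rest of the function is outside the hunk.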
@@ -79,7 +79,7 @@ __glXDispSwap_ReadPixels(__GLXclientStat
 lsbFirst = *(GLboolean *) (pc + 25);
 compsize = __glReadPixels_size(format, type, width, height);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst));
@@ -155,7 +155,7 @@ __glXDispSwap_GetTexImage(__GLXclientSta
 compsize = __glGetTexImage_size(target, level, format, type, width, height, depth);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -267,9 +267,9 @@ GetSeparableFilter(__GLXclientState * cl
 compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
 compsize = __GLX_PAD(compsize);
 compsize2 = __GLX_PAD(compsize2);
@@ -358,7 +358,7 @@ GetConvolutionFilter(__GLXclientState *
 */
 compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -437,7 +437,7 @@ GetHistogram(__GLXclientState * cl, GLby
 */
 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -505,7 +505,7 @@ GetMinmax(__GLXclientState * cl, GLbyte
 compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -577,7 +577,7 @@ GetColorTable(__GLXclientState * cl, GLb
 */
 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
 if (compsize < 0)
- compsize = 0;
+ return BadLength;
 CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
 __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);