diff options
| author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:38 -0500 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
| commit | d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d (patch) | |
| tree | 9e661d21032c04bcb0d569460defb87ba60e4bc4 | |
| parent | cdf0c3e65670c797a4fd0617d44d2bdff4011815 (diff) | |
| download | nx-libs-d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d.tar.gz nx-libs-d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d.tar.bz2 nx-libs-d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d.zip | |
glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
| -rw-r--r-- | nx-X11/programs/Xserver/GL/glx/unpack.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/GL/glx/unpack.h b/nx-X11/programs/Xserver/GL/glx/unpack.h index 723fb85f3..94bdae8f9 100644 --- a/nx-X11/programs/Xserver/GL/glx/unpack.h +++ b/nx-X11/programs/Xserver/GL/glx/unpack.h @@ -89,7 +89,8 @@ extern xGLXSingleReply __glXReply; ** pointer. */ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ - if ((size) > sizeof(answerBuffer)) { \ + if (size < 0) return BadLength; \ + else if ((size) > sizeof(answerBuffer)) { \ int bump; \ if ((cl)->returnBufSize < (size)+(align)) { \ (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \ |