author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:48 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
commit | 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa (patch) | |
tree | 3272f3405970a830bfeb82387af1ca6ee37eda8e /nx-X11/programs/Xserver/GL/glx/glxcmds.c | |
parent | 9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d (diff) | |
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
v3: RHEL5 backport
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'nx-X11/programs/Xserver/GL/glx/glxcmds.c')
-rw-r--r-- | nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
index 20c12f3f9..a1bb25975 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
 if (entry->varsize) {
 /* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE);
 if (extra < 0) {
 return BadLength;
 }
@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
 if (cl->largeCmdRequestsSoFar == 0) {
 __GLXrenderSizeData *entry;
 int extra = 0, cmdlen;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
 /*
 ** This is the first request of a multi request command.
 ** Make enough space in the buffer, then copy the entire request.
@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
 ** be computed from its parameters), all the parameters needed
 ** will be in the 1st request, so it's okay to do this.
 */
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
 if (extra < 0) {
 return BadLength;
 } |
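Review bot: Both new `->varsize` arguments are plain subtractions, `left - __GLX_RENDER_HDR_SIZE` in `__glXRender` and `left - __GLX_RENDER_LARGE_HDR_SIZE` in `__glXRenderLarge`, and nothing in these hunks shows that `left` is at least the header size at that point. If no earlier check guarantees it, a short request hands the size callback a negative byte budget, and whether that is rejected then depends on each callback comparing in signed arithmetic. I would make the precondition explicit before the header is dereferenced, e.g. `if (left < __GLX_RENDER_LARGE_HDR_SIZE) return BadLength;` (and the `__GLX_RENDER_HDR_SIZE` equivalent in `__glXRender`), or add a comment naming the check that already enforces it. A one-line comment on the new declaration, `/* bytes after the request header, as claimed by the client-supplied req->length */`, would also record the unit and the trust level of the value. Both functions start and end outside the hunks, so an existing guard may simply not be visible here.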