diff options
author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:48 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
commit | 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa (patch) | |
tree | 3272f3405970a830bfeb82387af1ca6ee37eda8e /nx-X11/programs/Xserver/GL/glx/rensize.c | |
parent | 9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d (diff) | |
download | nx-libs-1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa.tar.gz nx-libs-1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa.tar.bz2 nx-libs-1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa.zip |
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
v3: RHEL5 backport
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'nx-X11/programs/Xserver/GL/glx/rensize.c')
-rw-r--r-- | nx-X11/programs/Xserver/GL/glx/rensize.c | 125 |
1 files changed, 67 insertions, 58 deletions
diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c index 9bf0d00e9..dc3475e7f 100644 --- a/nx-X11/programs/Xserver/GL/glx/rensize.c +++ b/nx-X11/programs/Xserver/GL/glx/rensize.c @@ -48,7 +48,7 @@ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) -int __glXCallListsReqSize(GLbyte *pc, Bool swap ) +int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); GLenum type = *(GLenum *)(pc + 4); @@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap ) return n * __glCallLists_size( type ); } -int __glXFogivReqSize(GLbyte *pc, Bool swap ) +int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ } -int __glXFogfvReqSize(GLbyte *pc, Bool swap ) +int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXFogivReqSize( pc, swap ); + return __glXFogivReqSize( pc, swap, reqlen); } -int __glXLightfvReqSize(GLbyte *pc, Bool swap ) +int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ } -int __glXLightivReqSize(GLbyte *pc, Bool swap ) +int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXLightfvReqSize( pc, swap ); + return __glXLightfvReqSize( pc, swap, reqlen); } -int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) +int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ } -int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) +int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXLightModelfvReqSize( pc, swap ); + return __glXLightModelfvReqSize( pc, swap, reqlen); } -int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) +int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ } -int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) +int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXMaterialfvReqSize( pc, swap ); + return __glXMaterialfvReqSize( pc, swap, reqlen); } -int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) +int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ } -int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) +int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXTexGenfvReqSize( pc, swap ); + return __glXTexGenfvReqSize( pc, swap, reqlen); } -int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXTexParameterfvReqSize( pc, swap ); + return __glXTexParameterfvReqSize( pc, swap, reqlen); } -int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) +int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXTexEnvfvReqSize( pc, swap ); + return __glXTexEnvfvReqSize( pc, swap, reqlen); } -int __glXMap1dReqSize(GLbyte *pc, Bool swap ) +int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; GLint order; @@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) return safe_mul(8, safe_mul(__glMap1d_size(target), order)); } -int __glXMap1fReqSize(GLbyte *pc, Bool swap ) +int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; GLint order; @@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) return safe_mul(k, safe_mul(majorOrder, minorOrder)); } -int __glXMap2dReqSize(GLbyte *pc, Bool swap ) +int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); } -int __glXMap2fReqSize(GLbyte *pc, Bool swap ) +int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); } -int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLint mapsize; mapsize = *(GLint *)(pc + 4); @@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) return 4 * mapsize; } -int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXPixelMapfvReqSize( pc, swap ); + return __glXPixelMapfvReqSize( pc, swap, reqlen); } -int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLint mapsize; mapsize = *(GLint *)(pc + 4); @@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, } -int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) +int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; GLenum format = hdr->format; @@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXBitmapReqSize(GLbyte *pc, Bool swap ) +int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; GLint w = hdr->width; @@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; GLenum target = hdr->target; @@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; GLenum target = hdr->target; @@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) } } -int __glXDrawArraysSize( GLbyte *pc, Bool swap ) +int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { @@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i=0; i<numComponents; i++) { @@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) return -1; } - arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); + x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); + if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) + return -1; pc += sizeof(__GLXdispatchDrawArraysComponentHeader); } - return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + - (numVertexes * arrayElementSize)); + return safe_add(size, safe_mul(numVertexes, arrayElementSize)); } -int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap ) +int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen) { GLint n = *(GLsizei *)(pc + 0); if (swap) n = SWAPL(n); return(8*n); /* 4*n for textures, 4*n for priorities */ } -int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; GLenum format = hdr->format; @@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; GLenum format = hdr->format; @@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; GLenum target = hdr->target; @@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) } } -int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexSubImage3DHeader *hdr = (__GLXdispatchTexSubImage3DHeader *) pc; @@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) } } -int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, 0, alignment ); } -int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) return __glXConvolutionParameterivSize(pname); } -int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) return 4 * __glXConvolutionParameterivSize( pname ); } -int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXConvolutionParameterivReqSize( pc, swap ); + return __glXConvolutionParameterivReqSize( pc, swap, reqlen); } -int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) +int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) return __glXColorTableParameterfvSize(pname); } -int __glXColorTableReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchColorTableHeader *hdr = (__GLXdispatchColorTableHeader *) pc; @@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, 0, alignment ); } -int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) +int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchColorSubTableHeader *hdr = (__GLXdispatchColorSubTableHeader *) pc; @@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, 0, alignment ); } -int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glXColorTableParameterfvSize(pname); } -int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { /* no difference between fv and iv versions */ - return __glXColorTableParameterfvReqSize(pc, swap); + return __glXColorTableParameterfvReqSize(pc, swap, reqlen); } -int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) +int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) return 4 * __glPointParameterfvEXT_size( pname ); } -int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { /* no difference between fv and iv versions */ - return __glXPointParameterfvARBReqSize(pc, swap); + return __glXPointParameterfvARBReqSize(pc, swap, reqlen); } |