aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/GL/glx/rensize.c
diff options
context:
space:
mode:
authorAdam Jackson <ajax@redhat.com>2014-11-10 12:13:48 -0500
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commit1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa (patch)
tree3272f3405970a830bfeb82387af1ca6ee37eda8e /nx-X11/programs/Xserver/GL/glx/rensize.c
parent9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d (diff)
downloadnx-libs-1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa.tar.gz
nx-libs-1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa.tar.bz2
nx-libs-1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa.zip
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'nx-X11/programs/Xserver/GL/glx/rensize.c')
-rw-r--r--nx-X11/programs/Xserver/GL/glx/rensize.c125
1 files changed, 67 insertions, 58 deletions
diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
index 9bf0d00e9..dc3475e7f 100644
--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
+++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
@@ -48,7 +48,7 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-int __glXCallListsReqSize(GLbyte *pc, Bool swap )
+int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 0);
GLenum type = *(GLenum *)(pc + 4);
@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap )
return n * __glCallLists_size( type );
}
-int __glXFogivReqSize(GLbyte *pc, Bool swap )
+int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap )
return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */
}
-int __glXFogfvReqSize(GLbyte *pc, Bool swap )
+int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXFogivReqSize( pc, swap );
+ return __glXFogivReqSize( pc, swap, reqlen);
}
-int __glXLightfvReqSize(GLbyte *pc, Bool swap )
+int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */
}
-int __glXLightivReqSize(GLbyte *pc, Bool swap )
+int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXLightfvReqSize( pc, swap );
+ return __glXLightfvReqSize( pc, swap, reqlen);
}
-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
+int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */
}
-int __glXLightModelivReqSize(GLbyte *pc, Bool swap )
+int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXLightModelfvReqSize( pc, swap );
+ return __glXLightModelfvReqSize( pc, swap, reqlen);
}
-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
+int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */
}
-int __glXMaterialivReqSize(GLbyte *pc, Bool swap )
+int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXMaterialfvReqSize( pc, swap );
+ return __glXMaterialfvReqSize( pc, swap, reqlen);
}
-int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
+int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexGenivReqSize(GLbyte *pc, Bool swap )
+int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXTexGenfvReqSize( pc, swap );
+ return __glXTexGenfvReqSize( pc, swap, reqlen);
}
-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXTexParameterfvReqSize( pc, swap );
+ return __glXTexParameterfvReqSize( pc, swap, reqlen);
}
-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
+int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXTexEnvfvReqSize( pc, swap );
+ return __glXTexEnvfvReqSize( pc, swap, reqlen);
}
-int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
GLint order;
@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
-int __glXMap1fReqSize(GLbyte *pc, Bool swap )
+int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
GLint order;
@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder)
return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
-int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum target;
GLint uorder, vorder;
@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
-int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum target;
GLint uorder, vorder;
@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLint mapsize;
mapsize = *(GLint *)(pc + 4);
@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
return 4 * mapsize;
}
-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXPixelMapfvReqSize( pc, swap );
+ return __glXPixelMapfvReqSize( pc, swap, reqlen);
}
-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLint mapsize;
mapsize = *(GLint *)(pc + 4);
@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
}
-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
+int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc;
GLenum format = hdr->format;
@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXBitmapReqSize(GLbyte *pc, Bool swap )
+int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc;
GLint w = hdr->width;
@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
GLenum target = hdr->target;
@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
GLenum target = hdr->target;
@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm)
}
}
-int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
__GLXdispatchDrawArraysComponentHeader *compHeader;
GLint numVertexes = hdr->numVertexes;
GLint numComponents = hdr->numComponents;
GLint arrayElementSize = 0;
+ GLint x, size;
int i;
if (swap) {
@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
}
pc += sizeof(__GLXdispatchDrawArraysHeader);
+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+ numComponents);
+ if (size < 0 || reqlen < 0 || reqlen < size)
+ return -1;
+
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
for (i=0; i<numComponents; i++) {
@@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
return -1;
}
- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
+ return -1;
pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
}
- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
- (numVertexes * arrayElementSize));
+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
}
-int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap )
+int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLint n = *(GLsizei *)(pc + 0);
if (swap) n = SWAPL(n);
return(8*n); /* 4*n for textures, 4*n for priorities */
}
-int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
GLenum format = hdr->format;
@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
GLenum format = hdr->format;
@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc;
GLenum target = hdr->target;
@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
}
}
-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexSubImage3DHeader *hdr =
(__GLXdispatchTexSubImage3DHeader *) pc;
@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
}
}
-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, 0, alignment );
}
-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname)
return __glXConvolutionParameterivSize(pname);
}
-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
return 4 * __glXConvolutionParameterivSize( pname );
}
-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXConvolutionParameterivReqSize( pc, swap );
+ return __glXConvolutionParameterivReqSize( pc, swap, reqlen);
}
-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
+int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname)
return __glXColorTableParameterfvSize(pname);
}
-int __glXColorTableReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchColorTableHeader *hdr =
(__GLXdispatchColorTableHeader *) pc;
@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, 0, alignment );
}
-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
+int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchColorSubTableHeader *hdr =
(__GLXdispatchColorSubTableHeader *) pc;
@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, 0, alignment );
}
-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glXColorTableParameterfvSize(pname);
}
-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
/* no difference between fv and iv versions */
- return __glXColorTableParameterfvReqSize(pc, swap);
+ return __glXColorTableParameterfvReqSize(pc, swap, reqlen);
}
-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
+int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
return 4 * __glPointParameterfvEXT_size( pname );
}
-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
/* no difference between fv and iv versions */
- return __glXPointParameterfvARBReqSize(pc, swap);
+ return __glXPointParameterfvARBReqSize(pc, swap, reqlen);
}