aboutsummaryrefslogtreecommitdiff
path: root/nxcomp/RenderExtension.cpp
diff options
context:
space:
mode:
authorAdam Jackson <ajax@redhat.com>2014-11-10 12:13:36 -0500
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commit5c43bb2484414b37115dac56dc76f1ecf4c05837 (patch)
tree4009cbea4fc311b17d4a965f5e5019600e77989e /nxcomp/RenderExtension.cpp
parentcea44678dd6a9418460ead314fb2106924b081f7 (diff)
downloadnx-libs-5c43bb2484414b37115dac56dc76f1ecf4c05837.tar.gz
nx-libs-5c43bb2484414b37115dac56dc76f1ecf4c05837.tar.bz2
nx-libs-5c43bb2484414b37115dac56dc76f1ecf4c05837.zip
glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6] (v2)
If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. v3: backport to nx-libs 3.6.x (Mike DePaulo) v2: backport to RHEL5 - fix swap paths Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swaps
Diffstat (limited to 'nxcomp/RenderExtension.cpp')
0 files changed, 0 insertions, 0 deletions