From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001
From: Adam Jackson
Date: Mon, 10 Nov 2014 12:13:48 -0500
Subject: glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
v3: RHEL5 backport
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
Signed-off-by: Fedora X Ninjas
Signed-off-by: Dave Airlie
---
nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c')
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
index 2e228c083..33a748a24 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
 if (entry->varsize) {
 /* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
+ left - __GLX_RENDER_HDR_SIZE);
 if (extra < 0) {
 return BadLength;
 }
@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
 if (cl->largeCmdRequestsSoFar == 0) {
 __GLXrenderSizeData *entry;
 int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
 size_t cmdlen;
 /*
 ** This is the first request of a multi request command.
@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
 ** be computed from its parameters), all the parameters needed
 ** will be in the 1st request, so it's okay to do this.
 */
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
 if (extra < 0) {
 return BadLength;
 }
--
cgit v1.2.3
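Review bot: The remaining length handed to ->varsize in __glXSwapRender, `left - __GLX_RENDER_HDR_SIZE`, is not visibly guarded against going negative, and the same holds for `left - __GLX_RENDER_LARGE_HDR_SIZE` in the last hunk (__glXSwapRenderLarge). In __glXSwapRender `left` is declared outside the hunk, so an earlier comparison may already exist there; in __glXSwapRenderLarge `left` is introduced by this commit and none of the added lines compares it with the header size, though an existing check on `req->length` outside the hunks may cover it. Unless every ->varsize callback (defined in other files) rejects a negative length, the guard belongs at the call site, e.g. `if (left < __GLX_RENDER_HDR_SIZE) return BadLength;` and the RenderLarge equivalent placed before the command header is read. Both function bodies extend beyond the hunks.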
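Review bot: The new `int left = (req->length << 2) - sz_xGLXRenderLargeReq;` in __glXSwapRenderLarge is evaluated at block entry and is only correct if `req->length` has already been byte-swapped by that point; this is the swapped-client path and the swap is not visible in the hunk. A short comment on the declaration would pin that ordering for later backports, for example `/* bytes after the fixed request; req->length is already swapped here */`, once confirmed against the top of the function. The enclosing function starts and ends outside the hunk.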