author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:06:49 -0500 |
commit | 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch) | |
tree | f2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/glx/singlepixswap.c | |
parent | 212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff) | |
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/glx/singlepixswap.c')
-rw-r--r-- | xorg-server/glx/singlepixswap.c | 50 |
1 files changed, 37 insertions, 13 deletions
diff --git a/xorg-server/glx/singlepixswap.c b/xorg-server/glx/singlepixswap.c index b1ed6cec7..fa373faad 100644 --- a/xorg-server/glx/singlepixswap.c +++ b/xorg-server/glx/singlepixswap.c @@ -56,6 +56,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc) int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -78,7 +80,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc) lsbFirst = *(GLboolean *) (pc + 25); compsize = __glReadPixels_size(format, type, width, height); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); @@ -117,6 +119,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc) char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -147,7 +151,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc) compsize = __glGetTexImage_size(target, level, format, type, width, height, depth); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -187,6 +191,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
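Review bot: The payload lengths passed to REQUEST_FIXED_SIZE in __glXDispSwap_ReadPixels (28), __glXDispSwap_GetTexImage (20) and __glXDispSwap_GetPolygonStipple (4) are bare literals with nothing tying them to the fields each handler reads. For ReadPixels the second hunk shows the last read at `pc + 25`, so 28 is presumably that 26-byte payload rounded up to a multiple of four, but a reader has to reconstruct this for every handler. I would add a comment at each call, for example `/* 28 = payload bytes read below (through pc + 25), padded to 4 */`, or give the sizes named constants. The same applies to the literal 16 in the wrapper hunks further down; all three function bodies here extend beyond the hunks shown.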
@@ -254,15 +260,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) - compsize = 0; - if (compsize2 < 0) - compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), *(GLenum *) (pc + 8), answer, answer + compsize, NULL); @@ -288,7 +292,9 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -296,7 +302,9 @@ int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -341,7 +349,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); 
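Review bot: In GetSeparableFilter the result of `safe_add(compsize, compsize2)` goes straight into __GLX_GET_ANSWER_BUFFER with no visible check, unlike the two `safe_pad` results just above it, which are tested for `< 0`. Whether the macro rejects a negative size is not visible on this page, and a macro argument may be expanded more than once, so the overflow case is better handled where the sum is computed. Suggest a local declared alongside `compsize`: `total = safe_add(compsize, compsize2);`, then `if (total < 0) return BadLength;`, then `__GLX_GET_ANSWER_BUFFER(answer, cl, total, 1);`. The function begins and ends outside the hunk.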
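Review bot: In __glXDispSwap_GetSeparableFilter the initialiser of `tag` reads the context tag out of the request before REQUEST_FIXED_SIZE has checked the request length. The value is not used until after the check, so this is only a stray read, but it is safe only if the dispatcher has already guaranteed a complete header, which this file section does not show. Moving the read past the check removes that dependency: `return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, __GLX_GET_SINGLE_CONTEXT_TAG(pc));`. The EXT variant and the GetConvolutionFilter, GetHistogram, GetMinmax and GetColorTable wrappers in the later hunks follow the same order.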
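Review bot: The added `ClientPtr client = cl->client;` in __glXDispSwap_GetSeparableFilterEXT has no visible use in the wrapper, which invites a later cleanup to delete it as an unused local. It is there because REQUEST_FIXED_SIZE expands to code that refers to a variable named `client` and can return BadLength from the enclosing function. A short comment would record both hidden effects, for example `/* REQUEST_FIXED_SIZE uses client and may return BadLength */`. The same comment fits every wrapper this commit touches.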
@@ -370,7 +378,9 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -378,7 +388,9 @@ int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -418,7 +430,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -444,7 +456,9 @@ int __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -452,7 +466,9 @@ int __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -486,7 +502,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); 
@@ -510,7 +526,9 @@ int __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -518,7 +536,9 @@ int __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -557,7 +577,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -584,7 +604,9 @@ int __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -592,6 +614,8 @@ int __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } |