From 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 Mon Sep 17 00:00:00 2001 From: Mike DePaulo Date: Sat, 10 Jan 2015 12:03:47 -0500 Subject: Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1) --- xorg-server/glx/indirect_reqsize.c | 152 ++++++++++++++++++------------------- 1 file changed, 75 insertions(+), 77 deletions(-) (limited to 'xorg-server/glx/indirect_reqsize.c') diff --git a/xorg-server/glx/indirect_reqsize.c b/xorg-server/glx/indirect_reqsize.c index a87f7d230..e67c84722 100644 --- a/xorg-server/glx/indirect_reqsize.c +++ b/xorg-server/glx/indirect_reqsize.c @@ -40,25 +40,23 @@ #include "indirect_size.h" #include "indirect_reqsize.h" -#define __GLX_PAD(x) (((x) + 3) & ~3) - #if defined(__CYGWIN__) || defined(__MINGW32__) # undef HAVE_ALIAS #endif #ifdef HAVE_ALIAS # define ALIAS2(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ __attribute__ ((alias( # to ))); # define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) #else # define ALIAS(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ - { return __glX ## to ## ReqSize( pc, swap ); } + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + { return __glX ## to ## ReqSize( pc, swap, reqlen ); } #endif int -__glXCallListsReqSize( const GLbyte * pc, Bool swap ) +__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); GLenum type = * (GLenum *)(pc + 4); @@ -70,11 +68,11 @@ GLenum type = * (GLenum *)(pc + 4); } compsize = __glCallLists_size(type); - return __GLX_PAD((compsize * n)); + return safe_pad(safe_mul(compsize, n)); } int -__glXBitmapReqSize( const GLbyte * pc, Bool swap ) +__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; 
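Review bot: With `__GLX_PAD` removed at the top of the file, every size computation below depends on `safe_pad`, `safe_mul` and `safe_add`, and no visible line of this patch declares them or says what they return when a client-supplied count is negative or the arithmetic overflows. The includes above line 40 are outside the hunk, so the helpers presumably come from a header pulled in there. A short comment next to the ALIAS macros would make the contract reviewable from this file, for example `/* safe_pad/safe_mul/safe_add come from <header>; a negative result means the size was rejected and callers must treat it as an error */`, with the header name filled in and the error convention confirmed against the helper definitions.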
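Review bot: `reqlen` is added to `__glXCallListsReqSize` but nothing in the visible body reads it, so the client-supplied `n` is constrained only by whatever `safe_mul` and `safe_pad` reject; any comparison with the real request length has to happen in the caller. The same holds for every other function these hunks touch. If that split is intended, record it once in a comment, e.g. `/* reqlen is not used here; the caller compares the returned size with the bytes left in the request */`, after confirming it against the call site, which is not part of this file's diff. The function starts in the previous hunk and a few lines between the two hunks are not shown.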
@@ -98,7 +96,7 @@ GLsizei height = *(GLsizei *)(pc + 24); } int -__glXFogfvReqSize( const GLbyte * pc, Bool swap ) +__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 0); GLsizei compsize; @@ -108,11 +106,11 @@ GLenum pname = * (GLenum *)(pc + 0); } compsize = __glFogfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightfvReqSize( const GLbyte * pc, Bool swap ) +__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -122,11 +120,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glLightfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightModelfvReqSize( const GLbyte * pc, Bool swap ) +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 0); GLsizei compsize; @@ -136,11 +134,11 @@ GLenum pname = * (GLenum *)(pc + 0); } compsize = __glLightModelfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXMaterialfvReqSize( const GLbyte * pc, Bool swap ) +__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -150,11 +148,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glMaterialfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPolygonStippleReqSize( const GLbyte * pc, Bool swap ) +__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -174,7 +172,7 @@ __glXPolygonStippleReqSize( const GLbyte * pc, Bool swap ) } int -__glXTexParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; 
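Review bot: `__glXBitmapReqSize` only gains the `reqlen` parameter: its return statement sits in unchanged lines between this hunk and the previous one, so this file adds no new check to its size computation. The function reads `row_length`, `height` and other fields straight from the client request, and the same signature-only pattern repeats in the PolygonStipple, TexImage1D/2D, DrawPixels, TexSubImage1D/2D/3D, ColorTable, ColorSubTable and ConvolutionFilter1D/2D hunks. Whether these are protected depends on the image-size routine they return through, which is not visible here; it should be confirmed to reject negative dimensions and overflowing products in the same way the `safe_*` helpers are expected to.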
@@ -184,11 +182,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage1DReqSize( const GLbyte * pc, Bool swap ) +__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -216,7 +214,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXTexImage2DReqSize( const GLbyte * pc, Bool swap ) +__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -246,7 +244,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXTexEnvfvReqSize( const GLbyte * pc, Bool swap ) +__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -256,11 +254,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexEnvfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexGendvReqSize( const GLbyte * pc, Bool swap ) +__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -270,11 +268,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexGendv_size(pname); - return __GLX_PAD((compsize * 8)); + return safe_pad(safe_mul(compsize, 8)); } int -__glXTexGenfvReqSize( const GLbyte * pc, Bool swap ) +__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -284,11 +282,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexGenfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPixelMapfvReqSize( const GLbyte * pc, Bool swap ) +__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *)(pc + 4); 
@@ -296,11 +294,11 @@ GLsizei mapsize = *(GLsizei *)(pc + 4); mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 4)); + return safe_pad(safe_mul(mapsize, 4)); } int -__glXPixelMapusvReqSize( const GLbyte * pc, Bool swap ) +__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *)(pc + 4); @@ -308,11 +306,11 @@ GLsizei mapsize = *(GLsizei *)(pc + 4); mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 2)); + return safe_pad(safe_mul(mapsize, 2)); } int -__glXDrawPixelsReqSize( const GLbyte * pc, Bool swap ) +__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -340,7 +338,7 @@ GLenum type = * (GLenum *)(pc + 32); } int -__glXPrioritizeTexturesReqSize( const GLbyte * pc, Bool swap ) +__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); @@ -348,11 +346,11 @@ GLsizei n = *(GLsizei *)(pc + 0); n = bswap_32(n); } - return __GLX_PAD((n * 4) + (n * 4)); + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); } int -__glXTexSubImage1DReqSize( const GLbyte * pc, Bool swap ) +__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -380,7 +378,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXTexSubImage2DReqSize( const GLbyte * pc, Bool swap ) +__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -410,7 +408,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXColorTableReqSize( const GLbyte * pc, Bool swap ) +__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; 
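Review bot: The two identical `safe_mul(n, 4)` terms in `__glXPrioritizeTexturesReqSize` look like an accidental duplication and invite a later "simplification". If they stand for the two n-element arrays the request carries (texture names and priorities), a one-line comment such as `/* n texture names + n priorities, 4 bytes each */` above the return would record that. The arithmetic is fine as written; this is a documentation point only.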
@@ -438,7 +436,7 @@ GLenum type = * (GLenum *)(pc + 36); } int -__glXColorTableParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -448,11 +446,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glColorTableParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXColorSubTableReqSize( const GLbyte * pc, Bool swap ) +__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -480,7 +478,7 @@ GLenum type = * (GLenum *)(pc + 36); } int -__glXConvolutionFilter1DReqSize( const GLbyte * pc, Bool swap ) +__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -508,7 +506,7 @@ GLenum type = * (GLenum *)(pc + 40); } int -__glXConvolutionFilter2DReqSize( const GLbyte * pc, Bool swap ) +__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -538,7 +536,7 @@ GLenum type = * (GLenum *)(pc + 40); } int -__glXConvolutionParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -548,7 +546,7 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glConvolutionParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int @@ -589,7 +587,7 @@ GLenum type = * (GLenum *)(pc + 72); } int -__glXTexSubImage3DReqSize( const GLbyte * pc, Bool swap ) +__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = * (GLint *)(pc + 8); 
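Review bot: The function defined between the `@@ -548` and `@@ -589` hunks keeps its old two-argument signature: the first hunk ends on its `int` line, the second begins at its closing brace, and the line offset is the same (-2) in both headers, so nothing in between was edited. Judging by the `pc + 72` context it is probably `__glXTexImage3DReqSize`. Every sibling now takes `(const GLbyte * pc, Bool swap, int reqlen)`, so this one will either conflict with an updated prototype in `indirect_reqsize.h` or be called through a table whose other entries have a different type. Its signature should be brought in line, `__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)`, unless a change not shown on this page already does so.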
@@ -623,7 +621,7 @@ GLenum type = * (GLenum *)(pc + 80); } int -__glXCompressedTexImage1DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 20); @@ -631,11 +629,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 20); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage2DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 24); @@ -643,11 +641,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 24); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage3DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 28); @@ -655,11 +653,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 28); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexSubImage3DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 36); @@ -667,11 +665,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 36); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXPointParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 0); GLsizei compsize; 
@@ -681,11 +679,11 @@ GLenum pname = * (GLenum *)(pc + 0); } compsize = __glPointParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXDrawBuffersReqSize( const GLbyte * pc, Bool swap ) +__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); @@ -693,11 +691,11 @@ GLsizei n = *(GLsizei *)(pc + 0); n = bswap_32(n); } - return __GLX_PAD((n * 4)); + return safe_pad(safe_mul(n, 4)); } int -__glXProgramStringARBReqSize( const GLbyte * pc, Bool swap ) +__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *)(pc + 8); @@ -705,11 +703,11 @@ GLsizei len = *(GLsizei *)(pc + 8); len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } int -__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap, int reqlen) { GLsizei num = *(GLsizei *)(pc + 8); @@ -717,11 +715,11 @@ GLsizei num = *(GLsizei *)(pc + 8); num = bswap_32(num); } - return __GLX_PAD((num * 32)); + return safe_pad(safe_mul(num, 32)); } int -__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap ) +__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap, int reqlen) { GLsizei num = *(GLsizei *)(pc + 8); @@ -729,11 +727,11 @@ GLsizei num = *(GLsizei *)(pc + 8); num = bswap_32(num); } - return __GLX_PAD((num * 16)); + return safe_pad(safe_mul(num, 16)); } int -__glXVertexAttribs1dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -741,11 +739,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 8)); + return safe_pad(safe_mul(n, 8)); } int -__glXVertexAttribs2dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); 
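Review bot: `__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap, int reqlen)` and the matching `4fvNV` line in the next hunk still carry the space after the opening parenthesis, while every other signature in the patch was reformatted to `(const GLbyte * pc, ...`. For consistency they should read `__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)` and `__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)`.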
@@ -753,11 +751,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 16)); + return safe_pad(safe_mul(n, 16)); } int -__glXVertexAttribs3dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -765,11 +763,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 24)); + return safe_pad(safe_mul(n, 24)); } int -__glXVertexAttribs3fvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -777,11 +775,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 12)); + return safe_pad(safe_mul(n, 12)); } int -__glXVertexAttribs3svNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -789,11 +787,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 6)); + return safe_pad(safe_mul(n, 6)); } int -__glXVertexAttribs4dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -801,11 +799,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 32)); + return safe_pad(safe_mul(n, 32)); } int -__glXProgramNamedParameter4fvNVReqSize( const GLbyte * pc, Bool swap ) +__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *)(pc + 4); @@ -813,7 +811,7 @@ GLsizei len = *(GLsizei *)(pc + 4); len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } ALIAS( Fogiv, Fogfv ) -- cgit v1.2.3