Skip to content

N
nx-libs
Switch branch/tag
Find file
BlameHistoryPermalink
  • Mihai Moldovan's avatar
    CVE patches were previously not included in release tarballs. · 96efadac
    Mihai Moldovan authored 
    Rename:
    - 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch =>
      1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch
    - 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch =>
      1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch
    - 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch =>
      1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
    - 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch =>
      1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch
    - 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch =>
      1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
    - 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch =>
      1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
    - 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch =>
      1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
    - 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch =>
      1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch
    - 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch =>
      1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch
    - 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch =>
      1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch
    - 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch =>
      1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch =>
      1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch
    - 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch =>
      1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch
    - 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch =>
      1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch =>
      1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
      1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
      1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch =>
      1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch
    - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch =>
      1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
    - 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch =>
      1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch
    - 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch =>
      1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch
    - 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch =>
      1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch
    - 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch =>
      1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch
    - 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch =>
      1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
    - 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch =>
      1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch
    - 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch =>
      1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch
    - 1027-render-check-request-size-before-reading-it-CVE-2014.patch =>
      1027-render-check-request-size-before-reading-it-CVE.full.patch
    - 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch =>
      1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
    - 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch =>
      1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch
    - 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch =>
      1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch
    - 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch =>
      1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch
    - 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch =>
      1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch
    - 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch =>
      1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch
    - 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch =>
      1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch
    - 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch =>
      1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch
    - 1036-glx-Integer-overflow-protection-for-non-generated-re.patch =>
      1036-glx-Integer-overflow-protection-for-non-generat.full.patch
    - 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch =>
      1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch
    - 1038-glx-Length-checking-for-non-generated-single-request.patch =>
      1038-glx-Length-checking-for-non-generated-single-re.full.patch
    - 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch =>
      1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch
    - 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch =>
      1040-glx-Pass-remaining-request-length-into-varsize-.full.patch
    - 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch =>
      1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch
    - 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch =>
      1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch
    - 1101-Coverity-844-845-846-Fix-memory-leaks.patch =>
      1101-Coverity-844-845-846-Fix-memory-leaks.full.patch
    - 1102-include-introduce-byte-counting-functions.patch =>
      1102-include-introduce-byte-counting-functions.full.patch
    - 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch =>
      1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
    - 1104-xkb-Check-strings-length-against-request-size.patch =>
      1104-xkb-Check-strings-length-against-request-size.full.patch
    96efadac
1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch 7.25 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 
From cdf0c3e65670c797a4fd0617d44d2bdff4011815 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:37 -0500
Subject: [PATCH 32/40] glx: Be more strict about rejecting invalid image sizes
 [CVE-2014-8093 2/6]

Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.

v2: backport to nx-libs 3.6.x (Mike DePaulo)

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
 nx-X11/programs/Xserver/GL/glx/singlepix.c     | 14 +++++++-------
 nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c
index 845c46a..be804d8 100644
--- a/nx-X11/programs/Xserver/GL/glx/singlepix.c
+++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c
@@ -70,7 +70,7 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc)
     swapBytes = *(GLboolean *)(pc + 24);
     lsbFirst = *(GLboolean *)(pc + 25);
     compsize = __glReadPixels_size(format,type,width,height);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -130,7 +130,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width, height, and depth would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -227,7 +227,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
     compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
 
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
     if (compsize2 < 0) compsize2 = 0;
     compsize = __GLX_PAD(compsize);
     compsize2 = __GLX_PAD(compsize2);
@@ -291,7 +291,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width and height would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -346,7 +346,7 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -389,7 +389,7 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc)
     reset = *(GLboolean *)(pc + 13);
 
     compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -436,7 +436,7 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
index ff68ece..cdc6f16 100644
--- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
@@ -79,7 +79,7 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc)
     swapBytes = *(GLboolean *)(pc + 24);
     lsbFirst = *(GLboolean *)(pc + 25);
     compsize = __glReadPixels_size(format,type,width,height);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -148,7 +148,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width, height, and depth would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -257,7 +257,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
     compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
 
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
     if (compsize2 < 0) compsize2 = 0;
     compsize = __GLX_PAD(compsize);
     compsize2 = __GLX_PAD(compsize2);
@@ -328,7 +328,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width and height would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -390,7 +390,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -439,7 +439,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc)
     reset = *(GLboolean *)(pc + 13);
 
     compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -491,7 +491,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc)
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0) return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
-- 
2.1.4