Commit 1ea1cd8c authored by Adam Jackson's avatar Adam Jackson Committed by Mike Gabriel

glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)

v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
v3: RHEL5 backport
v4: backport to nx-libs 3.6.x (Mike DePaulo)

Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
parent 9c558f9c
......@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
if (entry->varsize) {
/* variable size command */
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
......@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
int extra = 0, cmdlen;
int left = (req->length << 2) - sz_xGLXRenderLargeReq;
/*
** This is the first request of a multi request command.
** Make enough space in the buffer, then copy the entire request.
......@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
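Review bot: In __glXRenderLarge, `left - __GLX_RENDER_LARGE_HDR_SIZE` goes negative when the client-supplied `req->length` covers less than the large-render header, and that signed value is passed straight to the `varsize` callback as its bound. The lines between the `left` declaration and the call are elided, so a guard may already exist there; if it does not, add `if (left < __GLX_RENDER_LARGE_HDR_SIZE) return BadLength;` before the call. The same applies to `left - __GLX_RENDER_HDR_SIZE` in __glXRender, where `left` is defined outside the hunk, and to the matching calls in __glXSwapRender and __glXSwapRenderLarge. Otherwise every size routine has to reject a negative `reqlen` itself.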
......
......@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
if (entry->varsize) {
/* variable size command */
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
......@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
int extra = 0;
int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
/*
** This is the first request of a multi request command.
......@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
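Review bot: The new `left` in __glXSwapRenderLarge is computed from `req->length` on the byte-swapped path, and the hunk does not show whether that field has already been converted to host order when the declaration runs. If the swap happened after this point, the bound handed to `varsize` would come from the unswapped value and would not limit anything. The start of the function is outside the hunk, so this needs checking against the full file. A short comment on the declaration, such as `/* req->length is in host byte order here (swapped at function entry) */`, would record that dependency once it is confirmed.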
......
......@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[];
*/
typedef struct {
int bytes;
int (*varsize)(GLbyte *pc, Bool swap);
int (*varsize)(GLbyte *pc, Bool swap, int left);
} __GLXrenderSizeData;
extern __GLXrenderSizeData __glXRenderSizeTable[];
extern __GLXrenderSizeData __glXRenderSizeTable_EXT[];
......@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type,
GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows,
GLint alignment);
extern int __glXCallListsReqSize(GLbyte *pc, Bool swap);
extern int __glXBitmapReqSize(GLbyte *pc, Bool swap);
extern int __glXFogfvReqSize(GLbyte *pc, Bool swap);
extern int __glXFogivReqSize(GLbyte *pc, Bool swap);
extern int __glXLightfvReqSize(GLbyte *pc, Bool swap);
extern int __glXLightivReqSize(GLbyte *pc, Bool swap);
extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap);
extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap);
extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap);
extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap);
extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap);
extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap);
extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap);
extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap);
extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap);
extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap);
extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap);
extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap);
extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap);
extern int __glXMap1dReqSize(GLbyte *pc, Bool swap);
extern int __glXMap1fReqSize(GLbyte *pc, Bool swap);
extern int __glXMap2dReqSize(GLbyte *pc, Bool swap);
extern int __glXMap2fReqSize(GLbyte *pc, Bool swap);
extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap);
extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap);
extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap);
extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap);
extern int __glXDrawArraysSize(GLbyte *pc, Bool swap);
extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap);
extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap);
extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap);
extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap );
extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap);
extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap);
extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap);
extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap);
extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap);
extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap);
extern int __glXColorTableReqSize(GLbyte *pc, Bool swap);
extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap);
extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap);
extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap);
extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen );
extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
/*
* Routines for computing the size of returned data.
......@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname);
extern int __glXColorTableParameterfvSize(GLenum pname);
extern int __glXColorTableParameterivSize(GLenum pname);
extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap);
extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap);
extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen);
extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
#endif /* !__GLX_server_h__ */
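Review bot: The new third parameter is named `left` in the `varsize` member of `__GLXrenderSizeData` but `reqlen` in every `*ReqSize` prototype, and neither place documents what it measures or what callees must do with it. Using one name throughout, with a comment on the member such as `/* reqlen: bytes of request data available after the render header; return < 0 if the command would read past it */`, would make the contract explicit for anyone adding a table entry. The parameter is a signed `int` and the visible callers pass a difference, so the comment should also say whether a negative value can reach the callee. The comment block above the typedef starts outside the hunk.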