glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6] (v2)

If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. v3: backport to nx-libs 3.6.x (Mike DePaulo) v2: backport to RHEL5 - fix swap paths Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swaps

glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6] (v2)
5c43bb24 · Adam Jackson · Mike Gabriel · cea44678 · 5c43bb24 · 5c43bb24
Commit 5c43bb24 authored Nov 10, 2014 by Adam Jackson Committed by Mike Gabriel Feb 14, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

glxcmds.c nx-X11/programs/Xserver/GL/glx/glxcmds.c +2 -2

glxcmdsswap.c nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +2 -2

No files found.
--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
@@ -1484,7 +1484,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
            /* variable size command */
            extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
            if (extra < 0) {
-                extra = 0;
+                return BadLength;
            }
            if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
                return BadLength;
@@ -1601,7 +1601,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
 	    */
 	    extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
 	    if (extra < 0) {
-		extra = 0;
+	        return BadLength;
 	    }
 	    /* large command's header is 4 bytes longer, so add 4 */
 	    if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {

--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -535,7 +535,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
            /* variable size command */
            extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
            if (extra < 0) {
-                extra = 0;
+                return BadLength;
            }
            if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
                return BadLength;
@@ -659,7 +659,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
 	    */
 	    extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
 	    if (extra < 0) {
-		extra = 0;
+		return BadLength;
 	    }
 	    /* large command's header is 4 bytes longer, so add 4 */
 	    if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {