glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]

If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>

glx: Additional paranoia in glXGetAnswerBuffer / GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
d0fcbc8a · Adam Jackson · Mike Gabriel · cdf0c3e6 · d0fcbc8a
Commit d0fcbc8a authored Nov 10, 2014 by Adam Jackson Committed by Mike Gabriel Feb 14, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

unpack.h nx-X11/programs/Xserver/GL/glx/unpack.h +2 -1

No files found.
--- a/nx-X11/programs/Xserver/GL/glx/unpack.h
+++ b/nx-X11/programs/Xserver/GL/glx/unpack.h
@@ -89,7 +89,8 @@ extern xGLXSingleReply __glXReply;
 ** pointer.
 */
 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
-    if ((size) > sizeof(answerBuffer)) {				 \
+    if (size < 0) return BadLength;                                      \
+    else if ((size) > sizeof(answerBuffer)) {				 \
 	int bump;							 \
 	if ((cl)->returnBufSize < (size)+(align)) {			 \
 	    (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf,	 \