andreacavalli
/
xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8] 

v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)

v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)

Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 984583a497)
Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Adam Jackson 2014-11-10 12:13:47 -05:00 committed by Julien Cristau
parent 44ed4a6547
commit 92de7a90a1
5 changed files with 95 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
glx/indirect_texture_compression.c
View File

@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = *(GLenum *) (pc + 0);
@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__glXForceCurrent(cl, bswap_32(req->contextTag), &error);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));

23
glx/single2.c
View File

@ -45,11 +45,14 @@
int
__glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client;
ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
GLenum newMode;
int error;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
REQUEST_SIZE_MATCH(xGLXSingleReq);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
__GLXcontext *cx;
ClientPtr client;
int error;
REQUEST_SIZE_MATCH(xGLXSingleReq);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
int
DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
{
ClientPtr client;
ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *) (pc + 0);
string = (const char *) glGetString(name);
client = cl->client;
if (string == NULL)
string = "";

19
glx/single2swap.c
View File

@ -41,6 +41,7 @@
int
__glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
GLsizei size;
GLenum type;
@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLXcontext *cx;
int error;
REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client;
ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
REQUEST_SIZE_MATCH(xGLXSingleReq);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
{
ClientPtr client = cl->client;
__GLXcontext *cx;
ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
REQUEST_SIZE_MATCH(xGLXSingleReq);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
cx->hasUnflushedCommands = GL_FALSE;
/* Send empty reply packet to indicate finish is finished */
client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();

44
glx/singlepix.c
View File

@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
GLubyte answerBuffer[200];
char *answer;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
if (compsize2 < 0)
if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
__GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@ -249,7 +253,8 @@ int
__glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -257,7 +262,8 @@ int
__glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -323,7 +329,8 @@ int
__glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -331,7 +338,8 @@ int
__glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -390,7 +398,8 @@ int
__glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -398,7 +407,8 @@ int
__glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -450,7 +460,8 @@ int
__glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -458,7 +469,8 @@ int
__glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -517,7 +529,8 @@ int
__glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -525,6 +538,7 @@ int
__glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}

34
glx/singlepixswap.c
View File

@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
if (compsize2 < 0)
if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
__GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@ -285,7 +289,9 @@ int
__glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -293,7 +299,9 @@ int
__glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -367,7 +375,9 @@ int
__glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -375,7 +385,9 @@ int
__glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -441,7 +453,9 @@ int
__glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -449,7 +463,9 @@ int
__glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -507,7 +523,9 @@ int
__glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -515,7 +533,9 @@ int
__glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@ -581,7 +601,9 @@ int
__glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@ -589,6 +611,8 @@ int
__glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
ClientPtr client = cl->client;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}