diff options
author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:36 -0500 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2014-12-09 17:50:13 +0100 |
commit | 1d496e046e398cd9d6d77edf8958967c86983bf0 (patch) | |
tree | 2c8174c163c6eafb6d6d052e0062818968011398 | |
parent | 5a4760babdfeb114d1e89df735496f042df352fe (diff) |
glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 23fe7718bb171e71db2d1a30505c2ca2988799d9)
Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r-- | glx/glxcmds.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 2fc3f4cc8..f8328af8b 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -2060,7 +2060,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, client->swapped); if (extra < 0) { - extra = 0; + return BadLength; } if (cmdlen != __GLX_PAD(entry.bytes + extra)) { return BadLength; @@ -2177,7 +2177,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, client->swapped); if (extra < 0) { - extra = 0; + return BadLength; } /* large command's header is 4 bytes longer, so add 4 */ if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { |