glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]

On a system where sizeof(unsigned) != sizeof(intptr_t), the unary bitwise not operation will result in a mask that clears all high bits from temp_buf in the expression: temp_buf = (temp_buf + mask) & ~mask; Signed-off-by: Robert Morell <rmorell@nvidia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Robert Morell <rmorell@nvidia.com> 2014-11-12 18:51:43 -0800
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-12-08 18:09:50 -0800
commit: 7e7630bbb775573eea2a2335adb9d190c3e1e971 (patch)
tree: a4b86f3cb45806222c64b6f73d86502e867677f8 /glx
parent: e883c170c15493ab3637c0a01890f5a7ca4e16a5 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index de8149127..9ba28157c 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
                      void *local_buffer, size_t local_size, unsigned alignment)
 {
     void *buffer = local_buffer;
-    const unsigned mask = alignment - 1;
+    const intptr_t mask = alignment - 1;
 
     if (local_size < required_size) {
         size_t worst_case_size;
author	Robert Morell <rmorell@nvidia.com>	2014-11-12 18:51:43 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-12-08 18:09:50 -0800
commit	7e7630bbb775573eea2a2335adb9d190c3e1e971 (patch)
tree	a4b86f3cb45806222c64b6f73d86502e867677f8 /glx
parent	e883c170c15493ab3637c0a01890f5a7ca4e16a5 (diff)