summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdam Jackson <ajax@redhat.com>2014-11-10 12:13:39 -0500
committerAlan Coopersmith <alan.coopersmith@oracle.com>2014-12-08 18:09:49 -0800
commit13d36923e0ddb077f4854e354c3d5c80590b5d9d (patch)
treee3b7d519a2cc744303cca90d7148e19813afcbd4
parent717a1b37767b41e14859e5022ae9e679152821a9 (diff)
glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
Without this we'd reject the request with BadLength. Note that some old versions of Mesa had a bug in the same place, and would _send_ zero bytes of image data; these will now be rejected, correctly. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--glx/rensize.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/glx/rensize.c b/glx/rensize.c
index ba22d1067..9ff73c764 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_ALPHA:
case GL_LUMINANCE:
case GL_INTENSITY:
+ case GL_RED_INTEGER_EXT:
+ case GL_GREEN_INTEGER_EXT:
+ case GL_BLUE_INTEGER_EXT:
+ case GL_ALPHA_INTEGER_EXT:
+ case GL_LUMINANCE_INTEGER_EXT:
elementsPerGroup = 1;
break;
case GL_422_EXT:
@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_DEPTH_STENCIL_MESA:
case GL_YCBCR_MESA:
case GL_LUMINANCE_ALPHA:
+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
elementsPerGroup = 2;
break;
case GL_RGB:
case GL_BGR:
+ case GL_RGB_INTEGER_EXT:
+ case GL_BGR_INTEGER_EXT:
elementsPerGroup = 3;
break;
case GL_RGBA:
case GL_BGRA:
+ case GL_RGBA_INTEGER_EXT:
+ case GL_BGRA_INTEGER_EXT:
case GL_ABGR_EXT:
elementsPerGroup = 4;
break;