glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]

Without this we'd reject the request with BadLength.  Note that some old
versions of Mesa had a bug in the same place, and would _send_ zero
bytes of image data; these will now be rejected, correctly.

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/glx/rensize.c b/glx/rensize.c
index ba22d1067..9ff73c764 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         case GL_ALPHA:
         case GL_LUMINANCE:
         case GL_INTENSITY:
+        case GL_RED_INTEGER_EXT:
+        case GL_GREEN_INTEGER_EXT:
+        case GL_BLUE_INTEGER_EXT:
+        case GL_ALPHA_INTEGER_EXT:
+        case GL_LUMINANCE_INTEGER_EXT:
             elementsPerGroup = 1;
             break;
         case GL_422_EXT:
@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         case GL_DEPTH_STENCIL_MESA:
         case GL_YCBCR_MESA:
         case GL_LUMINANCE_ALPHA:
+        case GL_LUMINANCE_ALPHA_INTEGER_EXT:
             elementsPerGroup = 2;
             break;
         case GL_RGB:
         case GL_BGR:
+        case GL_RGB_INTEGER_EXT:
+        case GL_BGR_INTEGER_EXT:
             elementsPerGroup = 3;
             break;
         case GL_RGBA:
         case GL_BGRA:
+        case GL_RGBA_INTEGER_EXT:
+        case GL_BGRA_INTEGER_EXT:
         case GL_ABGR_EXT:
             elementsPerGroup = 4;
             break;