author | Julien Cristau <jcristau@debian.org> | 2014-11-10 12:13:41 -0500 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-08 18:09:49 -0800 |
commit | be09e0c988ffdb0371293af49fb4ea8f49ed324a (patch) | |
tree | 8b1b6cf7f43a0602bbe14dd7ba19df208a272a15 /glx | |
parent | 2a5cbc17fc72185bf0fa06fef26d1f782de72595 (diff) |
glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'glx')
-rw-r--r-- | glx/glxcmds.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index ea42e2a01..ddd911933 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 left = (req->length << 2) - sz_xGLXRenderReq;
 while (left > 0) {
 __GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
 __GLXdispatchRenderProcPtr proc;
 int err;
@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 cmdlen = hdr->length;
 opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
 /*
 ** Check for core opcodes and grab entry data.
 */
@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 return __glXError(GLXBadRenderRequest);
 }
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
 if (entry.varsize) {
 /* variable size command */
 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 if (extra < 0) {
 return BadLength;
 }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
 }
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
 return BadLength;
 } |
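Review bot: The added `if (left < cmdlen)` guard in the second hunk is unbraced, while the other BadLength checks in this function, including the `cmdlen < entry.bytes` one added in the next hunk, are braced; I would write it as `if (left < cmdlen) {`, `return BadLength;`, `}`. It is also the check that keeps per-command parsing inside the bytes the client actually sent, so a one-line comment such as `/* the command must fit in what remains of the request */` would help the next reader. Whether `left` has already been compared with the render header size before `hdr->length` is read cannot be seen from this hunk and is worth confirming in the lines above it.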
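Review bot: The new `cmdlen < entry.bytes` test in the third hunk carries no comment saying why it has to sit ahead of the `entry.varsize` call, so a later reorder could undo the protection without anyone noticing. Presumably the callback reads fields from the fixed part of the command at `pc + __GLX_RENDER_HDR_SIZE`, which means the fixed size must be covered by `cmdlen` before it runs. A comment like `/* the fixed part must be present before varsize() parses it */` above the check would record that ordering requirement. The rest of the call's argument list lies outside the hunk.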
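Review bot: The merged comparison `cmdlen != safe_pad(safe_add(entry.bytes, extra))` in the last hunk depends on what `safe_add` and `safe_pad` return on overflow, and neither helper is visible on this page. If they return a negative sentinel, as the names suggest, the test is sound, because the commit message notes that `cmdlen < 0` cannot happen and so an overflow result can never compare equal. That assumption should be written down at the call site, for example `/* safe_*() return a negative value on overflow, which never equals cmdlen */`. The fixed-size path now also relies on `extra` keeping the value 0 from its initializer in the first hunk, which deserves a short comment there, such as `/* stays 0 for fixed-size commands */`.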