1 |
From c91e4abc3b892f42802efa20fef7ada442c2d3f5 Mon Sep 17 00:00:00 2001 |
2 |
From: Adam Jackson <ajax@redhat.com> |
3 |
Date: Mon, 10 Nov 2014 12:13:44 -0500 |
4 |
Subject: [PATCH 27/40] glx: Top-level length checking for swapped |
5 |
VendorPrivate requests [CVE-2014-8098 4/8] |
6 |
|
7 |
Reviewed-by: Keith Packard <keithp@keithp.com> |
8 |
Reviewed-by: Julien Cristau <jcristau@debian.org> |
9 |
Reviewed-by: Michal Srb <msrb@suse.com> |
10 |
Reviewed-by: Andy Ritger <aritger@nvidia.com> |
11 |
Signed-off-by: Adam Jackson <ajax@redhat.com> |
12 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
13 |
--- |
14 |
glx/glxcmdsswap.c | 4 ++++ |
15 |
1 file changed, 4 insertions(+) |
16 |
|
17 |
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c |
18 |
index 5d179f3..9ec1222 100644 |
19 |
--- glx/glxcmdsswap.c |
20 |
+++ glx/glxcmdsswap.c |
21 |
@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc) |
22 |
int |
23 |
__glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) |
24 |
{ |
25 |
+ ClientPtr client = cl->client; |
26 |
xGLXVendorPrivateReq *req; |
27 |
GLint vendorcode; |
28 |
__GLXdispatchVendorPrivProcPtr proc; |
29 |
|
30 |
__GLX_DECLARE_SWAP_VARIABLES; |
31 |
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); |
32 |
|
33 |
req = (xGLXVendorPrivateReq *) pc; |
34 |
__GLX_SWAP_SHORT(&req->length); |
35 |
@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) |
36 |
int |
37 |
__glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) |
38 |
{ |
39 |
+ ClientPtr client = cl->client; |
40 |
xGLXVendorPrivateWithReplyReq *req; |
41 |
GLint vendorcode; |
42 |
__GLXdispatchVendorPrivProcPtr proc; |
43 |
|
44 |
__GLX_DECLARE_SWAP_VARIABLES; |
45 |
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); |
46 |
|
47 |
req = (xGLXVendorPrivateWithReplyReq *) pc; |
48 |
__GLX_SWAP_SHORT(&req->length); |
49 |
-- |
50 |
2.1.2 |
51 |
|