diff options
| author | Koop Mast <kwm@FreeBSD.org> | 2014-12-10 21:35:13 +0000 |
|---|---|---|
| committer | Koop Mast <kwm@FreeBSD.org> | 2014-12-10 21:35:13 +0000 |
| commit | 1ef33079b39900dcc3d50c5e019eb2f8901c525b (patch) | |
| tree | 49084ca45edd067095895911788343ae39bf660b /x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 | |
| parent | Document xserver security advisories. (diff) | |
Fix multiple xserver security advisories in the 1.12.4 xserver.
The patches where not ported to 1.7.7 so mark it forbidden. This version
is not default anymore and will be removed in the 1.14 update that currently
being tested.
Obtained from: xserver upstream
MFH: 2014Q4
Security: 27b9b2f0-8081-11e4-b4ca-bcaec565249c
Notes
Notes:
svn path=/head/; revision=374489
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6')
| -rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 new file mode 100644 index 000000000000..6a461c92e105 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 @@ -0,0 +1,82 @@ +From 2a5cbc17fc72185bf0fa06fef26d1f782de72595 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:40 -0500 +Subject: [PATCH 23/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] + +These are paranoid about integer overflow, and will return -1 if their +operation would overflow a (signed) integer or if either argument is +negative. + +Note that RenderLarge requests are sized with a uint32_t so in principle +this could be sketchy there, but dix limits bigreqs to 128M so you +shouldn't ever notice, and honestly if you're sending more than 2G of +rendering commands you're already doing something very wrong. + +v2: Use INT_MAX for consistency with the rest of the server (jcristau) +v3: Reject negative arguments (anholt) + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/glx/glxserver.h b/glx/glxserver.h +index a324b29..9482601 100644 +--- glx/glxserver.h ++++ glx/glxserver.h +@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client, + * Routines for computing the size of variably-sized rendering commands. + */ + ++static _X_INLINE int ++safe_add(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (INT_MAX - a < b) ++ return -1; ++ ++ return a + b; ++} ++ ++static _X_INLINE int ++safe_mul(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (a == 0 || b == 0) ++ return 0; ++ ++ if (a > INT_MAX / b) ++ return -1; ++ ++ return a * b; ++} ++ ++static _X_INLINE int ++safe_pad(int a) ++{ ++ int ret; ++ ++ if (a < 0) ++ return -1; ++ ++ if ((ret = safe_add(a, 3)) < 0) ++ return -1; ++ ++ return ret & (GLuint)~3; ++} ++ + extern int __glXTypeSize(GLenum enm); + extern int __glXImageSize(GLenum format, GLenum type, + GLenum target, GLsizei w, GLsizei h, GLsizei d, +-- +2.1.2 + |