Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8')
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-1-859
1 files changed, 59 insertions, 0 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
new file mode 100644
index 000000000000..658fa963992b
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
@@ -0,0 +1,59 @@
+From 13d36923e0ddb077f4854e354c3d5c80590b5d9d Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:39 -0500
+Subject: [PATCH 22/40] glx: Fix image size computation for EXT_texture_integer
+ [CVE-2014-8098 1/8]
+
+Without this we'd reject the request with BadLength. Note that some old
+versions of Mesa had a bug in the same place, and would _send_ zero
+bytes of image data; these will now be rejected, correctly.
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/rensize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/glx/rensize.c b/glx/rensize.c
+index ba22d10..9ff73c7 100644
+--- glx/rensize.c
++++ glx/rensize.c
+@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ case GL_ALPHA:
+ case GL_LUMINANCE:
+ case GL_INTENSITY:
++ case GL_RED_INTEGER_EXT:
++ case GL_GREEN_INTEGER_EXT:
++ case GL_BLUE_INTEGER_EXT:
++ case GL_ALPHA_INTEGER_EXT:
++ case GL_LUMINANCE_INTEGER_EXT:
+ elementsPerGroup = 1;
+ break;
+ case GL_422_EXT:
+@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ case GL_DEPTH_STENCIL_MESA:
+ case GL_YCBCR_MESA:
+ case GL_LUMINANCE_ALPHA:
++ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
+ elementsPerGroup = 2;
+ break;
+ case GL_RGB:
+ case GL_BGR:
++ case GL_RGB_INTEGER_EXT:
++ case GL_BGR_INTEGER_EXT:
+ elementsPerGroup = 3;
+ break;
+ case GL_RGBA:
+ case GL_BGRA:
++ case GL_RGBA_INTEGER_EXT:
++ case GL_BGRA_INTEGER_EXT:
+ case GL_ABGR_EXT:
+ elementsPerGroup = 4;
+ break;
+--
+2.1.2
+
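Review bot: The added `GL_*_INTEGER_EXT` labels in both `__glXImageSize` hunks have no comment tying them to EXT_texture_integer or explaining why they share a group with the existing formats; I would add `/* EXT_texture_integer: same element count as the non-integer format */` above `case GL_RED_INTEGER_EXT:`. Since `elementsPerGroup` presumably feeds the size the server expects for client-supplied image data (the message mentions BadLength), a format placed in the wrong group would make that expected size wrong, so the grouping deserves an explicit comment. The switch's default branch and the arithmetic that uses `elementsPerGroup` lie outside both hunks, so whether that product is overflow-checked cannot be confirmed from here. The subject marks this as part 1/8, so this file should not be treated as the complete CVE-2014-8098 fix unless the remaining parts are in the port as well.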