diff options
Diffstat (limited to 'x11-servers')
30 files changed, 4002 insertions, 1 deletions
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile index b608dfa530c1..183136dbc8bb 100644 --- a/x11-servers/xorg-server/Makefile +++ b/x11-servers/xorg-server/Makefile @@ -35,13 +35,14 @@ OPTIONS_EXCLUDE_sparc64= HAL .if defined(WITH_NEW_XORG) XORG_VERSION= 1.12.4 -XORG_REVISION= 9 +XORG_REVISION= 10 PLIST_SUB+= OLD="@comment " NEW="" EXTRA_PATCHES+= ${FILESDIR}/extra-clang \ ${FILESDIR}/extra-configure \ ${FILESDIR}/extra-new-bad-impl \ ${FILESDIR}/extra-new-dix_dixfonts.c .else +FORBIDDEN= unfixed security issues XORG_VERSION= 1.7.7 XORG_REVISION= 14 PLIST_SUB+= OLD="" NEW="@comment " diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4 new file mode 100644 index 000000000000..d04a03be0054 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4 @@ -0,0 +1,37 @@ +From eeae42d60bf3d5663ea088581f6c28a82cd17829 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 22 Jan 2014 21:11:16 -0800 +Subject: [PATCH 01/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092 + 1/4] + +ProcPutImage() calculates a length field from a width, left pad and depth +specified by the client (if the specified format is XYPixmap). + +The calculations for the total amount of memory the server needs for the +pixmap can overflow a 32-bit number, causing out-of-bounds memory writes +on 32-bit systems (since the length is stored in a long int variable). + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + dix/dispatch.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index d844a09..55b978d 100644 +--- dix/dispatch.c ++++ dix/dispatch.c +@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client) + tmpImage = (char *) &stuff[1]; + lengthProto = length; + ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if ((bytes_to_int32(lengthProto * stuff->height) + + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) + return BadLength; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4 new file mode 100644 index 000000000000..25d58bd418a5 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4 @@ -0,0 +1,49 @@ +From bc8e20430b6f6378daf6ce4329029248a88af08b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Mon, 6 Jan 2014 23:30:14 -0800 +Subject: [PATCH 02/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] + +GetHosts() iterates over all the hosts it has in memory, and copies +them to a buffer. The buffer length is calculated by iterating over +all the hosts and adding up all of their combined length. There is a +potential integer overflow, if there are lots and lots of hosts (with +a combined length of > ~4 gig). This should be possible by repeatedly +calling ProcChangeHosts() on 64bit machines with enough memory. + +This patch caps the list at 1mb, because multi-megabyte hostname +lists for X access control are insane. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + os/access.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/os/access.c b/os/access.c +index 5c510de..f393c8d 100644 +--- os/access.c ++++ os/access.c +@@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) + for (host = validhosts; host; host = host->next) { + nHosts++; + n += pad_to_int32(host->len) + sizeof(xHostEntry); ++ /* Could check for INT_MAX, but in reality having more than 1mb of ++ hostnames in the access list is ridiculous */ ++ if (n >= 1048576) ++ break; + } + if (n) { + *data = ptr = malloc(n); +@@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) + } + for (host = validhosts; host; host = host->next) { + len = host->len; ++ if ((ptr + sizeof(xHostEntry) + len) > (data + n)) ++ break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len; + ptr += sizeof(xHostEntry); +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 new file mode 100644 index 000000000000..e05101bac9e3 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 @@ -0,0 +1,128 @@ +From 97015a07b9e15d8ec5608b95d95ec0eb51202acb Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 22 Jan 2014 22:37:15 -0800 +Subject: [PATCH 03/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092 + 3/4] + +RegionSizeof contains several integer overflows if a large length +value is passed in. Once we fix it to return 0 on overflow, we +also have to fix the callers to handle this error condition + +v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + dix/region.c | 20 +++++++++++++------- + include/regionstr.h | 10 +++++++--- + 2 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/dix/region.c b/dix/region.c +index ce1014e..04e5901 100644 +--- dix/region.c ++++ dix/region.c +@@ -169,7 +169,6 @@ Equipment Corporation. + ((r1)->y1 <= (r2)->y1) && \ + ((r1)->y2 >= (r2)->y2) ) + +-#define xallocData(n) malloc(RegionSizeof(n)) + #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) + + #define RECTALLOC_BAIL(pReg,n,bail) \ +@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \ + #define DOWNSIZE(reg,numRects) \ + if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ + { \ +- RegDataPtr NewData; \ +- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ ++ size_t NewSize = RegionSizeof(numRects); \ ++ RegDataPtr NewData = \ ++ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ + if (NewData) \ + { \ + NewData->size = (numRects); \ +@@ -345,17 +345,20 @@ Bool + RegionRectAlloc(RegionPtr pRgn, int n) + { + RegDataPtr data; ++ size_t rgnSize; + + if (!pRgn->data) { + n++; +- pRgn->data = xallocData(n); ++ rgnSize = RegionSizeof(n); ++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pRgn->data) + return RegionBreak(pRgn); + pRgn->data->numRects = 1; + *RegionBoxptr(pRgn) = pRgn->extents; + } + else if (!pRgn->data->size) { +- pRgn->data = xallocData(n); ++ rgnSize = RegionSizeof(n); ++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pRgn->data) + return RegionBreak(pRgn); + pRgn->data->numRects = 0; +@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) + n = 250; + } + n += pRgn->data->numRects; +- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); ++ rgnSize = RegionSizeof(n); ++ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; + if (!data) + return RegionBreak(pRgn); + pRgn->data = data; +@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype) + { + + RegionPtr pRgn; ++ size_t rgnSize; + RegDataPtr pData; + BoxPtr pBox; + int i; +@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype) + } + return pRgn; + } +- pData = xallocData(nrects); ++ rgnSize = RegionSizeof(nrects); ++ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pData) { + RegionBreak(pRgn); + return pRgn; +diff --git a/include/regionstr.h b/include/regionstr.h +index 515e93f..079375d 100644 +--- include/regionstr.h ++++ include/regionstr.h +@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg) + static inline size_t + RegionSizeof(size_t n) + { +- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); ++ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) ++ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); ++ else ++ return 0; + } + + static inline void +@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size) + (_pReg)->data = (RegDataPtr) NULL; + } + else { ++ size_t rgnSize; + (_pReg)->extents = RegionEmptyBox; +- if (((_size) > 1) && ((_pReg)->data = +- (RegDataPtr) malloc(RegionSizeof(_size)))) { ++ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && ++ (((_pReg)->data = malloc(rgnSize)) != NULL)) { + (_pReg)->data->size = (_size); + (_pReg)->data->numRects = 0; + } +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4 new file mode 100644 index 000000000000..64436ed41424 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4 @@ -0,0 +1,34 @@ +From e0e11644622a589129a01e11e5d105dc74a098de Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 22 Jan 2014 23:44:46 -0800 +Subject: [PATCH 04/40] dix: integer overflow in REQUEST_FIXED_SIZE() + [CVE-2014-8092 4/4] + +Force use of 64-bit integers when evaluating data provided by clients +in 32-bit fields which can overflow when added or multiplied during +checks. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + include/dix.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/dix.h b/include/dix.h +index 991a3ce..e0c6ed8 100644 +--- include/dix.h ++++ include/dix.h +@@ -76,7 +76,8 @@ SOFTWARE. + + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ +- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ ++ ((n >> 2) >= client->req_len) || \ ++ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ + return(BadLength) + + #define LEGAL_NEW_RESOURCE(id,client)\ +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 new file mode 100644 index 000000000000..4446b4898426 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 @@ -0,0 +1,32 @@ +From 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Tue, 9 Dec 2014 09:30:59 -0800 +Subject: [PATCH 38/40] Missing parens in REQUEST_FIXED_SIZE macro + [CVE-2014-8092 pt. 5] + +The 'n' parameter must be surrounded by parens in both places to +prevent precedence from mis-computing things. + +Signed-off-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + include/dix.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/dix.h b/include/dix.h +index 21176a8..921156b 100644 +--- include/dix.h ++++ include/dix.h +@@ -80,7 +80,7 @@ SOFTWARE. + + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ +- ((n >> 2) >= client->req_len) || \ ++ (((n) >> 2) >= client->req_len) || \ + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ + return(BadLength) + +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 new file mode 100644 index 000000000000..5adb2b02cc9b --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 @@ -0,0 +1,35 @@ +From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Tue, 9 Dec 2014 09:31:00 -0800 +Subject: [PATCH 39/40] dix: GetHosts bounds check using wrong pointer value + [CVE-2014-8092 pt. 6] + +GetHosts saves the pointer to allocated memory in *data, and then +wants to bounds-check writes to that region, but was mistakenly using +a bare 'data' instead of '*data'. Also, data is declared as void **, +so we need a cast to turn it into a byte pointer so we can actually do +pointer comparisons. + +Signed-off-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + os/access.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/access.c b/os/access.c +index f393c8d..28f2d32 100644 +--- os/access.c ++++ os/access.c +@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) + } + for (host = validhosts; host; host = host->next) { + len = host->len; +- if ((ptr + sizeof(xHostEntry) + len) > (data + n)) ++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 new file mode 100644 index 000000000000..ffa7e3995647 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 @@ -0,0 +1,47 @@ +From 23fe7718bb171e71db2d1a30505c2ca2988799d9 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:36 -0500 +Subject: [PATCH 19/40] glx: Be more paranoid about variable-length requests + [CVE-2014-8093 1/6] + +If the size computation routine returns -1 we should just reject the +request outright. Clamping it to zero could give an attacker the +opportunity to also mangle cmdlen in such a way that the subsequent +length check passes, and the request would get executed, thus passing +data we wanted to reject to the renderer. + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxcmds.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index 009fd9b..ea42e2a 100644 +--- glx/glxcmds.c ++++ glx/glxcmds.c +@@ -2062,7 +2062,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) + extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, + client->swapped); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + if (cmdlen != __GLX_PAD(entry.bytes + extra)) { + return BadLength; +@@ -2179,7 +2179,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) + extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, + client->swapped); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + /* large command's header is 4 bytes longer, so add 4 */ + if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 new file mode 100644 index 000000000000..6be272144ba2 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 @@ -0,0 +1,165 @@ +From ab2ba9338aa5e85b4487bc7fbe69985c76483e01 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:37 -0500 +Subject: [PATCH 20/40] glx: Be more strict about rejecting invalid image sizes + [CVE-2014-8093 2/6] + +Before this we'd just clamp the image size to 0, which was just +hideously stupid; if the parameters were such that they'd overflow an +integer, you'd allocate a small buffer, then pass huge values into (say) +ReadPixels, and now you're scribbling over arbitrary server memory. + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/singlepix.c | 16 ++++++++-------- + glx/singlepixswap.c | 16 ++++++++-------- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/glx/singlepix.c b/glx/singlepix.c +index 506fdaa..8b6c261 100644 +--- glx/singlepix.c ++++ glx/singlepix.c +@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc) + lsbFirst = *(GLboolean *) (pc + 25); + compsize = __glReadPixels_size(format, type, width, height); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); +@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc) + compsize = + __glGetTexImage_size(target, level, format, type, width, height, depth); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + + if (compsize < 0) +- compsize = 0; ++ return BadLength; + if (compsize2 < 0) +- compsize2 = 0; ++ return BadLength; + compsize = __GLX_PAD(compsize); + compsize2 = __GLX_PAD(compsize2); + +@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + */ + compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + */ + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + + compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + */ + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c +index 8469101..8dc304f 100644 +--- glx/singlepixswap.c ++++ glx/singlepixswap.c +@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc) + lsbFirst = *(GLboolean *) (pc + 25); + compsize = __glReadPixels_size(format, type, width, height); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); +@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc) + compsize = + __glGetTexImage_size(target, level, format, type, width, height, depth); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + + if (compsize < 0) +- compsize = 0; ++ return BadLength; + if (compsize2 < 0) +- compsize2 = 0; ++ return BadLength; + compsize = __GLX_PAD(compsize); + compsize2 = __GLX_PAD(compsize2); + +@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + */ + compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + */ + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + + compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) + */ + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + if (compsize < 0) +- compsize = 0; ++ return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 new file mode 100644 index 000000000000..0145fc1f85f0 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 @@ -0,0 +1,59 @@ +From 717a1b37767b41e14859e5022ae9e679152821a9 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:38 -0500 +Subject: [PATCH 21/40] glx: Additional paranoia in __glXGetAnswerBuffer / + __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] + +If the computed reply size is negative, something went wrong, treat it +as an error. + +v2: Be more careful about size_t being unsigned (Matthieu Herrb) +v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) + +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/indirect_util.c | 7 ++++++- + glx/unpack.h | 3 ++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/glx/indirect_util.c b/glx/indirect_util.c +index 926e57c..de81491 100644 +--- glx/indirect_util.c ++++ glx/indirect_util.c +@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size, + const unsigned mask = alignment - 1; + + if (local_size < required_size) { +- const size_t worst_case_size = required_size + alignment; ++ size_t worst_case_size; + intptr_t temp_buf; + ++ if (required_size < SIZE_MAX - alignment) ++ worst_case_size = required_size + alignment; ++ else ++ return NULL; ++ + if (cl->returnBufSize < worst_case_size) { + void *temp = realloc(cl->returnBuf, worst_case_size); + +diff --git a/glx/unpack.h b/glx/unpack.h +index 52fba74..2b1ebcf 100644 +--- glx/unpack.h ++++ glx/unpack.h +@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; + ** pointer. + */ + #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ +- if ((size) > sizeof(answerBuffer)) { \ ++ if (size < 0) return BadLength; \ ++ else if ((size) > sizeof(answerBuffer)) { \ + int bump; \ + if ((cl)->returnBufSize < (size)+(align)) { \ + (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 new file mode 100644 index 000000000000..6a461c92e105 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 @@ -0,0 +1,82 @@ +From 2a5cbc17fc72185bf0fa06fef26d1f782de72595 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:40 -0500 +Subject: [PATCH 23/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] + +These are paranoid about integer overflow, and will return -1 if their +operation would overflow a (signed) integer or if either argument is +negative. + +Note that RenderLarge requests are sized with a uint32_t so in principle +this could be sketchy there, but dix limits bigreqs to 128M so you +shouldn't ever notice, and honestly if you're sending more than 2G of +rendering commands you're already doing something very wrong. + +v2: Use INT_MAX for consistency with the rest of the server (jcristau) +v3: Reject negative arguments (anholt) + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/glx/glxserver.h b/glx/glxserver.h +index a324b29..9482601 100644 +--- glx/glxserver.h ++++ glx/glxserver.h +@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client, + * Routines for computing the size of variably-sized rendering commands. + */ + ++static _X_INLINE int ++safe_add(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (INT_MAX - a < b) ++ return -1; ++ ++ return a + b; ++} ++ ++static _X_INLINE int ++safe_mul(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (a == 0 || b == 0) ++ return 0; ++ ++ if (a > INT_MAX / b) ++ return -1; ++ ++ return a * b; ++} ++ ++static _X_INLINE int ++safe_pad(int a) ++{ ++ int ret; ++ ++ if (a < 0) ++ return -1; ++ ++ if ((ret = safe_add(a, 3)) < 0) ++ return -1; ++ ++ return ret & (GLuint)~3; ++} ++ + extern int __glXTypeSize(GLenum enm); + extern int __glXImageSize(GLenum format, GLenum type, + GLenum target, GLsizei w, GLsizei h, GLsizei d, +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 new file mode 100644 index 000000000000..6384cd634f99 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 @@ -0,0 +1,225 @@ +From 698888e6671d54c7ae41e9d456f7f5483a3459d2 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:42 -0500 +Subject: [PATCH 25/40] glx: Integer overflow protection for non-generated + render requests (v3) [CVE-2014-8093 5/6] + +v2: +Fix constants in __glXMap2fReqSize (Michal Srb) +Validate w/h/d for proxy targets too (Keith Packard) + +v3: +Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/rensize.c | 77 +++++++++++++++++++++++++++++++---------------------------- + 1 file changed, 41 insertions(+), 36 deletions(-) + +diff --git a/glx/rensize.c b/glx/rensize.c +index 9ff73c7..d46334a 100644 +--- glx/rensize.c ++++ glx/rensize.c +@@ -43,19 +43,11 @@ + (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ + ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) + +-static int +-Map1Size(GLint k, GLint order) +-{ +- if (order <= 0 || k < 0) +- return -1; +- return k * order; +-} +- + int + __glXMap1dReqSize(const GLbyte * pc, Bool swap) + { + GLenum target; +- GLint order, k; ++ GLint order; + + target = *(GLenum *) (pc + 16); + order = *(GLint *) (pc + 20); +@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap) + target = SWAPL(target); + order = SWAPL(order); + } +- k = __glMap1d_size(target); +- return 8 * Map1Size(k, order); ++ if (order < 1) ++ return -1; ++ return safe_mul(8, safe_mul(__glMap1d_size(target), order)); + } + + int + __glXMap1fReqSize(const GLbyte * pc, Bool swap) + { + GLenum target; +- GLint order, k; ++ GLint order; + + target = *(GLenum *) (pc + 0); + order = *(GLint *) (pc + 12); +@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap) + target = SWAPL(target); + order = SWAPL(order); + } +- k = __glMap1f_size(target); +- return 4 * Map1Size(k, order); ++ if (order < 1) ++ return -1; ++ return safe_mul(4, safe_mul(__glMap1f_size(target), order)); + } + + static int + Map2Size(int k, int majorOrder, int minorOrder) + { +- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) ++ if (majorOrder < 1 || minorOrder < 1) + return -1; +- return k * majorOrder * minorOrder; ++ return safe_mul(k, safe_mul(majorOrder, minorOrder)); + } + + int + __glXMap2dReqSize(const GLbyte * pc, Bool swap) + { + GLenum target; +- GLint uorder, vorder, k; ++ GLint uorder, vorder; + + target = *(GLenum *) (pc + 32); + uorder = *(GLint *) (pc + 36); +@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap) + uorder = SWAPL(uorder); + vorder = SWAPL(vorder); + } +- k = __glMap2d_size(target); +- return 8 * Map2Size(k, uorder, vorder); ++ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); + } + + int + __glXMap2fReqSize(const GLbyte * pc, Bool swap) + { + GLenum target; +- GLint uorder, vorder, k; ++ GLint uorder, vorder; + + target = *(GLenum *) (pc + 0); + uorder = *(GLint *) (pc + 12); +@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap) + uorder = SWAPL(uorder); + vorder = SWAPL(vorder); + } +- k = __glMap2f_size(target); +- return 4 * Map2Size(k, uorder, vorder); ++ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); + } + + /** +@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + GLint bytesPerElement, elementsPerGroup, groupsPerRow; + GLint groupSize, rowSize, padding, imageSize; + ++ if (w == 0 || h == 0 || d == 0) ++ return 0; ++ + if (w < 0 || h < 0 || d < 0 || + (type == GL_BITMAP && + (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { + return -1; + } +- if (w == 0 || h == 0 || d == 0) +- return 0; + ++ /* proxy targets have no data */ + switch (target) { + case GL_PROXY_TEXTURE_1D: + case GL_PROXY_TEXTURE_2D: +@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + return 0; + } + ++ /* real data has to have real sizes */ ++ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) ++ return -1; ++ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) ++ return -1; ++ + if (type == GL_BITMAP) { + if (rowLength > 0) { + groupsPerRow = rowLength; +@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + groupsPerRow = w; + } + rowSize = bits_to_bytes(groupsPerRow); ++ if (rowSize < 0) ++ return -1; + padding = (rowSize % alignment); + if (padding) { + rowSize += alignment - padding; + } +- return ((h + skipRows) * rowSize); ++ ++ return safe_mul(safe_add(h, skipRows), rowSize); + } + else { + switch (format) { +@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + default: + return -1; + } ++ /* known safe by the switches above, not checked */ + groupSize = bytesPerElement * elementsPerGroup; + if (rowLength > 0) { + groupsPerRow = rowLength; +@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + else { + groupsPerRow = w; + } +- rowSize = groupsPerRow * groupSize; ++ ++ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) ++ return -1; + padding = (rowSize % alignment); + if (padding) { + rowSize += alignment - padding; + } +- if (imageHeight > 0) { +- imageSize = (imageHeight + skipRows) * rowSize; +- } +- else { +- imageSize = (h + skipRows) * rowSize; +- } +- return ((d + skipImages) * imageSize); ++ ++ if (imageHeight > 0) ++ h = imageHeight; ++ h = safe_add(h, skipRows); ++ ++ imageSize = safe_mul(h, rowSize); ++ ++ return safe_mul(safe_add(d, skipImages), imageSize); + } + } + +@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) + /* XXX Should rowLength be used for either or both image? */ + image1size = __glXImageSize(format, type, 0, w, 1, 1, + 0, rowLength, 0, 0, alignment); +- image1size = __GLX_PAD(image1size); + image2size = __glXImageSize(format, type, 0, h, 1, 1, + 0, rowLength, 0, 0, alignment); +- return image1size + image2size; +- ++ return safe_add(safe_pad(image1size), image2size); + } +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 new file mode 100644 index 000000000000..ce3041385c77 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 @@ -0,0 +1,34 @@ +From 7e7630bbb775573eea2a2335adb9d190c3e1e971 Mon Sep 17 00:00:00 2001 +From: Robert Morell <rmorell@nvidia.com> +Date: Wed, 12 Nov 2014 18:51:43 -0800 +Subject: [PATCH 32/40] glx: Fix mask truncation in __glXGetAnswerBuffer + [CVE-2014-8093 6/6] + +On a system where sizeof(unsigned) != sizeof(intptr_t), the unary +bitwise not operation will result in a mask that clears all high bits +from temp_buf in the expression: + temp_buf = (temp_buf + mask) & ~mask; + +Signed-off-by: Robert Morell <rmorell@nvidia.com> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/indirect_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glx/indirect_util.c b/glx/indirect_util.c +index de81491..9ba2815 100644 +--- glx/indirect_util.c ++++ glx/indirect_util.c +@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size, + void *local_buffer, size_t local_size, unsigned alignment) + { + void *buffer = local_buffer; +- const unsigned mask = alignment - 1; ++ const intptr_t mask = alignment - 1; + + if (local_size < required_size) { + size_t worst_case_size; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8094 b/x11-servers/xorg-server/files/patch-CVE-2014-8094 new file mode 100644 index 000000000000..b634b6522b13 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8094 @@ -0,0 +1,35 @@ +From 6692670fde081bbfe9313f17d84037ae9116702a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 22 Jan 2014 23:40:18 -0800 +Subject: [PATCH 05/40] dri2: integer overflow in ProcDRI2GetBuffers() + [CVE-2014-8094] + +ProcDRI2GetBuffers() tries to validate a length field (count). +There is an integer overflow in the validation. This can cause +out of bound reads and memory corruption later on. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + hw/xfree86/dri2/dri2ext.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c +index ffd66fa..221ec53 100644 +--- hw/xfree86/dri2/dri2ext.c ++++ hw/xfree86/dri2/dri2ext.c +@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client) + unsigned int *attachments; + + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); ++ if (stuff->count > (INT_MAX / 4)) ++ return BadLength; ++ + if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, + &pDrawable, &status)) + return status; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8095 b/x11-servers/xorg-server/files/patch-CVE-2014-8095 new file mode 100644 index 000000000000..8c8a3f0bd6d5 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8095 @@ -0,0 +1,561 @@ +From 73c63afb93c0af1bfd1969bf6e71c9edca586c77 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 26 Jan 2014 10:54:41 -0800 +Subject: [PATCH 07/40] Xi: unvalidated lengths in Xinput extension + [CVE-2014-8095] + +Multiple functions in the Xinput extension handling of requests from +clients failed to check that the length of the request sent by the +client was large enough to perform all the required operations and +thus could read or write to memory outside the bounds of the request +buffer. + +This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE +macro in include/dix.h for the common case of needing to ensure a +request is large enough to include both the request itself and a +minimum amount of extra data following the request header. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + Xi/chgdctl.c | 8 ++++++-- + Xi/chgfctl.c | 2 ++ + Xi/sendexev.c | 3 +++ + Xi/xiallowev.c | 2 ++ + Xi/xichangecursor.c | 2 +- + Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++--- + Xi/xigetclientpointer.c | 1 + + Xi/xigrabdev.c | 9 ++++++++- + Xi/xipassivegrab.c | 12 ++++++++++-- + Xi/xiproperty.c | 14 ++++++-------- + Xi/xiquerydevice.c | 1 + + Xi/xiquerypointer.c | 2 ++ + Xi/xiselectev.c | 8 ++++++++ + Xi/xisetclientpointer.c | 3 ++- + Xi/xisetdevfocus.c | 4 ++++ + Xi/xiwarppointer.c | 2 ++ + include/dix.h | 4 ++++ + 17 files changed, 94 insertions(+), 18 deletions(-) + +diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c +index d078aa2..b3ee867 100644 +--- Xi/chgdctl.c ++++ Xi/chgdctl.c +@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client) + + REQUEST(xChangeDeviceControlReq); + swaps(&stuff->length); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + swaps(&stuff->control); + ctl = (xDeviceCtl *) &stuff[1]; + swaps(&ctl->control); +@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client) + xDeviceEnableCtl *e; + + REQUEST(xChangeDeviceControlReq); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + + len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); +@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client) + break; + case DEVICE_ENABLE: + e = (xDeviceEnableCtl *) &stuff[1]; ++ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) { ++ ret = BadLength; ++ goto out; ++ } + + if (IsXTestDevice(dev, NULL)) + status = !Success; +diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c +index 6dcf60c..224c2ba 100644 +--- Xi/chgfctl.c ++++ Xi/chgfctl.c +@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client) + xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + + if (client->swapped) { ++ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) ++ return BadLength; + swaps(&f->num_keysyms); + } + if (len != +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 3c21386..183f88d 100644 +--- Xi/sendexev.c ++++ Xi/sendexev.c +@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client) + if (ret != Success) + return ret; + ++ if (stuff->num_events == 0) ++ return ret; ++ + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); +diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c +index ebef233..ca263ef 100644 +--- Xi/xiallowev.c ++++ Xi/xiallowev.c +@@ -48,6 +48,7 @@ int + SProcXIAllowEvents(ClientPtr client) + { + REQUEST(xXIAllowEventsReq); ++ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client) + if (stuff->length > 3) { + xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff; + ++ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq); + swapl(&req_xi22->touchid); + swapl(&req_xi22->grab_window); + } +diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c +index 7a1bb7a..8e6255b 100644 +--- Xi/xichangecursor.c ++++ Xi/xichangecursor.c +@@ -57,11 +57,11 @@ int + SProcXIChangeCursor(ClientPtr client) + { + REQUEST(xXIChangeCursorReq); ++ REQUEST_SIZE_MATCH(xXIChangeCursorReq); + swaps(&stuff->length); + swapl(&stuff->win); + swapl(&stuff->cursor); + swaps(&stuff->deviceid); +- REQUEST_SIZE_MATCH(xXIChangeCursorReq); + return (ProcXIChangeCursor(client)); + } + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index 9e36354..2732445 100644 +--- Xi/xichangehierarchy.c ++++ Xi/xichangehierarchy.c +@@ -411,7 +411,7 @@ int + ProcXIChangeHierarchy(ClientPtr client) + { + xXIAnyHierarchyChangeInfo *any; +- int required_len = sizeof(xXIChangeHierarchyReq); ++ size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; + +@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + ++ if (stuff->length > (INT_MAX >> 2)) ++ return BadAlloc; ++ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); ++ + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { ++ if (len < sizeof(xXIAnyHierarchyChangeInfo)) { ++ rc = BadLength; ++ goto unwind; ++ } ++ + SWAPIF(swaps(&any->type)); + SWAPIF(swaps(&any->length)); + +- required_len += any->length; +- if ((stuff->length * 4) < required_len) ++ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) + return BadLength; + ++#define CHANGE_SIZE_MATCH(type) \ ++ do { \ ++ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ ++ rc = BadLength; \ ++ goto unwind; \ ++ } \ ++ } while(0) ++ + switch (any->type) { + case XIAddMaster: + { + xXIAddMasterInfo *c = (xXIAddMasterInfo *) any; + ++ /* Variable length, due to appended name string */ ++ if (len < sizeof(xXIAddMasterInfo)) { ++ rc = BadLength; ++ goto unwind; ++ } + SWAPIF(swaps(&c->name_len)); ++ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { ++ rc = BadLength; ++ goto unwind; ++ } + + rc = add_master(client, c, flags); + if (rc != Success) +@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; +@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client) + break; + } + ++ len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + +diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c +index 3c90d58..306dd39 100644 +--- Xi/xigetclientpointer.c ++++ Xi/xigetclientpointer.c +@@ -50,6 +50,7 @@ int + SProcXIGetClientPointer(ClientPtr client) + { + REQUEST(xXIGetClientPointerReq); ++ REQUEST_SIZE_MATCH(xXIGetClientPointerReq); + + swaps(&stuff->length); + swapl(&stuff->win); +diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c +index 63d95bc..e2a2ae3 100644 +--- Xi/xigrabdev.c ++++ Xi/xigrabdev.c +@@ -47,6 +47,11 @@ int + SProcXIGrabDevice(ClientPtr client) + { + REQUEST(xXIGrabDeviceReq); ++ /* ++ * Check here for at least the length of the struct we swap, then ++ * let ProcXIGrabDevice check the full size after we swap mask_len. ++ */ ++ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client) + unsigned int pointer_mode; + + REQUEST(xXIGrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); + + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); + if (ret != Success) +@@ -131,6 +136,7 @@ int + SProcXIUngrabDevice(ClientPtr client) + { + REQUEST(xXIUngrabDeviceReq); ++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client) + TimeStamp time; + + REQUEST(xXIUngrabDeviceReq); ++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); + if (ret != Success) +--- Xi/xipassivegrab.c.orig 2012-05-17 19:09:01.000000000 +0200 ++++ Xi/xipassivegrab.c 2014-12-10 10:32:35.379412598 +0100 +@@ -50,9 +50,10 @@ + SProcXIPassiveGrabDevice(ClientPtr client) + { + int i; +- xXIModifierInfo *mods; ++ uint32_t *mods; + + REQUEST(xXIPassiveGrabDeviceReq); ++ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -63,12 +64,12 @@ + swaps(&stuff->mask_len); + swaps(&stuff->num_modifiers); + +- mods = (xXIModifierInfo *) &stuff[1]; ++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, ++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4); ++ mods = (uint32_t *) &stuff[1] + stuff->mask_len; + + for (i = 0; i < stuff->num_modifiers; i++, mods++) { +- swapl(&mods->base_mods); +- swapl(&mods->latched_mods); +- swapl(&mods->locked_mods); ++ swapl(mods); + } + + return ProcXIPassiveGrabDevice(client); +@@ -88,7 +89,8 @@ + int mask_len; + + REQUEST(xXIPassiveGrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, ++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4); + + if (stuff->deviceid == XIAllDevices) + dev = inputInfo.all_devices; +@@ -250,6 +252,7 @@ + uint32_t *modifiers; + + REQUEST(xXIPassiveUngrabDeviceReq); ++ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); + + swaps(&stuff->length); + swapl(&stuff->grab_window); +@@ -257,6 +260,8 @@ + swapl(&stuff->detail); + swaps(&stuff->num_modifiers); + ++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, ++ ((uint32_t) stuff->num_modifiers) << 2); + modifiers = (uint32_t *) &stuff[1]; + + for (i = 0; i < stuff->num_modifiers; i++, modifiers++) +@@ -275,7 +280,8 @@ + int i, rc; + + REQUEST(xXIPassiveUngrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, ++ ((uint32_t) stuff->num_modifiers) << 2); + + if (stuff->deviceid == XIAllDevices) + dev = inputInfo.all_devices; +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 463607d..8e8e4b0 100644 +--- Xi/xiproperty.c ++++ Xi/xiproperty.c +@@ -1013,10 +1013,9 @@ int + SProcXListDeviceProperties(ClientPtr client) + { + REQUEST(xListDevicePropertiesReq); ++ REQUEST_SIZE_MATCH(xListDevicePropertiesReq); + + swaps(&stuff->length); +- +- REQUEST_SIZE_MATCH(xListDevicePropertiesReq); + return (ProcXListDeviceProperties(client)); + } + +@@ -1037,10 +1036,10 @@ int + SProcXDeleteDeviceProperty(ClientPtr client) + { + REQUEST(xDeleteDevicePropertyReq); ++ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); + + swaps(&stuff->length); + swapl(&stuff->property); +- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); + return (ProcXDeleteDeviceProperty(client)); + } + +@@ -1048,13 +1047,13 @@ int + SProcXGetDeviceProperty(ClientPtr client) + { + REQUEST(xGetDevicePropertyReq); ++ REQUEST_SIZE_MATCH(xGetDevicePropertyReq); + + swaps(&stuff->length); + swapl(&stuff->property); + swapl(&stuff->type); + swapl(&stuff->longOffset); + swapl(&stuff->longLength); +- REQUEST_SIZE_MATCH(xGetDevicePropertyReq); + return (ProcXGetDeviceProperty(client)); + } + +@@ -1253,11 +1252,10 @@ int + SProcXIListProperties(ClientPtr client) + { + REQUEST(xXIListPropertiesReq); ++ REQUEST_SIZE_MATCH(xXIListPropertiesReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +- +- REQUEST_SIZE_MATCH(xXIListPropertiesReq); + return (ProcXIListProperties(client)); + } + +@@ -1279,11 +1277,11 @@ int + SProcXIDeleteProperty(ClientPtr client) + { + REQUEST(xXIDeletePropertyReq); ++ REQUEST_SIZE_MATCH(xXIDeletePropertyReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->property); +- REQUEST_SIZE_MATCH(xXIDeletePropertyReq); + return (ProcXIDeleteProperty(client)); + } + +@@ -1291,6 +1289,7 @@ int + SProcXIGetProperty(ClientPtr client) + { + REQUEST(xXIGetPropertyReq); ++ REQUEST_SIZE_MATCH(xXIGetPropertyReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client) + swapl(&stuff->type); + swapl(&stuff->offset); + swapl(&stuff->len); +- REQUEST_SIZE_MATCH(xXIGetPropertyReq); + return (ProcXIGetProperty(client)); + } + +diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c +index 4e544f0..67a9a4f 100644 +--- Xi/xiquerydevice.c ++++ Xi/xiquerydevice.c +@@ -54,6 +54,7 @@ int + SProcXIQueryDevice(ClientPtr client) + { + REQUEST(xXIQueryDeviceReq); ++ REQUEST_SIZE_MATCH(xXIQueryDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index e9bdd42..7ec0c85 100644 +--- Xi/xiquerypointer.c ++++ Xi/xiquerypointer.c +@@ -63,6 +63,8 @@ int + SProcXIQueryPointer(ClientPtr client) + { + REQUEST(xXIQueryPointerReq); ++ REQUEST_SIZE_MATCH(xXIQueryPointerReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->win); +diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c +index 45a996e..168579f 100644 +--- Xi/xiselectev.c ++++ Xi/xiselectev.c +@@ -114,6 +114,7 @@ int + SProcXISelectEvents(ClientPtr client) + { + int i; ++ int len; + xXIEventMask *evmask; + + REQUEST(xXISelectEventsReq); +@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client) + swapl(&stuff->win); + swaps(&stuff->num_masks); + ++ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq)); + evmask = (xXIEventMask *) &stuff[1]; + for (i = 0; i < stuff->num_masks; i++) { ++ if (len < bytes_to_int32(sizeof(xXIEventMask))) ++ return BadLength; ++ len -= bytes_to_int32(sizeof(xXIEventMask)); + swaps(&evmask->deviceid); + swaps(&evmask->mask_len); ++ if (len < evmask->mask_len) ++ return BadLength; ++ len -= evmask->mask_len; + evmask = + (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4); + } +diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c +index 38ff51e..24d4a53 100644 +--- Xi/xisetclientpointer.c ++++ Xi/xisetclientpointer.c +@@ -51,10 +51,11 @@ int + SProcXISetClientPointer(ClientPtr client) + { + REQUEST(xXISetClientPointerReq); ++ REQUEST_SIZE_MATCH(xXISetClientPointerReq); ++ + swaps(&stuff->length); + swapl(&stuff->win); + swaps(&stuff->deviceid); +- REQUEST_SIZE_MATCH(xXISetClientPointerReq); + return (ProcXISetClientPointer(client)); + } + +diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c +index 372ec24..96a9a16 100644 +--- Xi/xisetdevfocus.c ++++ Xi/xisetdevfocus.c +@@ -44,6 +44,8 @@ int + SProcXISetFocus(ClientPtr client) + { + REQUEST(xXISetFocusReq); ++ REQUEST_AT_LEAST_SIZE(xXISetFocusReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->focus); +@@ -56,6 +58,8 @@ int + SProcXIGetFocus(ClientPtr client) + { + REQUEST(xXIGetFocusReq); ++ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + +diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c +index 3f051f7..780758a 100644 +--- Xi/xiwarppointer.c ++++ Xi/xiwarppointer.c +@@ -56,6 +56,8 @@ int + SProcXIWarpPointer(ClientPtr client) + { + REQUEST(xXIWarpPointerReq); ++ REQUEST_SIZE_MATCH(xXIWarpPointerReq); ++ + swaps(&stuff->length); + swapl(&stuff->src_win); + swapl(&stuff->dst_win); +diff --git a/include/dix.h b/include/dix.h +index e0c6ed8..21176a8 100644 +--- include/dix.h ++++ include/dix.h +@@ -74,6 +74,10 @@ SOFTWARE. + if ((sizeof(req) >> 2) > client->req_len )\ + return(BadLength) + ++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ ++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ ++ return(BadLength) ++ + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ + ((n >> 2) >= client->req_len) || \ +-- +cgit v0.10.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8096 b/x11-servers/xorg-server/files/patch-CVE-2014-8096 new file mode 100644 index 000000000000..789801aa3d9d --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8096 @@ -0,0 +1,27 @@ +From 7553082b9b883b5f130044f3d53bce2f0b660e52 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 26 Jan 2014 17:18:54 -0800 +Subject: [PATCH 08/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList() + [CVE-2014-8096] + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + Xext/xcmisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c +index 034bfb6..1e91010 100644 +--- Xext/xcmisc.c ++++ Xext/xcmisc.c +@@ -167,6 +167,7 @@ static int + SProcXCMiscGetXIDList(ClientPtr client) + { + REQUEST(xXCMiscGetXIDListReq); ++ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); + + swaps(&stuff->length); + swapl(&stuff->count); +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097 b/x11-servers/xorg-server/files/patch-CVE-2014-8097 new file mode 100644 index 000000000000..19964c2274e4 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8097 @@ -0,0 +1,73 @@ +From 2ef42519c41e793579c9cea699c866fee3d9321f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Wed, 22 Jan 2014 23:12:04 -0800 +Subject: [PATCH 06/40] dbe: unvalidated lengths in DbeSwapBuffers calls + [CVE-2014-8097] + +ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read +from a buffer. The length is never validated, which can lead to out of +bound reads, and possibly returning the data read from out of bounds to +the misbehaving client via an X Error packet. + +SProcDbeSwapBuffers() swaps data (for correct endianness) before +handing it off to the real proc. While doing the swapping, the +length field is not validated, which can cause memory corruption. + +v2: reorder checks to avoid compilers optimizing out checks for overflow +that happen after we'd already have done the overflowing multiplications. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + dbe/dbe.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/dbe/dbe.c b/dbe/dbe.c +index 527588c..df2ad5c 100644 +--- dbe/dbe.c ++++ dbe/dbe.c +@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client) + DbeSwapInfoPtr swapInfo; + xDbeSwapInfo *dbeSwapInfo; + int error; +- register int i, j; +- int nStuff; ++ unsigned int i, j; ++ unsigned int nStuff; + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + nStuff = stuff->n; /* use local variable for performance. */ + + if (nStuff == 0) { ++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); + return Success; + } + + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); + + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *) &stuff[1]; +@@ -914,13 +916,16 @@ static int + SProcDbeSwapBuffers(ClientPtr client) + { + REQUEST(xDbeSwapBuffersReq); +- register int i; ++ unsigned int i; + xDbeSwapInfo *pSwapInfo; + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + + swapl(&stuff->n); ++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) { + pSwapInfo = (xDbeSwapInfo *) stuff + 1; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 new file mode 100644 index 000000000000..70b898717ba1 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 @@ -0,0 +1,50 @@ +From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Tue, 9 Dec 2014 09:30:57 -0800 +Subject: [PATCH 36/40] dbe: Call to DDX SwapBuffers requires address of int, + not unsigned int [CVE-2014-8097 pt. 2] + +When the local types used to walk the DBE request were changed, this +changed the type of the parameter passed to the DDX SwapBuffers API, +but there wasn't a matching change in the API definition. + +At this point, with the API frozen, I just stuck a new variable in +with the correct type. Because we've already bounds-checked nStuff to +be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will +fit in a signed int without overflow. + +Signed-off-by: Keith Packard <keithp@keithp.com +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + dbe/dbe.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/dbe/dbe.c b/dbe/dbe.c +index df2ad5c..e5d928d 100644 +--- dbe/dbe.c ++++ dbe/dbe.c +@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client) + int error; + unsigned int i, j; + unsigned int nStuff; ++ int nStuff_i; /* DDX API requires int for nStuff */ + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + nStuff = stuff->n; /* use local variable for performance. */ +@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client) + * could deal with cross-screen synchronization. + */ + +- while (nStuff > 0) { ++ nStuff_i = nStuff; ++ while (nStuff_i > 0) { + pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); +- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo); ++ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo); + if (error != Success) { + free(swapInfo); + return error; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 new file mode 100644 index 000000000000..658fa963992b --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 @@ -0,0 +1,59 @@ +From 13d36923e0ddb077f4854e354c3d5c80590b5d9d Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:39 -0500 +Subject: [PATCH 22/40] glx: Fix image size computation for EXT_texture_integer + [CVE-2014-8098 1/8] + +Without this we'd reject the request with BadLength. Note that some old +versions of Mesa had a bug in the same place, and would _send_ zero +bytes of image data; these will now be rejected, correctly. + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/rensize.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/glx/rensize.c b/glx/rensize.c +index ba22d10..9ff73c7 100644 +--- glx/rensize.c ++++ glx/rensize.c +@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + case GL_ALPHA: + case GL_LUMINANCE: + case GL_INTENSITY: ++ case GL_RED_INTEGER_EXT: ++ case GL_GREEN_INTEGER_EXT: ++ case GL_BLUE_INTEGER_EXT: ++ case GL_ALPHA_INTEGER_EXT: ++ case GL_LUMINANCE_INTEGER_EXT: + elementsPerGroup = 1; + break; + case GL_422_EXT: +@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, + case GL_DEPTH_STENCIL_MESA: + case GL_YCBCR_MESA: + case GL_LUMINANCE_ALPHA: ++ case GL_LUMINANCE_ALPHA_INTEGER_EXT: + elementsPerGroup = 2; + break; + case GL_RGB: + case GL_BGR: ++ case GL_RGB_INTEGER_EXT: ++ case GL_BGR_INTEGER_EXT: + elementsPerGroup = 3; + break; + case GL_RGBA: + case GL_BGRA: ++ case GL_RGBA_INTEGER_EXT: ++ case GL_BGRA_INTEGER_EXT: + case GL_ABGR_EXT: + elementsPerGroup = 4; + break; +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 new file mode 100644 index 000000000000..bbbc5b60ebd1 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 @@ -0,0 +1,75 @@ +From be09e0c988ffdb0371293af49fb4ea8f49ed324a Mon Sep 17 00:00:00 2001 +From: Julien Cristau <jcristau@debian.org> +Date: Mon, 10 Nov 2014 12:13:41 -0500 +Subject: [PATCH 24/40] glx: Length checking for GLXRender requests (v2) + [CVE-2014-8098 2/8] + +v2: +Remove can't-happen comparison for cmdlen < 0 (Michal Srb) + +Reviewed-by: Adam Jackson <ajax@redhat.com> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Julien Cristau <jcristau@debian.org> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxcmds.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index ea42e2a..ddd9119 100644 +--- glx/glxcmds.c ++++ glx/glxcmds.c +@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) + left = (req->length << 2) - sz_xGLXRenderReq; + while (left > 0) { + __GLXrenderSizeData entry; +- int extra; ++ int extra = 0; + __GLXdispatchRenderProcPtr proc; + int err; + +@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) + cmdlen = hdr->length; + opcode = hdr->opcode; + ++ if (left < cmdlen) ++ return BadLength; ++ + /* + ** Check for core opcodes and grab entry data. + */ +@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) + return __glXError(GLXBadRenderRequest); + } + ++ if (cmdlen < entry.bytes) { ++ return BadLength; ++ } ++ + if (entry.varsize) { + /* variable size command */ + extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, +@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) + if (extra < 0) { + return BadLength; + } +- if (cmdlen != __GLX_PAD(entry.bytes + extra)) { +- return BadLength; +- } + } +- else { +- /* constant size command */ +- if (cmdlen != __GLX_PAD(entry.bytes)) { +- return BadLength; +- } +- } +- if (left < cmdlen) { ++ ++ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) { + return BadLength; + } + +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 new file mode 100644 index 000000000000..0f54277f803c --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 @@ -0,0 +1,153 @@ +From a33a939e6abb255b14d8dbc85fcbd2c55b958bae Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:43 -0500 +Subject: [PATCH 26/40] glx: Length checking for RenderLarge requests (v2) + [CVE-2014-8098 3/8] + +This is a half-measure until we start passing request length into the +varsize function, but it's better than the nothing we had before. + +v2: Verify that there's at least a large render header's worth of +dataBytes (Julien Cristau) + +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 34 insertions(+), 23 deletions(-) + +--- glx/glxcmds.c.orig 2014-12-10 14:30:17.826442820 +0100 ++++ glx/glxcmds.c 2014-12-10 14:32:34.472432537 +0100 +@@ -2032,6 +2032,8 @@ + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); ++ + req = (xGLXRenderLargeReq *) pc; + if (client->swapped) { + __GLX_SWAP_SHORT(&req->length); +@@ -2047,12 +2049,14 @@ + __glXResetLargeCommandStatus(cl); + return error; + } ++ if (safe_pad(req->dataBytes) < 0) ++ return BadLength; + dataBytes = req->dataBytes; + + /* + ** Check the request length. + */ +- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { ++ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { + client->errorValue = req->length; + /* Reset in case this isn't 1st request. */ + __glXResetLargeCommandStatus(cl); +@@ -2062,7 +2066,7 @@ + + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData entry; +- int extra; ++ int extra = 0; + size_t cmdlen; + int err; + +@@ -2075,13 +2079,17 @@ + return __glXError(GLXBadLargeRequest); + } + ++ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) ++ return BadLength; ++ + hdr = (__GLXrenderLargeHeader *) pc; + if (client->swapped) { + __GLX_SWAP_INT(&hdr->length); + __GLX_SWAP_INT(&hdr->opcode); + } +- cmdlen = hdr->length; + opcode = hdr->opcode; ++ if ((cmdlen = safe_pad(hdr->length)) < 0) ++ return BadLength; + + /* + ** Check for core opcodes and grab entry data. +@@ -2103,17 +2111,13 @@ + if (extra < 0) { + return BadLength; + } +- /* large command's header is 4 bytes longer, so add 4 */ +- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { +- return BadLength; +- } + } +- else { +- /* constant size command */ +- if (cmdlen != __GLX_PAD(entry.bytes + 4)) { +- return BadLength; +- } ++ ++ /* the +4 is safe because we know entry.bytes is small */ ++ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) { ++ return BadLength; + } ++ + /* + ** Make enough space in the buffer, then copy the entire request. + */ +@@ -2143,6 +2147,7 @@ + ** We are receiving subsequent (i.e. not the first) requests of a + ** multi request command. + */ ++ int bytesSoFar; /* including this packet */ + + /* + ** Check the request number and the total request count. +@@ -2161,11 +2166,18 @@ + /* + ** Check that we didn't get too much data. + */ +- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { ++ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { ++ client->errorValue = dataBytes; ++ __glXResetLargeCommandStatus(cl); ++ return __glXError(GLXBadLargeRequest); ++ } ++ ++ if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); + } ++ + memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes); + cl->largeCmdBytesSoFar += dataBytes; + cl->largeCmdRequestsSoFar++; +@@ -2177,17 +2189,16 @@ + ** This is the last request; it must have enough bytes to complete + ** the command. + */ +- /* NOTE: the two pad macros have been added below; they are needed +- ** because the client library pads the total byte count, but not +- ** the per-request byte counts. The Protocol Encoding says the +- ** total byte count should not be padded, so a proposal will be +- ** made to the ARB to relax the padding constraint on the total +- ** byte count, thus preserving backward compatibility. Meanwhile, +- ** the padding done below fixes a bug that did not allow +- ** large commands of odd sizes to be accepted by the server. ++ /* NOTE: the pad macro below is needed because the client library ++ ** pads the total byte count, but not the per-request byte counts. ++ ** The Protocol Encoding says the total byte count should not be ++ ** padded, so a proposal will be made to the ARB to relax the ++ ** padding constraint on the total byte count, thus preserving ++ ** backward compatibility. Meanwhile, the padding done below ++ ** fixes a bug that did not allow large commands of odd sizes to ++ ** be accepted by the server. + */ +- if (__GLX_PAD(cl->largeCmdBytesSoFar) != +- __GLX_PAD(cl->largeCmdBytesTotal)) { ++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 new file mode 100644 index 000000000000..3a89be2990f2 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 @@ -0,0 +1,51 @@ +From c91e4abc3b892f42802efa20fef7ada442c2d3f5 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:44 -0500 +Subject: [PATCH 27/40] glx: Top-level length checking for swapped + VendorPrivate requests [CVE-2014-8098 4/8] + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxcmdsswap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c +index 5d179f3..9ec1222 100644 +--- glx/glxcmdsswap.c ++++ glx/glxcmdsswap.c +@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc) + int + __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateReq *req; + GLint vendorcode; + __GLXdispatchVendorPrivProcPtr proc; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); + + req = (xGLXVendorPrivateReq *) pc; + __GLX_SWAP_SHORT(&req->length); +@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) + int + __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateWithReplyReq *req; + GLint vendorcode; + __GLXdispatchVendorPrivProcPtr proc; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); + + req = (xGLXVendorPrivateWithReplyReq *) pc; + __GLX_SWAP_SHORT(&req->length); +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 new file mode 100644 index 000000000000..1a043b808113 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 @@ -0,0 +1,45 @@ +From 44ba149f28ece93c2fbfc9cc980588de5322dd4b Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:46 -0500 +Subject: [PATCH 29/40] glx: Length-checking for non-generated vendor private + requests [CVE-2014-8098 6/8] + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/indirect_program.c | 2 ++ + glx/swap_interval.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/glx/indirect_program.c b/glx/indirect_program.c +index cda139e..5caee7b 100644 +--- glx/indirect_program.c ++++ glx/indirect_program.c +@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc, + __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8); ++ + pc += __GLX_VENDPRIV_HDR_SIZE; + if (cx != NULL) { + GLenum target; +diff --git a/glx/swap_interval.c b/glx/swap_interval.c +index 17bc992..2320550 100644 +--- glx/swap_interval.c ++++ glx/swap_interval.c +@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap) + __GLXcontext *cx; + GLint interval; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4); ++ + cx = __glXLookupContextByTag(cl, tag); + + if ((cx == NULL) || (cx->pGlxScreen == NULL)) { +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 new file mode 100644 index 000000000000..518b71d1f885 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 @@ -0,0 +1,553 @@ +From 984583a497c813df5827ae22483133e704fee79c Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:47 -0500 +Subject: [PATCH 30/40] glx: Length checking for non-generated single requests + (v2) [CVE-2014-8098 7/8] + +v2: +Fix single versus vendor-private length checking for ARB_imaging subset +extensions. (Julien Cristau) + +v3: +Fix single versus vendor-private length checking for ARB_imaging subset +extensions. (Julien Cristau) + +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Julien Cristau <jcristau@debian.org> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/indirect_texture_compression.c | 4 ++++ + glx/single2.c | 23 +++++++++++++++----- + glx/single2swap.c | 19 ++++++++++++---- + glx/singlepix.c | 44 +++++++++++++++++++++++++------------- + glx/singlepixswap.c | 34 ++++++++++++++++++++++++----- + 5 files changed, 95 insertions(+), 29 deletions(-) + +diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c +index cda7656..1ebf7f3 100644 +--- glx/indirect_texture_compression.c ++++ glx/indirect_texture_compression.c +@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc) + __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + pc += __GLX_SINGLE_HDR_SIZE; + if (cx != NULL) { + const GLenum target = *(GLenum *) (pc + 0); +@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc) + __glXForceCurrent(cl, bswap_32(req->contextTag), &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + pc += __GLX_SINGLE_HDR_SIZE; + if (cx != NULL) { + const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); +--- glx/single2.c.orig 2012-05-17 19:09:02.000000000 +0200 ++++ glx/single2.c 2014-12-10 14:44:06.961670320 +0100 +@@ -49,11 +49,14 @@ + int + __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -80,10 +83,13 @@ + int + __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -108,7 +114,7 @@ + int + __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + xGLXRenderModeReply reply; + __GLXcontext *cx; + GLint nitems = 0, retBytes = 0, retval, newModeCheck; +@@ -116,6 +122,8 @@ + GLenum newMode; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -192,7 +200,6 @@ + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -209,9 +216,12 @@ + int + __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -225,10 +235,12 @@ + int + __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -319,7 +331,7 @@ + int + DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLenum name; + const char *string; +@@ -329,6 +341,8 @@ + char *buf = NULL, *buf1 = NULL; + GLint length = 0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + /* If the client has the opposite byte order, swap the contextTag and + * the name. + */ +@@ -345,7 +359,6 @@ + pc += __GLX_SINGLE_HDR_SIZE; + name = *(GLenum *) (pc + 0); + string = (const char *) CALL_GetString(GET_DISPATCH(), (name)); +- client = cl->client; + + if (string == NULL) + string = ""; +--- glx/single2swap.c.orig 2012-05-17 19:09:02.000000000 +0200 ++++ glx/single2swap.c 2014-12-10 14:46:06.475406737 +0100 +@@ -45,6 +45,7 @@ + int + __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + +@@ -52,6 +53,8 @@ + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -81,12 +84,15 @@ + int + __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + + __GLX_DECLARE_SWAP_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -113,7 +119,7 @@ + int + __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + xGLXRenderModeReply reply; + GLint nitems = 0, retBytes = 0, retval, newModeCheck; +@@ -124,6 +130,8 @@ + __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -204,7 +212,6 @@ + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -226,11 +233,14 @@ + int + __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -245,12 +255,14 @@ + int + __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -262,7 +274,6 @@ + cx->hasUnflushedCommands = GL_FALSE; + + /* Send empty reply packet to indicate finish is finished */ +- client = cl->client; + __GLX_BEGIN_REPLY(0); + __GLX_PUT_RETVAL(0); + __GLX_SWAP_REPLY_HEADER(); +--- glx/singlepix.c.orig 2014-12-10 15:49:35.025115139 +0100 ++++ glx/singlepix.c 2014-12-10 15:53:21.967098978 +0100 +@@ -55,6 +55,8 @@ + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -107,6 +109,8 @@ + char *answer, answerBuffer[200]; + GLint width = 0, height = 0, depth = 1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -169,6 +173,8 @@ + GLubyte answerBuffer[200]; + char *answer; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -231,15 +237,13 @@ + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + return BadLength; +- if (compsize2 < 0) ++ if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); ++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); + __glXClearErrorOccured(); + CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), + *(GLenum *) (pc + 4), +@@ -265,7 +269,8 @@ + __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -273,7 +278,8 @@ + __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -343,7 +349,8 @@ + __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -351,7 +358,8 @@ + __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -411,7 +419,8 @@ + __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -419,7 +428,8 @@ + __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -471,7 +481,8 @@ + __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -479,7 +490,8 @@ + __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -540,7 +552,8 @@ + __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -548,6 +561,7 @@ + __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } +--- glx/singlepixswap.c.orig 2014-12-10 15:49:35.025115139 +0100 ++++ glx/singlepixswap.c 2014-12-10 15:55:47.558406617 +0100 +@@ -57,6 +57,8 @@ + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -122,6 +124,8 @@ + char *answer, answerBuffer[200]; + GLint width = 0, height = 0, depth = 1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -197,6 +201,8 @@ + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -266,15 +272,13 @@ + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + return BadLength; +- if (compsize2 < 0) ++ if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); +- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); ++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); + __glXClearErrorOccured(); + CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), + *(GLenum *) (pc + 4), +@@ -302,7 +306,9 @@ + __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -310,7 +316,9 @@ + __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -388,7 +396,9 @@ + __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -396,7 +406,9 @@ + __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -463,7 +475,9 @@ + __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -471,7 +485,9 @@ + __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -529,7 +545,9 @@ + __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -537,7 +555,9 @@ + __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -605,7 +625,9 @@ + __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -613,6 +635,8 @@ + __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 new file mode 100644 index 000000000000..defe212095d3 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 @@ -0,0 +1,964 @@ +From e883c170c15493ab3637c0a01890f5a7ca4e16a5 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:48 -0500 +Subject: [PATCH 31/40] glx: Pass remaining request length into ->varsize (v2) + [CVE-2014-8098 8/8] + +v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) + +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + glx/glxcmds.c | 7 +- + glx/glxserver.h | 2 +- + glx/indirect_reqsize.c | 142 +++++++++++++++++++------------------- + glx/indirect_reqsize.h | 181 ++++++++++++++++++++++++++++++------------------- + glx/rensize.c | 27 +++++--- + 5 files changed, 205 insertions(+), 154 deletions(-) + +--- glx/glxcmds.c.orig 2014-12-10 15:58:29.877078381 +0100 ++++ glx/glxcmds.c 2014-12-10 16:02:02.578063888 +0100 +@@ -1990,7 +1990,8 @@ + if (entry.varsize) { + /* variable size command */ + extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, +- client->swapped); ++ client->swapped, ++ left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +@@ -2067,6 +2068,7 @@ + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData entry; + int extra = 0; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + size_t cmdlen; + int err; + +@@ -2107,7 +2109,8 @@ + ** will be in the 1st request, so it's okay to do this. + */ + extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, +- client->swapped); ++ client->swapped, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +--- glx/glxserver.h.orig 2012-05-17 19:09:02.000000000 +0200 ++++ glx/glxserver.h 2014-12-10 14:55:50.575337222 +0100 +@@ -167,7 +167,7 @@ + /* + * Tables for computing the size of each rendering command. + */ +-typedef int (*gl_proto_size_func) (const GLbyte *, Bool); ++typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int); + + typedef struct { + int bytes; +--- glx/indirect_reqsize.c.orig 2012-05-17 19:09:02.000000000 +0200 ++++ glx/indirect_reqsize.c 2014-12-10 15:28:31.264202211 +0100 +@@ -31,24 +31,22 @@ + #include "indirect_size.h" + #include "indirect_reqsize.h" + +-#define __GLX_PAD(x) (((x) + 3) & ~3) +- + #if defined(__CYGWIN__) || defined(__MINGW32__) + #undef HAVE_ALIAS + #endif + #ifdef HAVE_ALIAS + #define ALIAS2(from,to) \ +- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ ++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + __attribute__ ((alias( # to ))); + #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) + #else + #define ALIAS(from,to) \ +- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ +- { return __glX ## to ## ReqSize( pc, swap ); } ++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ ++ { return __glX ## to ## ReqSize( pc, swap, reqlen ); } + #endif + + int +-__glXCallListsReqSize(const GLbyte * pc, Bool swap) ++__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + GLenum type = *(GLenum *) (pc + 4); +@@ -60,11 +58,11 @@ + } + + compsize = __glCallLists_size(type); +- return __GLX_PAD((compsize * n)); ++ return safe_pad(safe_mul(compsize, n)); + } + + int +-__glXBitmapReqSize(const GLbyte * pc, Bool swap) ++__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -88,7 +86,7 @@ + } + + int +-__glXFogfvReqSize(const GLbyte * pc, Bool swap) ++__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -98,11 +96,11 @@ + } + + compsize = __glFogfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXLightfvReqSize(const GLbyte * pc, Bool swap) ++__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -112,11 +110,11 @@ + } + + compsize = __glLightfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap) ++__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -126,11 +124,11 @@ + } + + compsize = __glLightModelfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap) ++__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -140,11 +138,11 @@ + } + + compsize = __glMaterialfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) ++__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -164,7 +162,7 @@ + } + + int +-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -174,11 +172,11 @@ + } + + compsize = __glTexParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -206,7 +204,7 @@ + } + + int +-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -236,7 +234,7 @@ + } + + int +-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -246,11 +244,11 @@ + } + + compsize = __glTexEnvfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexGendvReqSize(const GLbyte * pc, Bool swap) ++__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -260,11 +258,11 @@ + } + + compsize = __glTexGendv_size(pname); +- return __GLX_PAD((compsize * 8)); ++ return safe_pad(safe_mul(compsize, 8)); + } + + int +-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -274,11 +272,11 @@ + } + + compsize = __glTexGenfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) ++__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei mapsize = *(GLsizei *) (pc + 4); + +@@ -286,11 +284,11 @@ + mapsize = bswap_32(mapsize); + } + +- return __GLX_PAD((mapsize * 4)); ++ return safe_pad(safe_mul(mapsize, 4)); + } + + int +-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) ++__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei mapsize = *(GLsizei *) (pc + 4); + +@@ -298,11 +296,11 @@ + mapsize = bswap_32(mapsize); + } + +- return __GLX_PAD((mapsize * 2)); ++ return safe_pad(safe_mul(mapsize, 2)); + } + + int +-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) ++__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -330,7 +328,7 @@ + } + + int +-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) ++__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + +@@ -338,11 +336,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 4) + (n * 4)); ++ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); + } + + int +-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -370,7 +368,7 @@ + } + + int +-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -400,7 +398,7 @@ + } + + int +-__glXColorTableReqSize(const GLbyte * pc, Bool swap) ++__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -428,7 +426,7 @@ + } + + int +-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -438,11 +436,11 @@ + } + + compsize = __glColorTableParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap) ++__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -470,7 +468,7 @@ + } + + int +-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -498,7 +496,7 @@ + } + + int +-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -528,7 +526,7 @@ + } + + int +-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -538,11 +536,11 @@ + } + + compsize = __glConvolutionParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = *(GLint *) (pc + 8); +@@ -579,7 +577,7 @@ + } + + int +-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = *(GLint *) (pc + 8); +@@ -613,7 +611,7 @@ + } + + int +-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 20); + +@@ -621,11 +619,11 @@ + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 24); + +@@ -633,11 +631,11 @@ + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 28); + +@@ -645,11 +643,11 @@ + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 36); + +@@ -657,11 +655,11 @@ + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) ++__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei len = *(GLsizei *) (pc + 8); + +@@ -669,11 +667,11 @@ + len = bswap_32(len); + } + +- return __GLX_PAD(len); ++ return safe_pad(len); + } + + int +-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap) ++__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + +@@ -681,11 +679,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 4)); ++ return safe_pad(safe_mul(n, 4)); + } + + int +-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap) ++__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -695,11 +693,11 @@ + } + + compsize = __glPointParameterfvEXT_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei num = *(GLsizei *) (pc + 8); + +@@ -707,11 +705,11 @@ + num = bswap_32(num); + } + +- return __GLX_PAD((num * 32)); ++ return safe_pad(safe_mul(num, 32)); + } + + int +-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei num = *(GLsizei *) (pc + 8); + +@@ -719,11 +717,11 @@ + num = bswap_32(num); + } + +- return __GLX_PAD((num * 16)); ++ return safe_pad(safe_mul(num, 16)); + } + + int +-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -731,11 +729,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 8)); ++ return safe_pad(safe_mul(n, 8)); + } + + int +-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -743,11 +741,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 16)); ++ return safe_pad(safe_mul(n, 16)); + } + + int +-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -755,11 +753,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 24)); ++ return safe_pad(safe_mul(n, 24)); + } + + int +-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -767,11 +765,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 12)); ++ return safe_pad(safe_mul(n, 12)); + } + + int +-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -779,11 +777,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 6)); ++ return safe_pad(safe_mul(n, 6)); + } + + int +-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -791,11 +789,11 @@ + n = bswap_32(n); + } + +- return __GLX_PAD((n * 32)); ++ return safe_pad(safe_mul(n, 32)); + } + + int +-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei len = *(GLsizei *) (pc + 4); + +@@ -803,7 +801,7 @@ + len = bswap_32(len); + } + +- return __GLX_PAD(len); ++ return safe_pad(len); + } + + ALIAS(Fogiv, Fogfv) +--- glx/indirect_reqsize.h.orig 2012-05-17 19:09:02.000000000 +0200 ++++ glx/indirect_reqsize.h 2014-12-10 15:45:48.967149775 +0100 +@@ -36,128 +36,169 @@ + #define PURE + #endif + +-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap); ++extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); ++extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, ++ int reqlen); + extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + + #undef PURE + +--- glx/rensize.c.orig 2012-05-17 19:09:02.000000000 +0200 ++++ glx/rensize.c 2014-12-10 14:55:50.580336482 +0100 +@@ -52,7 +52,7 @@ + } + + int +-__glXMap1dReqSize(const GLbyte * pc, Bool swap) ++__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint order, k; +@@ -68,7 +68,7 @@ + } + + int +-__glXMap1fReqSize(const GLbyte * pc, Bool swap) ++__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint order, k; +@@ -92,7 +92,7 @@ + } + + int +-__glXMap2dReqSize(const GLbyte * pc, Bool swap) ++__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder, k; +@@ -110,7 +110,7 @@ + } + + int +-__glXMap2fReqSize(const GLbyte * pc, Bool swap) ++__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder, k; +@@ -342,13 +342,14 @@ + } + + int +-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap) ++__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; + __GLXdispatchDrawArraysComponentHeader *compHeader; + GLint numVertexes = hdr->numVertexes; + GLint numComponents = hdr->numComponents; + GLint arrayElementSize = 0; ++ GLint x, size; + int i; + + if (swap) { +@@ -357,6 +358,13 @@ + } + + pc += sizeof(__GLXdispatchDrawArraysHeader); ++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); ++ ++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), ++ numComponents); ++ if (size < 0 || reqlen < 0 || reqlen < size) ++ return -1; ++ + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; + + for (i = 0; i < numComponents; i++) { +@@ -400,17 +408,18 @@ + return -1; + } + +- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); ++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); ++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) ++ return -1; + + pc += sizeof(__GLXdispatchDrawArraysComponentHeader); + } + +- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + +- (numVertexes * arrayElementSize)); ++ return safe_add(size, safe_mul(numVertexes, arrayElementSize)); + } + + int +-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) ++__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8099 b/x11-servers/xorg-server/files/patch-CVE-2014-8099 new file mode 100644 index 000000000000..dfc1b68a7f35 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8099 @@ -0,0 +1,179 @@ +From 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 26 Jan 2014 19:23:17 -0800 +Subject: [PATCH 09/40] Xv: unvalidated lengths in XVideo extension swapped + procs [CVE-2014-8099] + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + Xext/xvdisp.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c +index 86f982a..c2d0fc9 100644 +--- Xext/xvdisp.c ++++ Xext/xvdisp.c +@@ -1121,6 +1121,7 @@ static int + SProcXvQueryExtension(ClientPtr client) + { + REQUEST(xvQueryExtensionReq); ++ REQUEST_SIZE_MATCH(xvQueryExtensionReq); + swaps(&stuff->length); + return XvProcVector[xv_QueryExtension] (client); + } +@@ -1129,6 +1130,7 @@ static int + SProcXvQueryAdaptors(ClientPtr client) + { + REQUEST(xvQueryAdaptorsReq); ++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); + swaps(&stuff->length); + swapl(&stuff->window); + return XvProcVector[xv_QueryAdaptors] (client); +@@ -1138,6 +1140,7 @@ static int + SProcXvQueryEncodings(ClientPtr client) + { + REQUEST(xvQueryEncodingsReq); ++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_QueryEncodings] (client); +@@ -1147,6 +1150,7 @@ static int + SProcXvGrabPort(ClientPtr client) + { + REQUEST(xvGrabPortReq); ++ REQUEST_SIZE_MATCH(xvGrabPortReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->time); +@@ -1157,6 +1161,7 @@ static int + SProcXvUngrabPort(ClientPtr client) + { + REQUEST(xvUngrabPortReq); ++ REQUEST_SIZE_MATCH(xvUngrabPortReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->time); +@@ -1167,6 +1172,7 @@ static int + SProcXvPutVideo(ClientPtr client) + { + REQUEST(xvPutVideoReq); ++ REQUEST_SIZE_MATCH(xvPutVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1186,6 +1192,7 @@ static int + SProcXvPutStill(ClientPtr client) + { + REQUEST(xvPutStillReq); ++ REQUEST_SIZE_MATCH(xvPutStillReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1205,6 +1212,7 @@ static int + SProcXvGetVideo(ClientPtr client) + { + REQUEST(xvGetVideoReq); ++ REQUEST_SIZE_MATCH(xvGetVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1224,6 +1232,7 @@ static int + SProcXvGetStill(ClientPtr client) + { + REQUEST(xvGetStillReq); ++ REQUEST_SIZE_MATCH(xvGetStillReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1243,6 +1252,7 @@ static int + SProcXvPutImage(ClientPtr client) + { + REQUEST(xvPutImageReq); ++ REQUEST_AT_LEAST_SIZE(xvPutImageReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1266,6 +1276,7 @@ static int + SProcXvShmPutImage(ClientPtr client) + { + REQUEST(xvShmPutImageReq); ++ REQUEST_SIZE_MATCH(xvShmPutImageReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1293,6 +1304,7 @@ static int + SProcXvSelectVideoNotify(ClientPtr client) + { + REQUEST(xvSelectVideoNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); + swaps(&stuff->length); + swapl(&stuff->drawable); + return XvProcVector[xv_SelectVideoNotify] (client); +@@ -1302,6 +1314,7 @@ static int + SProcXvSelectPortNotify(ClientPtr client) + { + REQUEST(xvSelectPortNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_SelectPortNotify] (client); +@@ -1311,6 +1324,7 @@ static int + SProcXvStopVideo(ClientPtr client) + { + REQUEST(xvStopVideoReq); ++ REQUEST_SIZE_MATCH(xvStopVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1321,6 +1335,7 @@ static int + SProcXvSetPortAttribute(ClientPtr client) + { + REQUEST(xvSetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->attribute); +@@ -1332,6 +1347,7 @@ static int + SProcXvGetPortAttribute(ClientPtr client) + { + REQUEST(xvGetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->attribute); +@@ -1342,6 +1358,7 @@ static int + SProcXvQueryBestSize(ClientPtr client) + { + REQUEST(xvQueryBestSizeReq); ++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swaps(&stuff->vid_w); +@@ -1355,6 +1372,7 @@ static int + SProcXvQueryPortAttributes(ClientPtr client) + { + REQUEST(xvQueryPortAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_QueryPortAttributes] (client); +@@ -1364,6 +1382,7 @@ static int + SProcXvQueryImageAttributes(ClientPtr client) + { + REQUEST(xvQueryImageAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->id); +@@ -1376,6 +1395,7 @@ static int + SProcXvListImageFormats(ClientPtr client) + { + REQUEST(xvListImageFormatsReq); ++ REQUEST_SIZE_MATCH(xvListImageFormatsReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_ListImageFormats] (client); +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 new file mode 100644 index 000000000000..a2ae0541e95e --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 @@ -0,0 +1,30 @@ +From b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 Mon Sep 17 00:00:00 2001 +From: Julien Cristau <jcristau@debian.org> +Date: Tue, 28 Oct 2014 10:30:04 +0100 +Subject: [PATCH 13/40] render: check request size before reading it + [CVE-2014-8100 1/2] + +Otherwise we may be reading outside of the client request. + +Signed-off-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + render/render.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- render/render.c.orig 2014-12-10 16:06:01.737046585 +0100 ++++ render/render.c 2014-12-10 16:07:49.285040265 +0100 +@@ -271,10 +271,11 @@ + + REQUEST(xRenderQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); ++ + pRenderClient->major_version = stuff->majorVersion; + pRenderClient->minor_version = stuff->minorVersion; + +- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + memset(&rep, 0, sizeof(xRenderQueryVersionReply)); + rep.type = X_Reply; + rep.length = 0; diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 new file mode 100644 index 000000000000..e4d6503b87de --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 @@ -0,0 +1,140 @@ +From 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 26 Jan 2014 19:51:29 -0800 +Subject: [PATCH 14/40] render: unvalidated lengths in Render extn. swapped + procs [CVE-2014-8100 2/2] + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + render/render.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/render/render.c b/render/render.c +index 200e0c8..723f380 100644 +--- render/render.c ++++ render/render.c +@@ -1995,7 +1995,7 @@ static int + SProcRenderQueryVersion(ClientPtr client) + { + REQUEST(xRenderQueryVersionReq); +- ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + swaps(&stuff->length); + swapl(&stuff->majorVersion); + swapl(&stuff->minorVersion); +@@ -2006,6 +2006,7 @@ static int + SProcRenderQueryPictFormats(ClientPtr client) + { + REQUEST(xRenderQueryPictFormatsReq); ++ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); + swaps(&stuff->length); + return (*ProcRenderVector[stuff->renderReqType]) (client); + } +@@ -2014,6 +2015,7 @@ static int + SProcRenderQueryPictIndexValues(ClientPtr client) + { + REQUEST(xRenderQueryPictIndexValuesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); + swaps(&stuff->length); + swapl(&stuff->format); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2029,6 +2031,7 @@ static int + SProcRenderCreatePicture(ClientPtr client) + { + REQUEST(xRenderCreatePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); + swaps(&stuff->length); + swapl(&stuff->pid); + swapl(&stuff->drawable); +@@ -2042,6 +2045,7 @@ static int + SProcRenderChangePicture(ClientPtr client) + { + REQUEST(xRenderChangePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); + swaps(&stuff->length); + swapl(&stuff->picture); + swapl(&stuff->mask); +@@ -2053,6 +2057,7 @@ static int + SProcRenderSetPictureClipRectangles(ClientPtr client) + { + REQUEST(xRenderSetPictureClipRectanglesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); + swaps(&stuff->length); + swapl(&stuff->picture); + swaps(&stuff->xOrigin); +@@ -2065,6 +2070,7 @@ static int + SProcRenderFreePicture(ClientPtr client) + { + REQUEST(xRenderFreePictureReq); ++ REQUEST_SIZE_MATCH(xRenderFreePictureReq); + swaps(&stuff->length); + swapl(&stuff->picture); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2074,6 +2080,7 @@ static int + SProcRenderComposite(ClientPtr client) + { + REQUEST(xRenderCompositeReq); ++ REQUEST_SIZE_MATCH(xRenderCompositeReq); + swaps(&stuff->length); + swapl(&stuff->src); + swapl(&stuff->mask); +@@ -2093,6 +2100,7 @@ static int + SProcRenderScale(ClientPtr client) + { + REQUEST(xRenderScaleReq); ++ REQUEST_SIZE_MATCH(xRenderScaleReq); + swaps(&stuff->length); + swapl(&stuff->src); + swapl(&stuff->dst); +@@ -2193,6 +2201,7 @@ static int + SProcRenderCreateGlyphSet(ClientPtr client) + { + REQUEST(xRenderCreateGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->gsid); + swapl(&stuff->format); +@@ -2203,6 +2212,7 @@ static int + SProcRenderReferenceGlyphSet(ClientPtr client) + { + REQUEST(xRenderReferenceGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->gsid); + swapl(&stuff->existing); +@@ -2213,6 +2223,7 @@ static int + SProcRenderFreeGlyphSet(ClientPtr client) + { + REQUEST(xRenderFreeGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) + xGlyphInfo *gi; + + REQUEST(xRenderAddGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + swapl(&stuff->nglyphs); +@@ -2261,6 +2273,7 @@ static int + SProcRenderFreeGlyphs(ClientPtr client) + { + REQUEST(xRenderFreeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + SwapRestL(stuff); +@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client) + int size; + + REQUEST(xRenderCompositeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); + + switch (stuff->renderReqType) { + default: +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8101 b/x11-servers/xorg-server/files/patch-CVE-2014-8101 new file mode 100644 index 000000000000..d7fcb8d30a6e --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8101 @@ -0,0 +1,51 @@ +From 3df2fcf12499ebdb26b9b67419ea485a42041f33 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 26 Jan 2014 19:38:09 -0800 +Subject: [PATCH 12/40] randr: unvalidated lengths in RandR extension swapped + procs [CVE-2014-8101] + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + randr/rrsdispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c +index 08c3b6a..47558cf 100644 +--- randr/rrsdispatch.c ++++ randr/rrsdispatch.c +@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) + { + REQUEST(xRRQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRRQueryVersionReq); + swaps(&stuff->length); + swapl(&stuff->majorVersion); + swapl(&stuff->minorVersion); +@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) + { + REQUEST(xRRGetScreenInfoReq); + ++ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); + swaps(&stuff->length); + swapl(&stuff->window); + return (*ProcRandrVector[stuff->randrReqType]) (client); +@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) + { + REQUEST(xRRSelectInputReq); + ++ REQUEST_SIZE_MATCH(xRRSelectInputReq); + swaps(&stuff->length); + swapl(&stuff->window); + swaps(&stuff->enable); +@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client) + { + REQUEST(xRRConfigureOutputPropertyReq); + ++ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); + swaps(&stuff->length); + swapl(&stuff->output); + swapl(&stuff->property); +-- +2.1.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8102 b/x11-servers/xorg-server/files/patch-CVE-2014-8102 new file mode 100644 index 000000000000..46f4ead5312d --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8102 @@ -0,0 +1,27 @@ +From a0ece23a8bd300c8be10812d368dc8058c97c63e Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 26 Jan 2014 20:02:20 -0800 +Subject: [PATCH 15/40] xfixes: unvalidated length in + SProcXFixesSelectSelectionInput [CVE-2014-8102] + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xfixes/select.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xfixes/select.c b/xfixes/select.c +index c088ed3..e964d58 100644 +--- xfixes/select.c ++++ xfixes/select.c +@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client) + { + REQUEST(xXFixesSelectSelectionInputReq); + ++ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); + swaps(&stuff->length); + swapl(&stuff->window); + swapl(&stuff->selection); +-- +2.1.2 + |