[X2Go-Commits] [nx-libs] 46/52: glx: Add safe_{add, mul, pad} (v3) [CVE-2014-8093 4/6] (v4)

git-admin at x2go.org
Sat Feb 14 17:47:17 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit 1a9f23118787be611b6db51e4eac864c43c702d9
Author: Adam Jackson <ajax at redhat.com>
Date:   Mon Nov 10 12:13:40 2014 -0500

    glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] (v4)
    
    These are paranoid about integer overflow, and will return -1 if their
    operation would overflow a (signed) integer or if either argument is
    negative.
    
    Note that RenderLarge requests are sized with a uint32_t so in principle
    this could be sketchy there, but dix limits bigreqs to 128M so you
    shouldn't ever notice, and honestly if you're sending more than 2G of
    rendering commands you're already doing something very wrong.
    
    v2: Use INT_MAX for consistency with the rest of the server (jcristau)
    v3: Reject negative arguments (anholt)
    
    v4: RHEL5: add limits.h, use inline
    
    v5: backport to nx-libs 3.6.x (Mike DePaulo)
    
    Reviewed-by: Keith Packard <keithp at keithp.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Reviewed-by: Michal Srb <msrb at suse.com>
    Reviewed-by: Andy Ritger <aritger at nvidia.com>
    Signed-off-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
    Signed-off-by: Dave Airlie <airlied at redhat.com>
---
 nx-X11/programs/Xserver/GL/glx/glxserver.h |   41 ++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
index e8449b2..4047574 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
+++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
@@ -54,6 +54,7 @@
 #include "GL/glx_ansic.h"
 
 
+#include <limits.h>
 /*
 ** The X header misc.h defines these math functions.
 */
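Review bot: The `#include <limits.h>` sits two blank lines below `#include "GL/glx_ansic.h"` and directly on top of the "The X header misc.h defines these math functions" comment, so it reads as part of that comment's block rather than as one of the includes. Move it up next to the other includes and leave a blank line before the comment. A short trailing note that it is there for `INT_MAX` would also help, since nothing else in this hunk shows why the header is needed.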
@@ -223,6 +224,46 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
 /*
  * Routines for computing the size of variably-sized rendering commands.
  */
+static __inline__ int
+safe_add(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (INT_MAX - a < b)
+        return -1;
+
+    return a + b;
+}
+
+static __inline__ int
+safe_mul(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (a == 0 || b == 0)
+        return 0;
+
+    if (a > INT_MAX / b)
+        return -1;
+
+   return a * b;
+}
+
+static __inline__ int
+safe_pad(int a)
+{
+    int ret;
+
+    if (a < 0)
+        return -1;
+
+    if ((ret = safe_add(a, 3)) < 0)
+        return -1;
+
+    return ret & (GLuint)~3;
+}
 
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type,
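Review bot: The three helpers are added under the existing "Routines for computing the size of variably-sized rendering commands" comment with no comment of their own, so the contract callers depend on (a return of -1 means overflow or a negative argument, and the result has to be tested with `< 0` before it is used as a length) is recorded only in the commit message. Add a short comment above `safe_add` stating it. In `safe_pad`, the `a < 0` test is redundant because `safe_add(a, 3)` already rejects a negative `a`. Also in `safe_pad`, `ret & (GLuint)~3` makes the expression unsigned before it is converted back to `int` on return; `ret` is known to be non-negative at that point, so `ret & ~3` yields the same value without the mixed-sign step. The `return a * b;` line in `safe_mul` is indented three spaces where the rest of the hunk uses four.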

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git

