scorpionit / rpms / xorg-x11-server

Forked from rpms/xorg-x11-server 4 years ago
Clone
Source Code
GIT

Files

ajax/upstream f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f7 f8 f9 master olpc2 olpc3 private-1_2-branch private-unbreak-domain-branch
  1.   f20
  2.   0021-glx-Fix-image-size-computation-for-EXT_texture_integ.patch
Blob Blame History Raw 
From bf0ab1bee4d590fbfaa2fd4e56857b019898e21a Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:39 -0500
Subject: [PATCH 21/31] glx: Fix image size computation for EXT_texture_integer
 [CVE-2014-8098 1/8]

Without this we'd reject the request with BadLength.  Note that some old
versions of Mesa had a bug in the same place, and would _send_ zero
bytes of image data; these will now be rejected, correctly.

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
 glx/rensize.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/glx/rensize.c b/glx/rensize.c
index bcc3a53..10f76bc 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         case GL_ALPHA:
         case GL_LUMINANCE:
         case GL_INTENSITY:
+        case GL_RED_INTEGER_EXT:
+        case GL_GREEN_INTEGER_EXT:
+        case GL_BLUE_INTEGER_EXT:
+        case GL_ALPHA_INTEGER_EXT:
+        case GL_LUMINANCE_INTEGER_EXT:
             elementsPerGroup = 1;
             break;
         case GL_422_EXT:
@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         case GL_DEPTH_STENCIL_MESA:
         case GL_YCBCR_MESA:
         case GL_LUMINANCE_ALPHA:
+        case GL_LUMINANCE_ALPHA_INTEGER_EXT:
             elementsPerGroup = 2;
             break;
         case GL_RGB:
         case GL_BGR:
+        case GL_RGB_INTEGER_EXT:
+        case GL_BGR_INTEGER_EXT:
             elementsPerGroup = 3;
             break;
         case GL_RGBA:
         case GL_BGRA:
+        case GL_RGBA_INTEGER_EXT:
+        case GL_BGRA_INTEGER_EXT:
         case GL_ABGR_EXT:
             elementsPerGroup = 4;
             break;
-- 
1.9.3
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.