debian/changelog | 6 ++++++ src/mesa/main/uniform_query.cpp | 26 +++++++++++++------------- 2 files changed, 19 insertions(+), 13 deletions(-)
New commits:
commit 85ac297d43e4e0172f6ef8d59c05f4b02da68e9c
Author: Julien Cristau <[email protected]>
Date: Thu Dec 6 11:20:02 2012 +0100
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index 1b3b36f..e5aba72 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-3) unstable; urgency=high
+
+ * mesa: add bounds checking for uniform array access (CVE-2012-5129).
+
+ -- Julien Cristau <[email protected]> Thu, 06 Dec 2012 10:20:40 +0100
+
 mesa (8.0.5-2) unstable; urgency=low
 * Fix regression in 8.0.5 (spurious GL_INVALID_ENUM errors):
commit a2ecfd6abf0073b2a48ead01ee3490d6a0b04744
Author: Frank Henigman <[email protected]>
Date: Fri Nov 2 16:12:50 2012 -0400
mesa: add bounds checking for uniform array access
validate_uniform_parameters now checks that the array index is valid. This means if an index is out of bounds, glGetUniform* now fails with GL_INVALID_OPERATION, as it should.
_mesa_uniform and _mesa_uniform_matrix also call validate_uniform_parameters so the bounds checks there became redundant and were removed.
The test in glGetUniformLocation is modified to check array bounds so it now returns GL_INVALID_INDEX (-1) if you ask for the location of a non-existent array element, as it should.
diff --git a/src/mesa/main/uniform_query.cpp b/src/mesa/main/uniform_query.cpp
index 9fa2211..a24cb0a 100644
--- a/src/mesa/main/uniform_query.cpp
+++ b/src/mesa/main/uniform_query.cpp
@@ -164,11 +164,14 @@ validate_uniform_parameters(struct gl_context *ctx,
 return false;
 }
- /* This case should be impossible. The implication is that a call like
- * glGetUniformLocation(prog, "foo[8]") was successful but "foo" is not an
- * array.
+ /* If the uniform is an array, check that array_index is in bounds.
+ * If not an array, check that array_index is zero.
+ * array_index is unsigned so no need to check for less than zero.
 */
- if (*array_index != 0 && shProg->UniformStorage[*loc].array_elements == 0) {
+ unsigned limit = shProg->UniformStorage[*loc].array_elements;
+ if (limit == 0)
+ limit = 1;
+ if (*array_index >= limit) {
 _mesa_error(ctx, GL_INVALID_OPERATION, "%s(location=%d)", caller, location);
 return false;
@@ -655,9 +658,6 @@ _mesa_uniform(struct gl_context *ctx, struct gl_shader_program *shProg,
 * will have already generated an error.
 */
 if (uni->array_elements != 0) {
- if (offset >= uni->array_elements)
- return;
-
 count = MIN2(count, (int) (uni->array_elements - offset));
 }
@@ -801,9 +801,6 @@ _mesa_uniform_matrix(struct gl_context *ctx, struct gl_shader_program *shProg,
 * will have already generated an error.
 */
 if (uni->array_elements != 0) {
- if (offset >= uni->array_elements)
- return;
-
 count = MIN2(count, (int) (uni->array_elements - offset));
 }
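Review bot: The rejection added at `if (*array_index >= limit) {` reports only `location` in its `_mesa_error` message, so an application that now hits GL_INVALID_OPERATION cannot distinguish the out-of-range index from the other failure paths in this function that use the same `"%s(location=%d)"` text. Including the index and the limit, `_mesa_error(ctx, GL_INVALID_OPERATION, "%s(location=%d, index=%u >= %u)", caller, location, *array_index, limit);` (`%u` assuming `array_index` is `unsigned` as the new comment states), makes the bounds failure diagnosable from the error log at no cost. The `limit == 0` to `1` normalisation is what implements the "not an array, so only index zero is valid" rule the comment describes; spelling that out on the `limit = 1;` line, e.g. `/* non-array uniform: only element 0 exists */`, saves the next reader a round trip to the comment. validate_uniform_parameters begins before and ends after this hunk.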
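Review bot: Dropping `if (offset >= uni->array_elements) return;` leaves the `count` clamp correct only while every caller reaches this point through validate_uniform_parameters with the same `offset`, and the comment above the branch (` * will have already generated an error.`) does not name that function; making the dependency visible, e.g. ` * validate_uniform_parameters has already rejected an out-of-range offset,`, keeps a future refactor from silently breaking the bound. The `if (uni->array_elements != 0)` branch also still leaves `count` unclamped for a non-array uniform; if a `count > 1` on a non-array is not rejected before the per-element copy that presumably follows (outside this hunk), the copy could run past the single element, so a local guard such as `if (uni->array_elements == 0 && count > 1) { /* GL_INVALID_OPERATION */ return; }` together with its `_mesa_error` call would make the invariant hold here regardless of the caller. The same applies to the identical hunk in _mesa_uniform_matrix. Both functions start before and end after their hunks.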
@@ -933,10 +930,13 @@ _mesa_get_uniform_location(struct gl_context *ctx,
 if (!found)
 return -1;
- /* Since array_elements is 0 for non-arrays, this causes look-ups of 'a[0]'
- * to (correctly) fail if 'a' is not an array.
+ /* If the uniform is an array, fail if the index is out of bounds.
+ * (A negative index is caught above.) This also fails if the uniform
+ * is not an array, but the user is trying to index it, because
+ * array_elements is zero and offset >= 0.
 */
- if (array_lookup && shProg->UniformStorage[location].array_elements == 0) {
+ if (array_lookup
+ && offset >= shProg->UniformStorage[location].array_elements) {
 return -1;
 }
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
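Review bot: The new comparison `offset >= shProg->UniformStorage[location].array_elements` compares `offset` against an unsigned `array_elements`; if `offset` is a signed type, as the comment's remark about negative indices suggests, a negative value is converted to a large unsigned one and rejected by accident of the promotion rather than by design. The rejection of negatives that the comment refers to happens above this hunk, so the check should not depend on the conversion: add `assert(offset >= 0);` before the `if`, or compare `(unsigned) offset` and say so in the comment. _mesa_get_uniform_location begins before this hunk.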

