mesa: Changes to 'debian-unstable'
debian/changelog | 6 ++++++
src/mesa/main/uniform_query.cpp | 26 +++++++++++++-------------
2 files changed, 19 insertions(+), 13 deletions(-)
New commits:
commit 85ac297d43e4e0172f6ef8d59c05f4b02da68e9c
Author: Julien Cristau <jcristau@debian.org>
Date: Thu Dec 6 11:20:02 2012 +0100
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index 1b3b36f..e5aba72 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-3) unstable; urgency=high
+
+ * mesa: add bounds checking for uniform array access (CVE-2012-5129).
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 06 Dec 2012 10:20:40 +0100
+
mesa (8.0.5-2) unstable; urgency=low
* Fix regression in 8.0.5 (spurious GL_INVALID_ENUM errors):
commit a2ecfd6abf0073b2a48ead01ee3490d6a0b04744
Author: Frank Henigman <fjhenigman@google.com>
Date: Fri Nov 2 16:12:50 2012 -0400
mesa: add bounds checking for uniform array access
validate_uniform_parameters now checks that the array index is
valid. This means if an index is out of bounds, glGetUniform* now
fails with GL_INVALID_OPERATION, as it should.
_mesa_uniform and _mesa_uniform_matrix also call
validate_uniform_parameters so the bounds checks there became
redundant and were removed.
The test in glGetUniformLocation is modified to check array bounds
so it now returns GL_INVALID_INDEX (-1) if you ask for the location
of a non-existent array element, as it should.
diff --git a/src/mesa/main/uniform_query.cpp b/src/mesa/main/uniform_query.cpp
index 9fa2211..a24cb0a 100644
--- a/src/mesa/main/uniform_query.cpp
+++ b/src/mesa/main/uniform_query.cpp
@@ -164,11 +164,14 @@ validate_uniform_parameters(struct gl_context *ctx,
return false;
}
- /* This case should be impossible. The implication is that a call like
- * glGetUniformLocation(prog, "foo[8]") was successful but "foo" is not an
- * array.
+ /* If the uniform is an array, check that array_index is in bounds.
+ * If not an array, check that array_index is zero.
+ * array_index is unsigned so no need to check for less than zero.
*/
- if (*array_index != 0 && shProg->UniformStorage[*loc].array_elements == 0) {
+ unsigned limit = shProg->UniformStorage[*loc].array_elements;
+ if (limit == 0)
+ limit = 1;
+ if (*array_index >= limit) {
_mesa_error(ctx, GL_INVALID_OPERATION, "%s(location=%d)",
caller, location);
return false;
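Review bot: The `*array_index >= limit` check added here is now the only thing keeping the unsigned subtraction `uni->array_elements - offset` in `_mesa_uniform` and `_mesa_uniform_matrix` from wrapping, because the two later hunks delete their local `offset >= uni->array_elements` guards. That dependency is not recorded at either end. I would add a line to the new comment such as `Callers subtract the index from array_elements afterwards and rely on this check to keep that from wrapping.` and keep a cheap `assert(offset < uni->array_elements);` before the `MIN2` in both callers, assuming `offset` there is the index validated here. The error string still prints only `location`, so an out-of-range index cannot be told apart from a bad location in logs; including the index would help triage. validate_uniform_parameters starts and ends outside the hunk.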
@@ -655,9 +658,6 @@ _mesa_uniform(struct gl_context *ctx, struct gl_shader_program *shProg,
* will have already generated an error.
*/
if (uni->array_elements != 0) {
- if (offset >= uni->array_elements)
- return;
-
count = MIN2(count, (int) (uni->array_elements - offset));
}
@@ -801,9 +801,6 @@ _mesa_uniform_matrix(struct gl_context *ctx, struct gl_shader_program *shProg,
* will have already generated an error.
*/
if (uni->array_elements != 0) {
- if (offset >= uni->array_elements)
- return;
-
count = MIN2(count, (int) (uni->array_elements - offset));
}
@@ -933,10 +930,13 @@ _mesa_get_uniform_location(struct gl_context *ctx,
if (!found)
return -1;
- /* Since array_elements is 0 for non-arrays, this causes look-ups of 'a[0]'
- * to (correctly) fail if 'a' is not an array.
+ /* If the uniform is an array, fail if the index is out of bounds.
+ * (A negative index is caught above.) This also fails if the uniform
+ * is not an array, but the user is trying to index it, because
+ * array_elements is zero and offset >= 0.
*/
- if (array_lookup && shProg->UniformStorage[location].array_elements == 0) {
+ if (array_lookup
+ && offset >= shProg->UniformStorage[location].array_elements) {
return -1;
}
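Review bot: The new test `offset >= shProg->UniformStorage[location].array_elements` mixes two operands whose declarations are outside the hunk. `array_elements` is stored into an `unsigned` in validate_uniform_parameters, and if `offset` is a signed type the comparison is only correct because of the negative-index check that the comment says sits above. I would make the bounds check self-contained, for example `&& (offset < 0 || (unsigned long) offset >= shProg->UniformStorage[location].array_elements)`, so that a later change to the earlier check cannot quietly reopen the out-of-bounds case. The function starts and ends outside the hunk, so the type of `offset` should be confirmed before applying this.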