~ubuntu-branches/ubuntu/raring/mesa/raring-proposed

Viewing changes to debian/patches/CVE-2013-1872.patch

Committer: Package Import Robot
Author(s): Maarten Lankhorst
Date: 2013-06-24 13:44:48 UTC
mfrom: (183.2.1 raring-security)
Revision ID: package-import@ubuntu.com-20130624134448-42t32k68t0h3sx6m

Tags: 9.1.3-0ubuntu0.4

* Added patches to add/fix Haswell pci-id's (LP: #1175533)
  - add-vlv-ids.diff
  - fix-hsw-gt3-names.diff
  - fix-missing-gt3-id.diff
  - add-more-reserved-hsw-ids.diff

files added:
debian/patches/CVE-2013-1872.patch

debian/patches/CVE-2013-1993.patch

debian/patches/add-more-reserved-hsw-ids.diff

debian/patches/add-vlv-ids.diff

debian/patches/fix-hsw-gt3-names.diff

debian/patches/fix-missing-gt3-id.diff

files modified:
debian/changelog

debian/patches/series

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2013-1872.patch

Description: fix denial of service and possible code execution via

out-of-bands access

Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit/?id=0677ea063cd96adefe87c1fb01ef7c66d905535b

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59429

Index: mesa-9.1.3/src/mesa/drivers/dri/i965/brw_fs.cpp

===================================================================

--- mesa-9.1.3.orig/src/mesa/drivers/dri/i965/brw_fs.cpp 2013-06-18 13:53:12.200524978 -0400

+++ mesa-9.1.3/src/mesa/drivers/dri/i965/brw_fs.cpp 2013-06-18 13:53:12.196524978 -0400

@@ -786,6 +786,7 @@

import_uniforms_callback,

variable_ht);

this->params_remap = v->params_remap;

+ this->nr_params_remap = v->nr_params_remap;

}

/* Our support for uniforms is piggy-backed on the struct

@@ -1458,6 +1459,7 @@

{

if (dispatch_width == 8) {

this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);

+ this->nr_params_remap = c->prog_data.nr_params;

for (unsigned int i = 0; i < c->prog_data.nr_params; i++)

this->params_remap[i] = -1;

@@ -1472,7 +1474,14 @@

if (inst->src[i].file != UNIFORM)

continue;

- assert(constant_nr < (int)c->prog_data.nr_params);

+ /* Section 5.11 of the OpenGL 4.3 spec says:

+ *

+ * "Out-of-bounds reads return undefined values, which include

+ * values from other variables of the active program or zero."

+ */

+ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {

+ constant_nr = 0;

+ }

/* For now, set this to non-negative. We'll give it the

* actual new number in a moment, in order to keep the

@@ -1520,6 +1529,10 @@

if (inst->src[i].file != UNIFORM)

continue;

+ /* as above alias to 0 */

+ if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {

+ constant_nr = 0;

+ }

assert(this->params_remap[constant_nr] != -1);

inst->src[i].reg = this->params_remap[constant_nr];

inst->src[i].reg_offset = 0;

Index: mesa-9.1.3/src/mesa/drivers/dri/i965/brw_fs.h

===================================================================

--- mesa-9.1.3.orig/src/mesa/drivers/dri/i965/brw_fs.h 2013-06-18 13:53:12.200524978 -0400

+++ mesa-9.1.3/src/mesa/drivers/dri/i965/brw_fs.h 2013-06-18 13:53:12.196524978 -0400

@@ -431,6 +431,7 @@

* uniform index.

int *params_remap;

+ int nr_params_remap;

struct hash_table *variable_ht;

fs_reg frag_depth;

Index: mesa-9.1.3/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp

===================================================================

--- mesa-9.1.3.orig/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp 2013-06-18 13:53:12.200524978 -0400

+++ mesa-9.1.3/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp 2013-06-18 13:53:12.196524978 -0400

@@ -2273,6 +2273,9 @@

this->virtual_grf_use = NULL;

this->live_intervals_valid = false;

+ this->params_remap = NULL;

+ this->nr_params_remap = 0;

this->force_uncompressed_stack = 0;

this->force_sechalf_stack = 0;

}

Older »