pool/Mesa
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
factory
Mesa/u_mesa-CVE-2023-45919.patch
Stefan Dirsch a3f4315d0b Accepting request 1225797 from home:darix:playground 
- Update to release 24.3.0
  --> https://docs.mesa3d.org/relnotes/24.3.0

- Update to release 24.3.0~rc2
  https://www.phoronix.com/news/Mesa-24.3-rc2
- Update to release 24.3.0~rc1
  https://www.phoronix.com/news/Mesa-24.3-rc1-Released
- refreshed patches:
  n_drirc-disable-rgb10-for-chromium-on-amd.patch
  python36-buildfix1.patch
  python36-buildfix2.patch
  tlsdesc_test.patch
  u_mesa-CVE-2023-45913.patch
  u_mesa-CVE-2023-45919.patch
  u_mesa-CVE-2023-45922.patch
- drop patches
  0001-dril-Fixup-order-of-pixel-formats-in-drilConfigs.patch
  u_dep_xcb.patch
- drop no longer supported options:
  -Ddri3=enabled
  -Ddri-search-path=%{_libdir}/dri
- new files added in this update currently packaged as part of
  Mesa-dri:
  %{_libdir}/gbm/dri_gbm.so

OBS-URL: https://build.opensuse.org/request/show/1225797
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/Mesa?expand=0&rev=1345
2024-11-22 12:58:55 +00:00

34 lines
1.3 KiB
Diff
Raw Permalink Blame History

src/glx/glx_query.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: mesa-24.3.0-rc1/src/glx/glx_query.c
===================================================================
--- mesa-24.3.0-rc1.orig/src/glx/glx_query.c
+++ mesa-24.3.0-rc1/src/glx/glx_query.c
@@ -56,6 +56,13 @@ __glXQueryServerString(Display * dpy, CA
/* The spec doesn't mention this, but the Xorg server replies with
* a string already terminated with '\0'. */
uint32_t len = xcb_glx_query_server_string_string_length(reply);
+ /* Allow a max of 64kb string length */
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
char *buf = malloc(len);
memcpy(buf, xcb_glx_query_server_string_string(reply), len);
free(reply);
@@ -83,6 +90,12 @@ __glXGetString(Display * dpy, CARD32 con
/* The spec doesn't mention this, but the Xorg server replies with
* a string already terminated with '\0'. */
uint32_t len = xcb_glx_get_string_string_length(reply);
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
char *buf = malloc(len);
memcpy(buf, xcb_glx_get_string_string(reply), len);
free(reply);
Reference in New Issue View Git Blame Copy Permalink