xserver: Branch 'server-1.8-branch' - 9 commits

Julien Cristau jcristau at kemper.freedesktop.org
Sat Oct 29 11:54:04 PDT 2011


 glx/glxcmds.c     |  186 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 glx/glxcmdsswap.c |  171 ++++++++++++++++++++++++++++++++++++++++++++++---
 glx/xfont.c       |    2 
 os/utils.c        |    4 -
 4 files changed, 341 insertions(+), 22 deletions(-)

New commits:
commit 630e4c93865ab892eec09d475d22596bbd8bd6fc
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Mon Oct 17 22:27:35 2011 +0200

    Fix CVE-2011-4029: File permission change vulnerability.
    
    Use fchmod() to change permissions of the lock file instead
    of chmod(), thus avoiding the race that can be exploited to set
    a symbolic link to any file or directory in the system.
    
    Signed-off-by: Matthieu Herrb <matthieu.herrb at laas.fr>
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    (cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4)

diff --git a/os/utils.c b/os/utils.c
index 3b6c7cd..917b34f 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -315,7 +315,7 @@ LockServer(void)
     FatalError("Could not create lock file in %s\n", tmp);
   (void) sprintf(pid_str, "%10ld\n", (long)getpid());
   (void) write(lfd, pid_str, 11);
-  (void) chmod(tmp, 0444);
+  (void) fchmod(lfd, 0444);
   (void) close(lfd);
 
   /*
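Review bot: The return value of fchmod() on the new line is discarded, as is the return value of write() two lines above it, so a failed permission change or a short write leaves the lock file in an unintended state with no diagnostic. FatalError is already the failure path in this function (first line of the hunk), so the call could become `if (fchmod(lfd, 0444) < 0) FatalError("Could not set permissions on lock file in %s\n", tmp);`, and the write() result deserves the same treatment. LockServer begins and continues outside this hunk.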
commit 4185af737d7ae9aeb90893ef93343f4672f3222c
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Mon Oct 17 22:26:12 2011 +0200

    Fix CVE-2011-4028: File disclosure vulnerability.
    
    Use O_NOFOLLOW to open the existing lock file, so symbolic links
    aren't followed, thus avoiding revealing whether the link points to an
    existing file.
    
    Signed-off-by: Matthieu Herrb <matthieu.herrb at laas.fr>
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    (cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34)

diff --git a/os/utils.c b/os/utils.c
index 13d3b3f..3b6c7cd 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -336,7 +336,7 @@ LockServer(void)
       /*
        * Read the pid from the existing file
        */
-      lfd = open(LockFile, O_RDONLY);
+      lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
       if (lfd < 0) {
         unlink(tmp);
         FatalError("Can't read lock file %s\n", LockFile);
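Review bot: With O_NOFOLLOW the open() on the changed line also fails with ELOOP when the lock file is a symbolic link, but the FatalError on the last line still says only "Can't read lock file", so an administrator cannot distinguish a rejected link from a missing or unreadable file. Saving errno before the unlink(tmp) call (which may clobber it) and adding it to the message, e.g. `int saved_errno = errno;` before `unlink(tmp);` and `FatalError("Can't read lock file %s: %s\n", LockFile, strerror(saved_errno));`, would make the rejection visible in the log; this presumes <errno.h> and <string.h> are available in this file, which the hunk does not show. LockServer begins and continues outside this hunk.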
commit d7ca4b7139ef05bf6562341bea75c58249b8586d
Author: Julien Cristau <jcristau at debian.org>
Date:   Sun Jan 23 13:35:54 2011 +0100

    glx: Work around wrong request lengths sent by mesa
    
    mesa used to send too long requests for GLXDestroyPixmap,
    GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
    and GLXGetFBConfigsSGIX.
    
    Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
    X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>
    
    Reported-by: xunx.fang at intel.com
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index f05e14d..2b5f0df 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1126,7 +1126,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
-    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+    /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
@@ -1350,7 +1351,9 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+    /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+     * length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
 
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
@@ -1492,7 +1495,13 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 	client->errorValue = req->numAttribs;
 	return BadValue;
     }
+#if 0
+    /* mesa sends an additional 8 bytes */
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	    return BadLength;
+#endif
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
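Review bot: The replacement check `if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) return BadLength;` looks inverted: it returns BadLength when the request is longer than the computed size and accepts one that is shorter. That is the opposite of what the "mesa sends an additional 8 bytes" comment describes, since a request two words longer than expected would still be refused, and a request shorter than the computed size goes on to DoChangeDrawableAttributes with req->numAttribs and a pointer just past the header (last two lines of the hunk). If the intent is an at-least check that tolerates the extra bytes, the comparison should read `> client->req_len`. The same construct appears in the glxcmdsswap.c hunk for __glXDispSwap_ChangeDrawableAttributes in this commit; the function's opening is outside this hunk.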
@@ -1555,7 +1564,8 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+    /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
 
     return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
 }
@@ -1864,7 +1874,8 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
 
-    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+    /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
 
     return DoGetDrawableAttributes(cl, req->drawable);
 }
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index c200244..5947e64 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -280,7 +280,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
 
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -369,7 +369,7 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
 
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
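Review bot: The size check added here is against xGLXDestroyGLXPixmapReq, while the non-swapped __glXDisp_DestroyPixmap this function forwards to checks xGLXDestroyPixmapReq; if the two structs differ in size, the swap path and the handler would disagree on what a valid request is. They are presumably the same layout, but using `REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);` and the matching cast on the first line of the hunk would remove the need to verify that. The function's opening is outside this hunk.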
@@ -477,7 +477,9 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 	client->errorValue = req->numAttribs;
 	return BadValue;
     }
-    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	return BadLength;
+
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
@@ -543,7 +545,7 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
 
     __GLX_SWAP_INT(&req->glxwindow);
 
@@ -743,7 +745,7 @@ int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
 
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
commit e79160d403b7dd84be97ce1e851216cecb7efdac
Author: Julien Cristau <jcristau at debian.org>
Date:   Wed Jan 26 13:06:53 2011 +0100

    glx: fix BindTexImageEXT length check
    
    The request is followed by a list of attributes.
    
    X.Org bug#33449
    
    Reported-and-tested-by: meng <mengmeng.meng at intel.com>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 46a77a9..f05e14d 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1689,13 +1689,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     GLXDrawable		 drawId;
     int			 buffer;
     int			 error;
+    CARD32		 num_attribs;
 
-    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
     buffer = *((INT32 *)  (pc + 4));
+    num_attribs = *((CARD32 *) (pc + 8));
+    if (num_attribs > (UINT32_MAX >> 3)) {
+	client->errorValue = num_attribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
 
     if (buffer != GLX_FRONT_LEFT_EXT)
 	return __glXError(GLXBadPixmap);
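Review bot: The literal 12 in the new length check and the 8 used to locate num_attribs encode the drawable/buffer/num_attribs layout that follows the vendor-private header, but nothing in the hunk says so, and the two-stage check (minimum size first, exact REQUEST_FIXED_SIZE once num_attribs is known) is easy to misread as redundant. A comment above the first check such as `/* 12 = drawable + buffer + num_attribs after the VendorPrivate header; the exact size is checked below once num_attribs is known */` would document both. The same 12 appears in the glxcmdsswap.c counterpart in this commit. The function's opening is outside this hunk.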
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 1155b23..c200244 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -649,19 +649,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
+    CARD32		 *num_attribs;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = ((GLXDrawable *) (pc));
     buffer = ((int *)	      (pc + 4));
+    num_attribs = ((CARD32 *) (pc + 8));
     
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(drawId);
     __GLX_SWAP_INT(buffer);
+    __GLX_SWAP_INT(num_attribs);
 
     return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
 }
commit a1074ca98d6e8e1959614b2d10af98b296669381
Author: Julien Cristau <jcristau at debian.org>
Date:   Sun Jan 23 17:05:26 2011 +0100

    glx: fix request length check for CreateGLXPbufferSGIX
    
    The request is followed by an attribute list.
    
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 25f1060..46a77a9 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1430,7 +1430,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
 
     return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
 			   req->width, req->height, req->pbuffer);
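Review bot: Relaxing to REQUEST_AT_LEAST_SIZE is sound here only because the handler passes screen, fbconfig, width, height and pbuffer to DoCreatePbuffer and never reads the attribute list that follows the fixed header (last two lines of the hunk); that reasoning is not recorded, and elsewhere in this file the same relaxation marks a client-bug workaround. A comment such as `/* an attribute list follows the fixed header but is not consumed here, so only the fixed part is checked */` would keep a later change that starts consuming the attributes from missing the need for a REQUEST_FIXED_SIZE check. The same applies to the glxcmdsswap.c hunk in this commit.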
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index a0e0882..1155b23 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -422,7 +422,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
 
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
commit 835c09ce5f612ad003953e88939458abf5d93ee6
Author: Julien Cristau <jcristau at debian.org>
Date:   Wed Nov 10 22:39:54 2010 +0100

    glx: validate numAttribs field before using it
    
    Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
    Reviewed-by: Daniel Stone <daniel at fooishbar.org>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 9725a15..25f1060 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1277,6 +1277,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
 
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
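Review bot: The five-line numAttribs guard added here is repeated verbatim in the CreatePbuffer, ChangeDrawableAttributes, ChangeDrawableAttributesSGIX and CreateWindow hunks of this file and in five more hunks of glxcmdsswap.c; a small static inline helper that sets client->errorValue and reports whether `n` is within bounds, called as `if (!validNumAttribs(client, req->numAttribs)) return BadValue;`, would keep the bound in one place. The bound itself also deserves a why-comment, e.g. `/* largest value whose << 3 does not wrap a CARD32 */`, since `UINT32_MAX >> 3` is otherwise opaque. The function's opening is outside this hunk.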
@@ -1390,6 +1395,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
     CARD32			*attrs;
     int				 width, height, i;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
 
     attrs = (CARD32 *) (req + 1);
@@ -1477,6 +1487,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1489,6 +1504,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1504,6 +1524,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     DrawablePtr		 pDraw;
     int			 err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
 
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index cbd9b88..a0e0882 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -320,6 +320,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->glxpixmap);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -401,6 +405,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->pbuffer);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -465,6 +473,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -487,6 +499,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -510,6 +526,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->glxwindow);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
commit a02149cbad8f65a7bdd697213176732f105eaace
Author: Julien Cristau <jcristau at debian.org>
Date:   Sun Aug 22 16:20:45 2010 +0100

    glx: swap the request arrays entirely, not just half of them
    
    Various glx requests include a list of pairs of attributes.  We were
    only swapping the first half.
    
    Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
    Reviewed-by: Daniel Stone <daniel at fooishbar.org>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b)

diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index cca9843..cbd9b88 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -322,7 +322,7 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_CreatePixmap(cl, pc);
 }
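Review bot: The corrected `req->numAttribs << 1` is right only because each attribute is a (name, value) pair of CARD32, which is also why the size check two lines above uses `<< 3`; neither shift says so. A comment on the swap line such as `/* attribs are (name, value) pairs: two CARD32 per attribute */` would make the relationship between the two shifts explicit, and the same applies to the CreatePbuffer, ChangeDrawableAttributes, ChangeDrawableAttributesSGIX and CreateWindow hunks of this commit.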
@@ -403,7 +403,7 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_CreatePbuffer(cl, pc);
 }
@@ -467,7 +467,7 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_ChangeDrawableAttributes(cl, pc);
 }
@@ -489,7 +489,7 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
 
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc);
 }
@@ -512,7 +512,7 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_CreateWindow(cl, pc);
 }
commit 541f459a9e760f811ce896d098815f9a8157daa2
Author: Julien Cristau <jcristau at debian.org>
Date:   Sun Aug 22 00:50:05 2010 +0100

    glx: check request length before swapping
    
    Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
    Reviewed-by: Daniel Stone <daniel at fooishbar.org>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543)

diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index c414dc8..cca9843 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -61,9 +61,12 @@
 
 int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
     __GLX_SWAP_INT(&req->visual);
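Review bot: The new REQUEST_SIZE_MATCH is placed before `__GLX_SWAP_SHORT(&req->length)`, and nothing records why that order is safe. As far as I can tell the REQUEST_* macros compare against client->req_len, which the dispatcher derives from the header before the swap procedure runs, rather than against req->length, so the check is valid on the still-unswapped request; a comment at this first hunk such as `/* REQUEST_* macros use client->req_len (already host order), so this is safe before swapping */` would stop a later reader from "fixing" the order. The same ordering is used in every other hunk of this file section.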
@@ -75,9 +78,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -90,10 +96,13 @@ int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextWithConfigSGIXReq *req =
 	(xGLXCreateContextWithConfigSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -106,9 +115,12 @@ int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
 
@@ -117,9 +129,12 @@ int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->context);
@@ -130,9 +145,12 @@ int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->readdrawable);
@@ -144,9 +162,12 @@ int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->readable);
@@ -158,9 +179,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
 
@@ -169,9 +193,12 @@ int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->majorVersion);
     __GLX_SWAP_INT(&req->minorVersion);
@@ -181,9 +208,12 @@ int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
 
@@ -192,9 +222,12 @@ int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitXReq *req = (xGLXWaitXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
 
@@ -203,9 +236,12 @@ int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->source);
     __GLX_SWAP_INT(&req->dest);
@@ -216,36 +252,48 @@ int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetVisualConfigs(cl, pc);
 }
 
 int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
+
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigs(cl, pc);
 }
 
 int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigsSGIX(cl, pc);
 }
 
 int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->visual);
@@ -257,17 +305,22 @@ int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
     CARD32 *attribs;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->pixmap);
     __GLX_SWAP_INT(&req->glxpixmap);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
 
@@ -276,10 +329,13 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapWithConfigSGIXReq *req = 
 	(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -291,9 +347,12 @@ int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc
 
 int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
 
@@ -302,9 +361,12 @@ int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
 
@@ -313,9 +375,12 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
     __GLX_SWAP_INT(&req->context);
 
     return __glXDisp_QueryContext(cl, pc);
@@ -323,15 +388,20 @@ int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->pbuffer);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
 
@@ -340,9 +410,12 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->pbuffer);
@@ -354,9 +427,12 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
     __GLX_SWAP_INT(&req->pbuffer);
 
     return __glXDisp_DestroyPbuffer(cl, pc);
@@ -364,9 +440,12 @@ int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
     __GLX_SWAP_INT(&req->pbuffer);
 
     return __glXDisp_DestroyGLXPbufferSGIX(cl, pc);
@@ -374,14 +453,19 @@ int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
 
@@ -391,14 +475,19 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
 					       GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
 
@@ -407,16 +496,21 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
 
 int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateWindowReq *req = (xGLXCreateWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->window);
     __GLX_SWAP_INT(&req->glxwindow);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
 
@@ -425,9 +519,12 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+
     __GLX_SWAP_INT(&req->glxwindow);
 
     return __glXDisp_DestroyWindow(cl, pc);
@@ -435,9 +532,12 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(&req->drawable);
@@ -447,9 +547,12 @@ int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXUseXFontReq *req = (xGLXUseXFontReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(&req->font);
@@ -463,9 +566,12 @@ int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
 
@@ -474,9 +580,12 @@ int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->name);
@@ -486,9 +595,12 @@ int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXClientInfoReq *req = (xGLXClientInfoReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->major);
     __GLX_SWAP_INT(&req->minor);
@@ -499,9 +611,12 @@ int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
 
@@ -510,12 +625,14 @@ int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = ((GLXDrawable *) (pc));
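Review bot: The literal `8` on line 1023 encodes "one GLXDrawable plus one int" without saying so, and the reader has to pair it with the two pointer reads that follow to see that; the ReleaseTexImageEXT hunk (line 1039) repeats it and the CopySubBufferMESA hunk (line 1055) uses an equally bare `20`. Naming the payload makes the size checkable against the reads: `/* vendor-private payload: drawable + buffer */` above the check, or `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 2 * sizeof(CARD32));` if the fields really are two CARD32s as the unswapped handler's reads suggest. The rest of the function is outside this hunk.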
@@ -531,12 +648,14 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = ((GLXDrawable *) (pc));
@@ -552,12 +671,14 @@ int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
-
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
     (void) drawId;
     (void) buffer;
 
@@ -577,11 +698,13 @@ int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateWithReplyReq *req = (xGLXVendorPrivateWithReplyReq *)pc;
     CARD32 *data;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
     data = (CARD32 *) (req + 1);
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
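Review bot: REQUEST_SIZE_MATCH on line 1070 sizes the request as xGLXGetDrawableAttributesSGIXReq while `req` on line 1065 is cast to xGLXVendorPrivateWithReplyReq, so the length check and the pointer describe the same bytes through two different structs and the reader must verify that `(req + 1)` on line 1072 lands on the field the SGIX struct expects. Either cast `req` to xGLXGetDrawableAttributesSGIXReq so the check and the accesses agree, or add a comment above the check stating how the two layouts correspond. The remainder of the function is outside this hunk.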
@@ -592,10 +715,12 @@ int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
 
commit 036b157f9fd6edefd5eb38deda8363667c443e22
Author: Julien Cristau <jcristau at debian.org>
Date:   Sat Jul 3 19:47:55 2010 +0100

    glx: validate request lengths
    
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
    Reviewed-by: Daniel Stone <daniel at fooishbar.org>
    Signed-off-by: Julien Cristau <jcristau at debian.org>
    (cherry-picked from commit ec9c97c6bf70b523bc500bd3adf62176f1bb33a4)
    
    Conflicts:
    
    	glx/glxcmds.c

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 34829dd..9725a15 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -315,11 +315,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId,
 
 int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -331,11 +334,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -347,12 +353,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextWithConfigSGIXReq *req = 
 	(xGLXCreateContextWithConfigSGIXReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -363,10 +372,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 }
 int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
     __GLXcontext *glxc;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
     if (!validGlxContext(cl->client, req->context, DixDestroyAccess,
 			 &glxc, &err))
 	    return err;
@@ -679,24 +691,33 @@ DoMakeCurrent(__GLXclientState *cl,
 
 int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
     return DoMakeCurrent( cl, req->drawable, req->drawable,
 			  req->context, req->oldContextTag );
 }
 
 int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
     return DoMakeCurrent( cl, req->drawable, req->readdrawable,
 			  req->context, req->oldContextTag );
 }
 
 int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
     return DoMakeCurrent( cl, req->drawable, req->readable,
 			  req->context, req->oldContextTag );
 }
@@ -709,6 +730,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *glxc;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
     if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err))
 	return err;
 
@@ -733,6 +756,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
     xGLXQueryVersionReply reply;
     GLuint major, minor;
 
+    REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
     major = req->majorVersion;
     minor = req->minorVersion;
     (void)major;
@@ -759,11 +784,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc;
-    GLXContextTag tag = req->contextTag;
+    GLXContextTag tag;
     __GLXcontext *glxc = NULL;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
+    tag = req->contextTag;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc)
@@ -783,11 +812,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitXReq *req = (xGLXWaitXReq *)pc;
-    GLXContextTag tag = req->contextTag;
+    GLXContextTag tag;
     __GLXcontext *glxc = NULL;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
+    tag = req->contextTag;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc)
@@ -807,13 +840,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
-    GLXContextID source = req->source;
-    GLXContextID dest = req->dest;
-    GLXContextTag tag = req->contextTag;
-    unsigned long mask = req->mask;
+    GLXContextID source;
+    GLXContextID dest;
+    GLXContextTag tag;
+    unsigned long mask;
     __GLXcontext *src, *dst;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
+    source = req->source;
+    dest = req->dest;
+    tag = req->contextTag;
+    mask = req->mask;
     if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error))
 	return error;
     if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error))
@@ -896,6 +935,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -1075,13 +1116,17 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen)
 
 int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
 int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
@@ -1207,11 +1252,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID,
 
 int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -1223,11 +1271,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
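Review bot: `req->numAttribs << 3` on line 1331 wraps to a small value once numAttribs reaches 2^29, at which point REQUEST_FIXED_SIZE is comparing the request against a length the body does not have; the same expression appears in the CreatePbuffer, ChangeDrawableAttributes and CreateWindow hunks (lines 1383, 1429, 1441 and 1451). It matters on this side because the handlers then pass numAttribs unchanged as the attribute count (lines 1431-1432), so a wrapped size check means an over-read of the request buffer. A guard before each check closes it, e.g. `if (req->numAttribs >= (1u << 29)) return BadLength;`, or compute the count in a 64-bit type so the macro sees the true size; if REQUEST_FIXED_SIZE already rejects an oversized second argument (the macro is not on this page), a short comment at the first use should say so.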
@@ -1246,12 +1297,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapWithConfigSGIXReq *req = 
 	(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1278,15 +1332,21 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type)
 
 int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
 
 int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
 
@@ -1325,10 +1385,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
 
 int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePbufferReq	*req = (xGLXCreatePbufferReq *) pc;
     CARD32			*attrs;
     int				 width, height, i;
 
+    REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
+
     attrs = (CARD32 *) (req + 1);
     width = 0;
     height = 0;
@@ -1354,23 +1417,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+
     return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
 			   req->width, req->height, req->pbuffer);
 }
 
 int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
     return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
 }
 
 int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
     return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
 }
 
@@ -1401,18 +1473,24 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable,
 
 int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
 }
 
 int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
+
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
 }
@@ -1426,7 +1504,7 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     DrawablePtr		 pDraw;
     int			 err;
 
-    LEGAL_NEW_RESOURCE(req->glxwindow, client);
+    REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
 
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
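Review bot: Lines 1450-1451 replace `LEGAL_NEW_RESOURCE(req->glxwindow, client);` with the length check rather than adding the check beside it, so unless the XID validation survives elsewhere in __glXDisp_CreateWindow (whose start and end are outside this hunk) the new code no longer rejects a glxwindow ID outside the client's range or already in use before the drawable is created. The length check belongs before the XID check, not in its place: `REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);` followed by `LEGAL_NEW_RESOURCE(req->glxwindow, client);`.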
@@ -1449,8 +1527,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+
     return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
 }
 
@@ -1466,12 +1547,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
-    GLXContextTag tag = req->contextTag;
-    XID drawId = req->drawable;
+    GLXContextTag tag;
+    XID drawId;
     __GLXcontext *glxc = NULL;
     __GLXdrawable *pGlxDraw;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
+    tag = req->contextTag;
+    drawId = req->drawable;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc) {
@@ -1552,15 +1637,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId)
 
 int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
     return DoQueryContext(cl, req->context);
 }
 
 int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
     return DoQueryContext(cl, req->context);
 }
 
@@ -1574,6 +1665,8 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     int			 buffer;
     int			 error;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
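Review bot: The `8` on line 1512 is a magic number standing for the drawable and buffer words read on line 1516 and the line after it, and nothing ties the two together; the ReleaseTexImageEXT hunk (line 1521) repeats it and the CopySubBufferMESA hunk (line 1530) uses a bare `20`. Either spell the size from the reads, `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 2 * sizeof(CARD32));`, or put `/* payload: drawable, buffer */` above the check so a future change to the reads is visibly a change to the size. The enclosing function starts and ends outside this hunk.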
@@ -1608,6 +1701,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     int			 buffer;
     int			 error;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1643,6 +1738,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
     (void) client;
     (void) req;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1731,16 +1828,22 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId)
 
 int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
 
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+
     return DoGetDrawableAttributes(cl, req->drawable);
 }
 
 int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesSGIXReq *req =
 	(xGLXGetDrawableAttributesSGIXReq *)pc;
     
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
     return DoGetDrawableAttributes(cl, req->drawable);
 }
 
@@ -1765,6 +1868,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *glxc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXRenderReq);
+
     req = (xGLXRenderReq *) pc;
     if (client->swapped) {
 	__GLX_SWAP_SHORT(&req->length);
@@ -1785,6 +1890,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
 	__GLXdispatchRenderProcPtr proc;
 	int err;
 
+	if (left < sizeof(__GLXrenderHeader))
+	    return BadLength;
+
 	/*
 	** Verify that the header length and the overall length agree.
 	** Also, each command must be word aligned.
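Review bot: The new guard `if (left < sizeof(__GLXrenderHeader))` on line 1571 compares `left` with a size_t; if `left` is a signed int (its declaration, like the rest of __glXDisp_Render, is outside this hunk) a negative value converts to a very large unsigned number and the test passes. Whether `left` can be negative depends on the loop's existing bookkeeping further down, which is also not visible here; if it cannot, a one-line comment stating that invariant next to the check makes the mixed-sign comparison obviously safe, otherwise write it as `if (left < (int) sizeof(__GLXrenderHeader))` so a negative remainder is rejected too.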
@@ -2295,10 +2403,12 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLint vendorcode = req->vendorCode;
     __GLXdispatchVendorPrivProcPtr proc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     proc = (__GLXdispatchVendorPrivProcPtr)
       __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
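Review bot: `GLint vendorcode = req->vendorCode;` on line 1583 dereferences the request before REQUEST_AT_LEAST_SIZE on line 1586 has validated its length, so the vendor code is read from an unchecked buffer; the VendorPrivateWithReply hunk has the same order (lines 1596 and 1599). The commit fixes exactly this pattern in WaitGL, WaitX, CopyContext and SwapBuffers by deferring the field reads until after the check, and these two handlers should match: declare `GLint vendorcode;`, and after the macro assign `vendorcode = req->vendorCode;`. The rest of __glXDisp_VendorPrivate is outside the hunk.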
@@ -2314,10 +2424,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLint vendorcode = req->vendorCode;
     __GLXdispatchVendorPrivProcPtr proc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     proc = (__GLXdispatchVendorPrivProcPtr)
       __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2340,6 +2452,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
     char *buf;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -2379,6 +2493,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
     int err;
     char ver_str[16];
 
+    REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -2426,14 +2542,20 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc;
     const char *buf;
    
+    REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
+    buf = (const char *)(req+1);
+    if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq)))
+	return BadLength;
+
     cl->GLClientmajorVersion = req->major;
     cl->GLClientminorVersion = req->minor;
     if (cl->GLClientextensions)
 	xfree(cl->GLClientextensions);
-    buf = (const char *)(req+1);
     cl->GLClientextensions = xstrdup(buf);
 
     return Success;
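Review bot: The memchr guard on lines 1631-1633 carries no comment, and its bound `(client->req_len << 2) - sizeof(xGLXClientInfoReq)` is only non-wrapping because REQUEST_AT_LEAST_SIZE on line 1629 has already established that the request is at least that long, a dependency the reader has to reconstruct. A comment above the call such as `/* the extension string must be NUL-terminated inside the request; xstrdup below would otherwise read past it */` records both the purpose and the ordering requirement. It is also worth stating that the check trusts only req_len and ignores the request's own numbytes field, since that is the right choice but looks like an omission.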
diff --git a/glx/xfont.c b/glx/xfont.c
index b8b466d..5d5b4c3 100644
--- a/glx/xfont.c
+++ b/glx/xfont.c
@@ -160,6 +160,8 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *cx;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
     req = (xGLXUseXFontReq *) pc;
     cx = __glXForceCurrent(cl, req->contextTag, &error);
     if (!cx) {

