xserver: Branch 'master' - 4 commits
Keith Packard
keithp at kemper.freedesktop.org
Fri Feb 18 14:29:59 PST 2011
glx/glxcmds.c | 31 +++++++++++++++++++++++++------
glx/glxcmdsswap.c | 20 +++++++++++++-------
2 files changed, 38 insertions(+), 13 deletions(-)
New commits:
commit 2c77aeb39f59f1a94cc603a2e6256a62ce785c36
Merge: 816d67d... 402b329...
Author: Keith Packard <keithp at keithp.com>
Date: Fri Feb 18 14:29:32 2011 -0800
Merge remote branch 'jcristau/for-keith'
commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26
Author: Julien Cristau <jcristau at debian.org>
Date: Sun Jan 23 13:35:54 2011 +0100
glx: Work around wrong request lengths sent by mesa
mesa used to send too long requests for GLXDestroyPixmap,
GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
and GLXGetFBConfigsSGIX.
Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>
Reported-by: xunx.fang at intel.com
Signed-off-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Adam Jackson <ajax at redhat.com>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 5d633df..9b4bc9e 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1132,7 +1132,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
{
ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
- REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+ /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+ REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
}
@@ -1356,7 +1357,9 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
- REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+ /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+ * length to 3 instead of 2 */
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
@@ -1498,7 +1501,13 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
client->errorValue = req->numAttribs;
return BadValue;
}
+#if 0
+ /* mesa sends an additional 8 bytes */
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+ if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+ return BadLength;
+#endif
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
@@ -1563,7 +1572,8 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
- REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+ /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
}
@@ -1872,7 +1882,8 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
- REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+ /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+ REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
return DoGetDrawableAttributes(cl, req->drawable);
}
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index d58de62..76e6fb6 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -279,7 +279,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -368,7 +368,7 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -476,7 +476,9 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
client->errorValue = req->numAttribs;
return BadValue;
}
- REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+ if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+ return BadLength;
+
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -542,7 +544,7 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
__GLX_SWAP_INT(&req->glxwindow);
@@ -742,7 +744,7 @@ int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+ REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
commit 1137c11be0f82049d28024eaf963c6f76e0d4334
Author: Julien Cristau <jcristau at debian.org>
Date: Wed Jan 26 13:06:53 2011 +0100
glx: fix BindTexImageEXT length check
The request is followed by a list of attributes.
X.Org bug#33449
Reported-and-tested-by: meng <mengmeng.meng at intel.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Adam Jackson <ajax at redhat.com>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0b375c3..5d633df 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
GLXDrawable drawId;
int buffer;
int error;
+ CARD32 num_attribs;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
buffer = *((INT32 *) (pc + 4));
+ num_attribs = *((CARD32 *) (pc + 8));
+ if (num_attribs > (UINT32_MAX >> 3)) {
+ client->errorValue = num_attribs;
+ return BadValue;
+ }
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
if (buffer != GLX_FRONT_LEFT_EXT)
return __glXError(GLXBadPixmap);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 9d96c9d..d58de62 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -648,19 +648,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
+ CARD32 *num_attribs;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc));
buffer = ((int *) (pc + 4));
+ num_attribs = ((CARD32 *) (pc + 8));
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(drawId);
__GLX_SWAP_INT(buffer);
+ __GLX_SWAP_INT(num_attribs);
return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
}
commit a883cf1545abd89bb2cadfa659718884b56fd234
Author: Julien Cristau <jcristau at debian.org>
Date: Sun Jan 23 17:05:26 2011 +0100
glx: fix request length check for CreateGLXPbufferSGIX
The request is followed by an attribute list.
Signed-off-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Adam Jackson <ajax at redhat.com>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 3ef567d..0b375c3 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1436,7 +1436,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
req->width, req->height, req->pbuffer);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 3bb4cad..9d96c9d 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -421,7 +421,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
More information about the xorg-commit
mailing list