[PATCH 2/5] glx: validate request lengths

Julien Cristau jcristau at debian.org
Mon Jan 3 12:08:07 PST 2011


Reviewed-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
---
 glx/glxcmds.c |  142 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
 glx/xfont.c   |    2 +
 2 files changed, 135 insertions(+), 9 deletions(-)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 419cc46..566dbbe 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -314,11 +314,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId,
 
 int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -330,11 +333,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -346,12 +352,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextWithConfigSGIXReq *req = 
 	(xGLXCreateContextWithConfigSGIXReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -362,10 +371,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 }
 int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
     __GLXcontext *glxc;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
     if (!validGlxContext(cl->client, req->context, DixDestroyAccess,
 			 &glxc, &err))
 	    return err;
@@ -685,24 +697,33 @@ DoMakeCurrent(__GLXclientState *cl,
 
 int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
     return DoMakeCurrent( cl, req->drawable, req->drawable,
 			  req->context, req->oldContextTag );
 }
 
 int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
     return DoMakeCurrent( cl, req->drawable, req->readdrawable,
 			  req->context, req->oldContextTag );
 }
 
 int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
     return DoMakeCurrent( cl, req->drawable, req->readable,
 			  req->context, req->oldContextTag );
 }
@@ -715,6 +736,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *glxc;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
     if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err))
 	return err;
 
@@ -739,6 +762,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
     xGLXQueryVersionReply reply;
     GLuint major, minor;
 
+    REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
     major = req->majorVersion;
     minor = req->minorVersion;
     (void)major;
@@ -765,11 +790,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc;
-    GLXContextTag tag = req->contextTag;
+    GLXContextTag tag;
     __GLXcontext *glxc = NULL;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
+    tag = req->contextTag;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc)
@@ -789,11 +818,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitXReq *req = (xGLXWaitXReq *)pc;
-    GLXContextTag tag = req->contextTag;
+    GLXContextTag tag;
     __GLXcontext *glxc = NULL;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
+    tag = req->contextTag;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc)
@@ -813,13 +846,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
-    GLXContextID source = req->source;
-    GLXContextID dest = req->dest;
-    GLXContextTag tag = req->contextTag;
-    unsigned long mask = req->mask;
+    GLXContextID source;
+    GLXContextID dest;
+    GLXContextTag tag;
+    unsigned long mask;
     __GLXcontext *src, *dst;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
+    source = req->source;
+    dest = req->dest;
+    tag = req->contextTag;
+    mask = req->mask;
     if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error))
 	return error;
     if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error))
@@ -902,6 +941,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -1081,13 +1122,17 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen)
 
 int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
 int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
@@ -1213,11 +1258,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID,
 
 int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -1229,11 +1277,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1252,12 +1303,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapWithConfigSGIXReq *req = 
 	(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1284,15 +1338,21 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type)
 
 int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
 
 int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
 
@@ -1331,10 +1391,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
 
 int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePbufferReq	*req = (xGLXCreatePbufferReq *) pc;
     CARD32			*attrs;
     int				 width, height, i;
 
+    REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
+
     attrs = (CARD32 *) (req + 1);
     width = 0;
     height = 0;
@@ -1360,23 +1423,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+
     return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
 			   req->width, req->height, req->pbuffer);
 }
 
 int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
     return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
 }
 
 int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
     return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
 }
 
@@ -1407,18 +1479,24 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable,
 
 int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
 }
 
 int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
+
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
 }
@@ -1432,6 +1510,8 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     DrawablePtr		 pDraw;
     int			 err;
 
+    REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
+
     LEGAL_NEW_RESOURCE(req->glxwindow, client);
 
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
@@ -1455,8 +1535,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+
     return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
 }
 
@@ -1472,12 +1555,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
-    GLXContextTag tag = req->contextTag;
-    XID drawId = req->drawable;
+    GLXContextTag tag;
+    XID drawId;
     __GLXcontext *glxc = NULL;
     __GLXdrawable *pGlxDraw;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
+    tag = req->contextTag;
+    drawId = req->drawable;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc) {
@@ -1558,15 +1645,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId)
 
 int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
     return DoQueryContext(cl, req->context);
 }
 
 int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
     return DoQueryContext(cl, req->context);
 }
 
@@ -1580,6 +1673,8 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     int			 buffer;
     int			 error;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1614,6 +1709,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     int			 buffer;
     int			 error;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1649,6 +1746,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
     (void) client;
     (void) req;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1737,16 +1836,22 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId)
 
 int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
 
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+
     return DoGetDrawableAttributes(cl, req->drawable);
 }
 
 int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesSGIXReq *req =
 	(xGLXGetDrawableAttributesSGIXReq *)pc;
     
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
     return DoGetDrawableAttributes(cl, req->drawable);
 }
 
@@ -1771,6 +1876,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *glxc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXRenderReq);
+
     req = (xGLXRenderReq *) pc;
     if (client->swapped) {
 	__GLX_SWAP_SHORT(&req->length);
@@ -1791,6 +1898,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
 	__GLXdispatchRenderProcPtr proc;
 	int err;
 
+	if (left < sizeof(__GLXrenderHeader))
+	    return BadLength;
+
 	/*
 	** Verify that the header length and the overall length agree.
 	** Also, each command must be word aligned.
@@ -2069,10 +2179,12 @@ int __glXDisp_RenderLarge(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLint vendorcode = req->vendorCode;
     __GLXdispatchVendorPrivProcPtr proc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     proc = (__GLXdispatchVendorPrivProcPtr)
       __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2088,10 +2200,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLint vendorcode = req->vendorCode;
     __GLXdispatchVendorPrivProcPtr proc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     proc = (__GLXdispatchVendorPrivProcPtr)
       __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2114,6 +2228,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
     char *buf;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -2153,6 +2269,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
     int err;
     char ver_str[16];
 
+    REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -2200,13 +2318,19 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc;
     const char *buf;
    
+    REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
+    buf = (const char *)(req+1);
+    if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq)))
+	return BadLength;
+
     cl->GLClientmajorVersion = req->major;
     cl->GLClientminorVersion = req->minor;
     free(cl->GLClientextensions);
-    buf = (const char *)(req+1);
     cl->GLClientextensions = strdup(buf);
 
     return Success;
diff --git a/glx/xfont.c b/glx/xfont.c
index 9943784..84a301f 100644
--- a/glx/xfont.c
+++ b/glx/xfont.c
@@ -154,6 +154,8 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *cx;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
     req = (xGLXUseXFontReq *) pc;
     cx = __glXForceCurrent(cl, req->contextTag, &error);
     if (!cx) {
-- 
1.7.2.3



More information about the xorg-devel mailing list