[PATCH 2/3] glx: fix BindTexImageEXT length check
Julien Cristau
jcristau at debian.org
Thu Jan 27 01:32:08 PST 2011
The request is followed by a list of attributes.
X.Org bug#33449
Reported-and-tested-by: meng <mengmeng.meng at intel.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
---
glx/glxcmds.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0b375c3..5d633df 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
GLXDrawable drawId;
int buffer;
int error;
+ CARD32 num_attribs;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
buffer = *((INT32 *) (pc + 4));
+ num_attribs = *((CARD32 *) (pc + 8));
+ if (num_attribs > (UINT32_MAX >> 3)) {
+ client->errorValue = num_attribs;
+ return BadValue;
+ }
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
if (buffer != GLX_FRONT_LEFT_EXT)
return __glXError(GLXBadPixmap);
--
1.7.2.3
More information about the xorg-devel
mailing list