[Mesa-dev] [PATCH] glapi/glx: Add overflow checks to the client-side indirect code

[Adam Jackson]

Coverity complains that the computed sizes can lead to negative lengths
passed to memcpy. If that happens we've been handed invalid arguments
anyway, so just bomb out.

The funky "0%s" is because the size string for the variable-length part
of the request is of the form "+ safe_pad() ...", and a unary + would
coerce the result to always be positive, defeating the overflow check.

Signed-off-by: Adam Jackson <ajax at redhat.com>
---
 src/mapi/glapi/gen/glX_proto_send.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/mapi/glapi/gen/glX_proto_send.py b/src/mapi/glapi/gen/glX_proto_send.py
index 10abcff..26e7ab6 100644
--- a/src/mapi/glapi/gen/glX_proto_send.py
+++ b/src/mapi/glapi/gen/glX_proto_send.py
@@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr )
         if name != None and name not in f.glx_vendorpriv_names:
             print '#endif'
 
+        if f.command_variable_length() != "":
+            print "    if (0%s < 0) {" % f.command_variable_length()
+            print "        __glXSetError(gc, GL_INVALID_VALUE);"
+            if f.return_type != 'void':
+                print "        return 0;"
+            else:
+                print "        return;"
+            print "    }"
+
         condition_list = []
         for p in f.parameterIterateCounters():
             condition_list.append( "%s >= 0" % (p.name) )
-- 
2.7.4