xserver: Branch 'master' - 6 commits
Keith Packard
keithp at kemper.freedesktop.org
Tue Jan 18 15:18:31 PST 2011
glx/glxcmds.c | 169 ++++++++++++++++++++++++++++++++++++++++++++++++++----
glx/glxcmdsswap.c | 165 +++++++++++++++++++++++++++++++++++++++++++++++++---
glx/xfont.c | 2
3 files changed, 316 insertions(+), 20 deletions(-)
New commits:
commit 361128389e5cb0101cbd091ff8de77cf34608f6c
Merge: 65ceaad... d9225b9...
Author: Keith Packard <keithp at keithp.com>
Date: Tue Jan 18 15:18:08 2011 -0800
Merge remote branch 'jcristau/for-keith'
commit d9225b9602c85603ae616a7381c784f5cf5e811c
Author: Julien Cristau <jcristau at debian.org>
Date: Wed Nov 10 22:39:54 2010 +0100
glx: validate numAttribs field before using it
Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
Reviewed-by: Daniel Stone <daniel at fooishbar.org>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 566dbbe..3ef567d 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1283,6 +1283,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1396,6 +1401,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
CARD32 *attrs;
int width, height, i;
+ REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attrs = (CARD32 *) (req + 1);
@@ -1483,6 +1493,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
xGLXChangeDrawableAttributesReq *req =
(xGLXChangeDrawableAttributesReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1495,6 +1510,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXChangeDrawableAttributesSGIXReq *req =
(xGLXChangeDrawableAttributesSGIXReq *)pc;
+ REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1510,6 +1530,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
DrawablePtr pDraw;
int err;
+ REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
LEGAL_NEW_RESOURCE(req->glxwindow, client);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 87bf75b..3bb4cad 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -319,6 +319,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->glxpixmap);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -400,6 +404,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->pbuffer);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -464,6 +472,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -486,6 +498,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -509,6 +525,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->glxwindow);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b
Author: Julien Cristau <jcristau at debian.org>
Date: Sun Aug 22 16:20:45 2010 +0100
glx: swap the request arrays entirely, not just half of them
Various glx requests include a list of pairs of attributes. We were
only swapping the first half.
Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
Reviewed-by: Daniel Stone <daniel at fooishbar.org>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 9276e2f..87bf75b 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -321,7 +321,7 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreatePixmap(cl, pc);
}
@@ -402,7 +402,7 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreatePbuffer(cl, pc);
}
@@ -466,7 +466,7 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_ChangeDrawableAttributes(cl, pc);
}
@@ -488,7 +488,7 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc);
}
@@ -511,7 +511,7 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreateWindow(cl, pc);
}
commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543
Author: Julien Cristau <jcristau at debian.org>
Date: Sun Aug 22 00:50:05 2010 +0100
glx: check request length before swapping
Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
Reviewed-by: Daniel Stone <daniel at fooishbar.org>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index ce4d69a..9276e2f 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -60,9 +60,12 @@
int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
__GLX_SWAP_INT(&req->visual);
@@ -74,9 +77,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
__GLX_SWAP_INT(&req->fbconfig);
@@ -89,10 +95,13 @@ int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextWithConfigSGIXReq *req =
(xGLXCreateContextWithConfigSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
__GLX_SWAP_INT(&req->fbconfig);
@@ -105,9 +114,12 @@ int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
@@ -116,9 +128,12 @@ int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->context);
@@ -129,9 +144,12 @@ int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->readdrawable);
@@ -143,9 +161,12 @@ int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->readable);
@@ -157,9 +178,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
@@ -168,9 +192,12 @@ int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->majorVersion);
__GLX_SWAP_INT(&req->minorVersion);
@@ -180,9 +207,12 @@ int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
@@ -191,9 +221,12 @@ int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitXReq *req = (xGLXWaitXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
@@ -202,9 +235,12 @@ int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->source);
__GLX_SWAP_INT(&req->dest);
@@ -215,36 +251,48 @@ int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetVisualConfigs(cl, pc);
}
int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
+
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigs(cl, pc);
}
int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
}
int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->visual);
@@ -256,17 +304,22 @@ int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
CARD32 *attribs;
__GLX_DECLARE_SWAP_VARIABLES;
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
__GLX_SWAP_INT(&req->pixmap);
__GLX_SWAP_INT(&req->glxpixmap);
__GLX_SWAP_INT(&req->numAttribs);
+
+ REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
@@ -275,10 +328,13 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapWithConfigSGIXReq *req =
(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
@@ -290,9 +346,12 @@ int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc
int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -301,9 +360,12 @@ int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -312,9 +374,12 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
__GLX_SWAP_INT(&req->context);
return __glXDisp_QueryContext(cl, pc);
@@ -322,15 +387,20 @@ int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
CARD32 *attribs;
+ REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
__GLX_SWAP_INT(&req->pbuffer);
__GLX_SWAP_INT(&req->numAttribs);
+
+ REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
@@ -339,9 +409,12 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
__GLX_SWAP_INT(&req->pbuffer);
@@ -353,9 +426,12 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
__GLX_SWAP_INT(&req->pbuffer);
return __glXDisp_DestroyPbuffer(cl, pc);
@@ -363,9 +439,12 @@ int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
__GLX_SWAP_INT(&req->pbuffer);
return __glXDisp_DestroyGLXPbufferSGIX(cl, pc);
@@ -373,14 +452,19 @@ int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXChangeDrawableAttributesReq *req =
(xGLXChangeDrawableAttributesReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
CARD32 *attribs;
+ REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
+
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
@@ -390,14 +474,19 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXChangeDrawableAttributesSGIXReq *req =
(xGLXChangeDrawableAttributesSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
CARD32 *attribs;
+ REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
+
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
@@ -406,16 +495,21 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateWindowReq *req = (xGLXCreateWindowReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
CARD32 *attribs;
+ REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
__GLX_SWAP_INT(&req->window);
__GLX_SWAP_INT(&req->glxwindow);
__GLX_SWAP_INT(&req->numAttribs);
+
+ REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
@@ -424,9 +518,12 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+
__GLX_SWAP_INT(&req->glxwindow);
return __glXDisp_DestroyWindow(cl, pc);
@@ -434,9 +531,12 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(&req->drawable);
@@ -446,9 +546,12 @@ int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXUseXFontReq *req = (xGLXUseXFontReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(&req->font);
@@ -462,9 +565,12 @@ int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *)pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->screen);
@@ -473,9 +579,12 @@ int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *)pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->name);
@@ -485,9 +594,12 @@ int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXClientInfoReq *req = (xGLXClientInfoReq *)pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->major);
__GLX_SWAP_INT(&req->minor);
@@ -498,9 +610,12 @@ int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
@@ -509,12 +624,14 @@ int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
-
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc));
@@ -530,12 +647,14 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
-
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc));
@@ -551,12 +670,14 @@ int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
-
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
(void) drawId;
(void) buffer;
@@ -576,11 +697,13 @@ int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req = (xGLXVendorPrivateWithReplyReq *)pc;
CARD32 *data;
-
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
data = (CARD32 *) (req + 1);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
@@ -591,10 +714,12 @@ int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
-
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
commit ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
Author: Julien Cristau <jcristau at debian.org>
Date: Sat Jul 3 19:47:55 2010 +0100
glx: validate request lengths
Reviewed-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
Reviewed-by: Daniel Stone <daniel at fooishbar.org>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 419cc46..566dbbe 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -314,11 +314,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId,
int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
__GLXconfig *config;
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -330,11 +333,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
__GLXconfig *config;
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -346,12 +352,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextWithConfigSGIXReq *req =
(xGLXCreateContextWithConfigSGIXReq *) pc;
__GLXconfig *config;
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -362,10 +371,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
}
int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
__GLXcontext *glxc;
int err;
+ REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
if (!validGlxContext(cl->client, req->context, DixDestroyAccess,
&glxc, &err))
return err;
@@ -685,24 +697,33 @@ DoMakeCurrent(__GLXclientState *cl,
int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
return DoMakeCurrent( cl, req->drawable, req->drawable,
req->context, req->oldContextTag );
}
int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
return DoMakeCurrent( cl, req->drawable, req->readdrawable,
req->context, req->oldContextTag );
}
int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
return DoMakeCurrent( cl, req->drawable, req->readable,
req->context, req->oldContextTag );
}
@@ -715,6 +736,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc)
__GLXcontext *glxc;
int err;
+ REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err))
return err;
@@ -739,6 +762,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
xGLXQueryVersionReply reply;
GLuint major, minor;
+ REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
major = req->majorVersion;
minor = req->minorVersion;
(void)major;
@@ -765,11 +790,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc;
- GLXContextTag tag = req->contextTag;
+ GLXContextTag tag;
__GLXcontext *glxc = NULL;
int error;
+ REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
+ tag = req->contextTag;
if (tag) {
glxc = __glXLookupContextByTag(cl, tag);
if (!glxc)
@@ -789,11 +818,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitXReq *req = (xGLXWaitXReq *)pc;
- GLXContextTag tag = req->contextTag;
+ GLXContextTag tag;
__GLXcontext *glxc = NULL;
int error;
+ REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
+ tag = req->contextTag;
if (tag) {
glxc = __glXLookupContextByTag(cl, tag);
if (!glxc)
@@ -813,13 +846,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc)
{
ClientPtr client = cl->client;
xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
- GLXContextID source = req->source;
- GLXContextID dest = req->dest;
- GLXContextTag tag = req->contextTag;
- unsigned long mask = req->mask;
+ GLXContextID source;
+ GLXContextID dest;
+ GLXContextTag tag;
+ unsigned long mask;
__GLXcontext *src, *dst;
int error;
+ REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
+ source = req->source;
+ dest = req->dest;
+ tag = req->contextTag;
+ mask = req->mask;
if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error))
return error;
if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error))
@@ -902,6 +941,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
__GLX_DECLARE_SWAP_VARIABLES;
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
@@ -1081,13 +1122,17 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen)
int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
return DoGetFBConfigs(cl, req->screen);
}
int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
}
@@ -1213,11 +1258,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID,
int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
__GLXconfig *config;
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -1229,11 +1277,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
__GLXconfig *config;
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1252,12 +1303,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapWithConfigSGIXReq *req =
(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
__GLXconfig *config;
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
return err;
if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1284,15 +1338,21 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type)
int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
@@ -1331,10 +1391,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc;
CARD32 *attrs;
int width, height, i;
+ REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
+
attrs = (CARD32 *) (req + 1);
width = 0;
height = 0;
@@ -1360,23 +1423,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+
return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
req->width, req->height, req->pbuffer);
}
int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
}
int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
}
@@ -1407,18 +1479,24 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable,
int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXChangeDrawableAttributesReq *req =
(xGLXChangeDrawableAttributesReq *) pc;
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
}
int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXChangeDrawableAttributesSGIXReq *req =
(xGLXChangeDrawableAttributesSGIXReq *)pc;
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
+
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
}
@@ -1432,6 +1510,8 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
DrawablePtr pDraw;
int err;
+ REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
+
LEGAL_NEW_RESOURCE(req->glxwindow, client);
if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
@@ -1455,8 +1535,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
}
@@ -1472,12 +1555,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
{
ClientPtr client = cl->client;
xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
- GLXContextTag tag = req->contextTag;
- XID drawId = req->drawable;
+ GLXContextTag tag;
+ XID drawId;
__GLXcontext *glxc = NULL;
__GLXdrawable *pGlxDraw;
int error;
+ REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
+ tag = req->contextTag;
+ drawId = req->drawable;
if (tag) {
glxc = __glXLookupContextByTag(cl, tag);
if (!glxc) {
@@ -1558,15 +1645,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId)
int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
return DoQueryContext(cl, req->context);
}
int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
return DoQueryContext(cl, req->context);
}
@@ -1580,6 +1673,8 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
int buffer;
int error;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
@@ -1614,6 +1709,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
int buffer;
int error;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
@@ -1649,6 +1746,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
(void) client;
(void) req;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
@@ -1737,16 +1836,22 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId)
int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+
return DoGetDrawableAttributes(cl, req->drawable);
}
int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetDrawableAttributesSGIXReq *req =
(xGLXGetDrawableAttributesSGIXReq *)pc;
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
return DoGetDrawableAttributes(cl, req->drawable);
}
@@ -1771,6 +1876,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
__GLXcontext *glxc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderReq);
+
req = (xGLXRenderReq *) pc;
if (client->swapped) {
__GLX_SWAP_SHORT(&req->length);
@@ -1791,6 +1898,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
__GLXdispatchRenderProcPtr proc;
int err;
+ if (left < sizeof(__GLXrenderHeader))
+ return BadLength;
+
/*
** Verify that the header length and the overall length agree.
** Also, each command must be word aligned.
@@ -2069,10 +2179,12 @@ int __glXDisp_RenderLarge(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLint vendorcode = req->vendorCode;
__GLXdispatchVendorPrivProcPtr proc;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
proc = (__GLXdispatchVendorPrivProcPtr)
__glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2088,10 +2200,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLint vendorcode = req->vendorCode;
__GLXdispatchVendorPrivProcPtr proc;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
proc = (__GLXdispatchVendorPrivProcPtr)
__glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2114,6 +2228,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
char *buf;
int err;
+ REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
return err;
@@ -2153,6 +2269,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
int err;
char ver_str[16];
+ REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
return err;
@@ -2200,13 +2318,19 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc;
const char *buf;
+ REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
+ buf = (const char *)(req+1);
+ if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq)))
+ return BadLength;
+
cl->GLClientmajorVersion = req->major;
cl->GLClientminorVersion = req->minor;
free(cl->GLClientextensions);
- buf = (const char *)(req+1);
cl->GLClientextensions = strdup(buf);
return Success;
diff --git a/glx/xfont.c b/glx/xfont.c
index 9943784..84a301f 100644
--- a/glx/xfont.c
+++ b/glx/xfont.c
@@ -154,6 +154,8 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc)
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
req = (xGLXUseXFontReq *) pc;
cx = __glXForceCurrent(cl, req->contextTag, &error);
if (!cx) {
commit 3f0d3f4d97bce75c1828635c322b6560a45a037f
Author: Julien Cristau <jcristau at debian.org>
Date: Sat Jul 3 19:42:26 2010 +0100
glx: make sure screen is non-negative in validGlxScreen
Reviewed-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Kristian Høgsberg <krh at bitplanet.net>
Reviewed-by: Daniel Stone <daniel at fooishbar.org>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index de9c3f0..419cc46 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -56,7 +56,7 @@ validGlxScreen(ClientPtr client, int screen, __GLXscreen **pGlxScreen, int *err)
/*
** Check if screen exists.
*/
- if (screen >= screenInfo.numScreens) {
+ if (screen < 0 || screen >= screenInfo.numScreens) {
client->errorValue = screen;
*err = BadValue;
return FALSE;
More information about the xorg-commit
mailing list