Module Name: xsrc
Committed By: mrg
Date: Thu Dec 11 09:46:17 UTC 2014
Modified Files:
xsrc/xfree/xc/programs/Xserver/GL/glx: glxcmds.c glxcmdsswap.c
glxserver.h rensize.c single2.c single2swap.c singlepix.c
singlepixswap.c unpack.h
xsrc/xfree/xc/programs/Xserver/Xext: xcmisc.c xvdisp.c
xsrc/xfree/xc/programs/Xserver/Xi: chgdctl.c chgfctl.c sendexev.c
xsrc/xfree/xc/programs/Xserver/dbe: dbe.c
xsrc/xfree/xc/programs/Xserver/dix: dispatch.c
xsrc/xfree/xc/programs/Xserver/include: dix.h misc.h
xsrc/xfree/xc/programs/Xserver/os: access.c rpcauth.c
xsrc/xfree/xc/programs/Xserver/randr: randr.c
xsrc/xfree/xc/programs/Xserver/render: render.c
Log Message:
pull over from xorg-server, porting as necessary.
--
apply fixes for:
X.Org Security Advisory: Dec. 9, 2014
Protocol handling issues in X Window System servers
backported to 1.10.x by myself.
included are fixes for:
denial of service due to unchecked malloc in client authentication
CVE-2014-8091
integer overflows calculating memory needs for requests
CVE-2014-8092
CVE-2014-8093
CVE-2014-8094
out of bounds access due to not validating length or offset values in requests
CVE-2014-8095
CVE-2014-8096
CVE-2014-8097
CVE-2014-8098
CVE-2014-8099
CVE-2014-8100
CVE-2014-8101
CVE-2014-8102
CVE-2014-8103
--
apply two more parts of CVE-2014-8092:
Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
--
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.6 -r1.2 xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h \
xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h
cvs rdiff -u -r1.1.1.7 -r1.2 xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c
cvs rdiff -u -r1.1.1.3 -r1.2 \
xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c
cvs rdiff -u -r1.1.1.4 -r1.2 \
xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c
cvs rdiff -u -r1.2 -r1.3 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c
cvs rdiff -u -r1.1.1.5 -r1.2 xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.4 -r1.2 xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c \
xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c \
xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c
cvs rdiff -u -r1.2 -r1.3 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c
cvs rdiff -u -r1.1.1.7 -r1.2 xsrc/xfree/xc/programs/Xserver/dix/dispatch.c
cvs rdiff -u -r1.1.1.6 -r1.2 xsrc/xfree/xc/programs/Xserver/include/dix.h \
xsrc/xfree/xc/programs/Xserver/include/misc.h
cvs rdiff -u -r1.6 -r1.7 xsrc/xfree/xc/programs/Xserver/os/access.c
cvs rdiff -u -r1.1.1.5 -r1.2 xsrc/xfree/xc/programs/Xserver/os/rpcauth.c
cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/xfree/xc/programs/Xserver/randr/randr.c
cvs rdiff -u -r1.3 -r1.4 xsrc/xfree/xc/programs/Xserver/render/render.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c:1.1.1.6 Fri Mar 18 13:09:55 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c Thu Dec 11 09:46:16 2014
@@ -1427,7 +1427,7 @@ int __glXRender(__GLXclientState *cl, GL
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData *entry;
- int extra;
+ int extra = 0;
void (* proc)(GLbyte *);
/*
@@ -1464,22 +1464,19 @@ int __glXRender(__GLXclientState *cl, GL
client->errorValue = commandsDone;
return __glXBadRenderRequest;
}
+ if (cmdlen < entry->bytes) {
+ return BadLength;
+ }
if (entry->varsize) {
/* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry->bytes)) {
return BadLength;
}
}
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) {
return BadLength;
}
@@ -1513,6 +1510,8 @@ int __glXRenderLarge(__GLXclientState *c
int error;
CARD16 opcode;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
/*
** NOTE: much of this code also appears in the byteswapping version of this
** routine, __glXSwapRenderLarge(). Any changes made here should also be
@@ -1526,12 +1525,14 @@ int __glXRenderLarge(__GLXclientState *c
__glXResetLargeCommandStatus(cl);
return error;
}
+ if (safe_pad(req->dataBytes) < 0)
+ return BadLength;
dataBytes = req->dataBytes;
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
@@ -1541,7 +1542,9 @@ int __glXRenderLarge(__GLXclientState *c
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
- int extra, cmdlen;
+ int cmdlen;
+ int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
/*
** This is the first request of a multi request command.
** Make enough space in the buffer, then copy the entire request.
@@ -1551,9 +1554,16 @@ int __glXRenderLarge(__GLXclientState *c
return __glXBadLargeRequest;
}
+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+ return BadLength;
+
hdr = (__GLXrenderLargeHeader *) pc;
- cmdlen = hdr->length;
opcode = hdr->opcode;
+ if ((cmdlen = safe_pad(hdr->length)) < 0)
+ return BadLength;
+
+ if (left < cmdlen)
+ return BadLength;
/*
** Check for core opcodes and grab entry data.
@@ -1583,20 +1593,18 @@ int __glXRenderLarge(__GLXclientState *c
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
+ left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry->bytes + 4)) {
return BadLength;
}
}
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) {
+ return BadLength;
+ }
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -1625,6 +1633,7 @@ int __glXRenderLarge(__GLXclientState *c
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -1643,11 +1652,18 @@ int __glXRenderLarge(__GLXclientState *c
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXBadLargeRequest;
}
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXBadLargeRequest;
+ }
+
__glXMemcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -1657,17 +1673,16 @@ int __glXRenderLarge(__GLXclientState *c
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXBadLargeRequest;
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c:1.1.1.6 Fri Mar 18 13:09:55 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c Thu Dec 11 09:46:16 2014
@@ -494,7 +494,7 @@ int __glXSwapRender(__GLXclientState *cl
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData *entry;
- int extra;
+ int extra = 0;
void (* proc)(GLbyte *);
/*
@@ -527,22 +527,20 @@ int __glXSwapRender(__GLXclientState *cl
client->errorValue = commandsDone;
return __glXBadRenderRequest;
}
+ if (cmdlen < entry->bytes) {
+ return BadLength;
+ }
if (entry->varsize) {
/* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
extra = 0;
- }
- if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry->bytes)) {
return BadLength;
}
}
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) {
return BadLength;
}
@@ -577,6 +575,8 @@ int __glXSwapRenderLarge(__GLXclientStat
CARD16 opcode;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
/*
** NOTE: much of this code also appears in the nonswapping version of this
** routine, __glXRenderLarge(). Any changes made here should also be
@@ -600,7 +600,7 @@ int __glXSwapRenderLarge(__GLXclientStat
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(safe_add(dataBytes, sz_xGLXRenderLargeReq))) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
@@ -610,7 +610,8 @@ int __glXSwapRenderLarge(__GLXclientStat
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
- int extra;
+ int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
/*
** This is the first request of a multi request command.
@@ -647,26 +648,29 @@ int __glXSwapRenderLarge(__GLXclientStat
client->errorValue = opcode;
return __glXBadLargeRequest;
}
+
+ if (cmdlen < entry->bytes) {
+ return BadLength;
+ }
+
if (entry->varsize) {
/*
** If it's a variable-size command (a command whose length must
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry->bytes + 4)) {
return BadLength;
}
}
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) {
+ return BadLength;
+ }
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -694,6 +698,7 @@ int __glXSwapRenderLarge(__GLXclientStat
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -712,11 +717,18 @@ int __glXSwapRenderLarge(__GLXclientStat
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXBadLargeRequest;
}
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXBadLargeRequest;
+ }
+
__glXMemcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -726,17 +738,16 @@ int __glXSwapRenderLarge(__GLXclientStat
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXBadLargeRequest;
@@ -793,10 +804,12 @@ int __glXSwapRenderLarge(__GLXclientStat
int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -831,10 +844,12 @@ int __glXSwapVendorPrivate(__GLXclientSt
int __glXSwapVendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h:1.1.1.6 Fri Mar 18 13:09:55 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h Thu Dec 11 09:46:16 2014
@@ -174,7 +174,7 @@ extern __GLXprocPtr __glXProcTable[];
*/
typedef struct {
int bytes;
- int (*varsize)(GLbyte *pc, Bool swap);
+ int (*varsize)(GLbyte *pc, Bool swap, int reqlen);
} __GLXrenderSizeData;
extern __GLXrenderSizeData __glXRenderSizeTable[];
extern __GLXrenderSizeData __glXRenderSizeTable_EXT[];
@@ -220,6 +220,49 @@ extern void glxSwapQueryServerStringRepl
* Routines for computing the size of variably-sized rendering commands.
*/
+#define _X_INLINE __inline__
+
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type, GLsizei w, GLsizei h,
GLint rowLength, GLint skipRows, GLint alignment);
@@ -229,48 +272,48 @@ extern int __glXImage3DSize(GLenum forma
GLint skipImages, GLint skipRows,
GLint alignment);
-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap);
-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap);
-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXFogivReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightivReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap);
-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap);
-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap);
-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap);
-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap);
-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap);
-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap );
-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap);
+extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swa, int reqlenp);
+extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap , int reqlen);
+extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
/*
* Routines for computing the size of returned data.
@@ -280,7 +323,7 @@ extern int __glXConvolutionParameterfvSi
extern int __glXColorTableParameterfvSize(GLenum pname);
extern int __glXColorTableParameterivSize(GLenum pname);
-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap);
-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap);
+extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
#endif /* !__GLX_server_h__ */
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6 Fri Mar 18 13:09:56 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c Thu Dec 11 09:46:16 2014
@@ -44,11 +44,14 @@
int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -74,10 +77,13 @@ int __glXDisp_FeedbackBuffer(__GLXclient
int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -102,7 +108,7 @@ int __glXDisp_SelectBuffer(__GLXclientSt
int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems=0, retBytes=0, retval, newModeCheck;
@@ -110,6 +116,8 @@ int __glXDisp_RenderMode(__GLXclientStat
GLenum newMode;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -184,7 +192,6 @@ int __glXDisp_RenderMode(__GLXclientStat
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply.length = nitems;
reply.type = X_Reply;
reply.sequenceNumber = client->sequence;
@@ -200,9 +207,12 @@ int __glXDisp_RenderMode(__GLXclientStat
int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -215,10 +225,12 @@ int __glXDisp_Flush(__GLXclientState *cl
int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -298,7 +310,7 @@ char *__glXcombine_strings(const char *c
int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@@ -307,6 +319,8 @@ int DoGetString(__GLXclientState *cl, GL
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@@ -323,7 +337,6 @@ int DoGetString(__GLXclientState *cl, GL
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *)(pc + 0);
string = (const char *)glGetString(name);
- client = cl->client;
/*
** Restrict extensions to those that are supported by both the
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6 Fri Mar 18 13:09:56 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c Thu Dec 11 09:46:16 2014
@@ -44,12 +44,15 @@
int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLX_DECLARE_SWAP_VARIABLES;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -78,11 +81,14 @@ int __glXDispSwap_FeedbackBuffer(__GLXcl
int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -109,7 +115,7 @@ int __glXDispSwap_SelectBuffer(__GLXclie
int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems=0, retBytes=0, retval, newModeCheck;
@@ -119,6 +125,8 @@ int __glXDispSwap_RenderMode(__GLXclient
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -197,7 +205,6 @@ int __glXDispSwap_RenderMode(__GLXclient
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply.length = nitems;
reply.type = X_Reply;
reply.sequenceNumber = client->sequence;
@@ -218,10 +225,13 @@ int __glXDispSwap_RenderMode(__GLXclient
int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -235,11 +245,13 @@ int __glXDispSwap_Flush(__GLXclientState
int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -251,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientStat
__GLX_NOTE_FLUSHED_CMDS(cx);
/* Send empty reply packet to indicate finish is finished */
- client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h:1.1.1.6 Fri Mar 18 13:09:56 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h Thu Dec 11 09:46:16 2014
@@ -85,7 +85,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c:1.1.1.7 xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c:1.1.1.7 Fri Mar 18 13:09:55 2005
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c Thu Dec 11 09:46:16 2014
@@ -44,7 +44,7 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-int __glXCallListsReqSize(GLbyte *pc, Bool swap )
+int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLsizei n = *(GLsizei *)(pc + 0);
GLenum type = *(GLenum *)(pc + 4);
@@ -56,7 +56,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bo
return __glCallLists_size( n, type ); /* defined in samplegl lib */
}
-int __glXFogivReqSize(GLbyte *pc, Bool swap )
+int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -65,12 +65,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool s
return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */
}
-int __glXFogfvReqSize(GLbyte *pc, Bool swap )
+int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXFogivReqSize( pc, swap );
+ return __glXFogivReqSize( pc, swap, reqlen );
}
-int __glXLightfvReqSize(GLbyte *pc, Bool swap )
+int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -79,12 +79,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool
return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */
}
-int __glXLightivReqSize(GLbyte *pc, Bool swap )
+int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXLightfvReqSize( pc, swap );
+ return __glXLightfvReqSize( pc, swap, reqlen );
}
-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
+int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -93,12 +93,12 @@ int __glXLightModelfvReqSize(GLbyte *pc,
return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */
}
-int __glXLightModelivReqSize(GLbyte *pc, Bool swap )
+int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXLightModelfvReqSize( pc, swap );
+ return __glXLightModelfvReqSize( pc, swap, reqlen );
}
-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
+int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -107,12 +107,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, B
return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */
}
-int __glXMaterialivReqSize(GLbyte *pc, Bool swap )
+int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXMaterialfvReqSize( pc, swap );
+ return __glXMaterialfvReqSize( pc, swap, reqlen );
}
-int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
+int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -121,7 +121,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Boo
return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -130,12 +130,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Boo
return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexGenivReqSize(GLbyte *pc, Bool swap )
+int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXTexGenfvReqSize( pc, swap );
+ return __glXTexGenfvReqSize( pc, swap, reqlen );
}
-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -144,12 +144,12 @@ int __glXTexParameterfvReqSize(GLbyte *p
return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXTexParameterfvReqSize( pc, swap );
+ return __glXTexParameterfvReqSize( pc, swap, reqlen );
}
-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -158,21 +158,21 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Boo
return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
+int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXTexEnvfvReqSize( pc, swap );
+ return __glXTexEnvfvReqSize( pc, swap, reqlen );
}
static int Map1Size( GLint k, GLint order)
{
if (order <= 0 || k < 0) return -1;
- return k * order;
+ return safe_mul(k, order);
}
-int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum*) (pc + 16);
order = *(GLint*) (pc + 20);
@@ -180,14 +180,15 @@ int __glXMap1dReqSize(GLbyte *pc, Bool s
target = SWAPL( target );
order = SWAPL( order );
}
- k = __glEvalComputeK( target );
- return 8 * Map1Size( k, order );
+ if (order < 1)
+ return -1;
+ return safe_mul(8, Map1Size(target, order));
}
-int __glXMap1fReqSize(GLbyte *pc, Bool swap )
+int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *)(pc + 0);
order = *(GLint *)(pc + 12);
@@ -195,20 +196,22 @@ int __glXMap1fReqSize(GLbyte *pc, Bool s
target = SWAPL( target );
order = SWAPL( order );
}
- k = __glEvalComputeK(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, Map1Size(target, order));
}
static int Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1;
- return k * majorOrder * minorOrder;
+ if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+ return -1;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
-int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *)(pc + 32);
uorder = *(GLint *)(pc + 36);
@@ -218,14 +221,13 @@ int __glXMap2dReqSize(GLbyte *pc, Bool s
uorder = SWAPL( uorder );
vorder = SWAPL( vorder );
}
- k = __glEvalComputeK( target );
- return 8 * Map2Size( k, uorder, vorder );
+ return safe_mul(8, Map2Size(__glEvalComputeK(target), uorder, vorder));
}
-int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *)(pc + 0);
uorder = *(GLint *)(pc + 12);
@@ -235,11 +237,10 @@ int __glXMap2fReqSize(GLbyte *pc, Bool s
uorder = SWAPL( uorder );
vorder = SWAPL( vorder );
}
- k = __glEvalComputeK( target );
- return 4 * Map2Size( k, uorder, vorder );
+ return safe_mul(4, Map2Size(__glEvalComputeK(target), uorder, vorder));
}
-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLint mapsize;
mapsize = *(GLint *)(pc + 4);
@@ -249,12 +250,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, B
return 4 * mapsize;
}
-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXPixelMapfvReqSize( pc, swap );
+ return __glXPixelMapfvReqSize( pc, swap, reqlen );
}
-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLint mapsize;
mapsize = *(GLint *)(pc + 4);
@@ -281,12 +282,20 @@ int __glXImage3DSize( GLenum format, GLe
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w==0 || h==0 || d == 0) return 0;
+
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
if (type == GL_BITMAP) {
if (rowLength > 0) {
@@ -295,11 +304,13 @@ int __glXImage3DSize( GLenum format, GLe
groupsPerRow = w;
}
rowSize = (groupsPerRow + 7) >> 3;
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+ return safe_mul(safe_add(h, skipRows), rowSize);
} else {
switch(format) {
case GL_COLOR_INDEX:
@@ -380,28 +391,32 @@ int __glXImage3DSize( GLenum format, GLe
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
} else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- } else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
+int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc;
GLenum format = hdr->format;
@@ -424,7 +439,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, B
return __glXImageSize( format, type, w, h, rowLength, skipRows, alignment );
}
-int __glXBitmapReqSize(GLbyte *pc, Bool swap )
+int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc;
GLint w = hdr->width;
@@ -444,7 +459,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool
rowLength, skipRows, alignment );
}
-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
GLenum target = hdr->target;
@@ -472,7 +487,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, B
return __glXImageSize( format, type, w, 1, rowLength, skipRows, alignment );
}
-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
GLenum target = hdr->target;
@@ -518,13 +533,14 @@ int __glXTypeSize(GLenum enm)
}
}
-int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
__GLXdispatchDrawArraysComponentHeader *compHeader;
GLint numVertexes = hdr->numVertexes;
GLint numComponents = hdr->numComponents;
GLint arrayElementSize = 0;
+ GLint x, size;
int i;
if (swap) {
@@ -533,6 +549,13 @@ int __glXDrawArraysSize( GLbyte *pc, Boo
}
pc += sizeof(__GLXdispatchDrawArraysHeader);
+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+ numComponents);
+ if (size < 0 || reqlen < 0 || reqlen < size)
+ return -1;
+
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
for (i=0; i<numComponents; i++) {
@@ -585,14 +608,14 @@ int __glXDrawArraysSize( GLbyte *pc, Boo
(numVertexes * arrayElementSize));
}
-int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap )
+int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLint n = *(GLsizei *)(pc + 0);
if (swap) n = SWAPL(n);
return(8*n); /* 4*n for textures, 4*n for priorities */
}
-int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
GLenum format = hdr->format;
@@ -613,7 +636,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc
return __glXImageSize( format, type, w, 1, rowLength, skipRows, alignment );
}
-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
GLenum format = hdr->format;
@@ -636,7 +659,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc
return __glXImageSize( format, type, w, h, rowLength, skipRows, alignment );
}
-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc;
GLenum target = hdr->target;
@@ -674,7 +697,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, B
}
}
-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchTexSubImage3DHeader *hdr =
(__GLXdispatchTexSubImage3DHeader *) pc;
@@ -712,7 +735,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc
}
}
-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -734,7 +757,7 @@ int __glXConvolutionFilter1DReqSize(GLby
return __glXImageSize ( format, type, w, 1, rowLength, 0, alignment );
}
-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -779,7 +802,7 @@ int __glXConvolutionParameterfvSize(GLen
return __glXConvolutionParameterivSize(pname);
}
-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -788,12 +811,12 @@ int __glXConvolutionParameterivReqSize(G
return 4 * __glXConvolutionParameterivSize( pname );
}
-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXConvolutionParameterivReqSize( pc, swap );
+ return __glXConvolutionParameterivReqSize( pc, swap, reqlen );
}
-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
+int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -817,10 +840,9 @@ int __glXSeparableFilter2DReqSize(GLbyte
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize ( format, type, w, 1, rowLength, 0, alignment );
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize ( format, type, h, 1, rowLength, 0, alignment );
- return image1size + image2size;
+ return safe_add(safe_pad(image1size), image2size);
}
int __glXColorTableParameterfvSize(GLenum pname)
@@ -841,7 +863,7 @@ int __glXColorTableParameterivSize(GLenu
return __glXColorTableParameterfvSize(pname);
}
-int __glXColorTableReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchColorTableHeader *hdr =
(__GLXdispatchColorTableHeader *) pc;
@@ -875,7 +897,7 @@ int __glXColorTableReqSize(GLbyte *pc, B
return __glXImageSize ( format, type, w, 1, rowLength, 0, alignment );
}
-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
+int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchColorSubTableHeader *hdr =
(__GLXdispatchColorSubTableHeader *) pc;
@@ -897,7 +919,7 @@ int __glXColorSubTableReqSize(GLbyte *pc
return __glXImageSize ( format, type, count, 1, rowLength, 0, alignment );
}
-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -906,13 +928,13 @@ int __glXColorTableParameterfvReqSize(GL
return 4 * __glXColorTableParameterfvSize(pname);
}
-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
/* no difference between fv and iv versions */
- return __glXColorTableParameterfvReqSize(pc, swap);
+ return __glXColorTableParameterfvReqSize(pc, swap, reqlen);
}
-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
+int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -921,8 +943,8 @@ int __glXPointParameterfvARBReqSize(GLby
return 4 * __glPointParameterfvARB_size( pname );
}
-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
/* no difference between fv and iv versions */
- return __glXPointParameterfvARBReqSize(pc, swap);
+ return __glXPointParameterfvARBReqSize(pc, swap, reqlen);
}
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3 Sat Jun 9 14:58:07 2001
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c Thu Dec 11 09:46:16 2014
@@ -53,6 +53,8 @@ int __glXDisp_ReadPixels(__GLXclientStat
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -66,7 +68,8 @@ int __glXDisp_ReadPixels(__GLXclientStat
swapBytes = *(GLboolean *)(pc + 24);
lsbFirst = *(GLboolean *)(pc + 25);
compsize = __glReadPixels_size(format,type,width,height);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -104,6 +107,8 @@ int __glXDisp_GetTexImage(__GLXclientSta
char *answer, answerBuffer[200];
GLint width=0, height=0, depth=1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -126,7 +131,8 @@ int __glXDisp_GetTexImage(__GLXclientSta
* are illegal, but then width, height, and depth would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -162,6 +168,8 @@ int __glXDisp_GetPolygonStipple(__GLXcli
GLubyte answerBuffer[200];
char *answer;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -200,6 +208,8 @@ int __glXDisp_GetSeparableFilter(__GLXcl
char *answer, answerBuffer[200];
GLint width=0, height=0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -223,13 +233,13 @@ int __glXDisp_GetSeparableFilter(__GLXcl
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
- if (compsize < 0) compsize = 0;
- if (compsize2 < 0) compsize2 = 0;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
+ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(
*(GLenum *)(pc + 0),
@@ -265,6 +275,8 @@ int __glXDisp_GetConvolutionFilter(__GLX
char *answer, answerBuffer[200];
GLint width=0, height=0;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -287,7 +299,8 @@ int __glXDisp_GetConvolutionFilter(__GLX
* are illegal, but then width and height would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -324,6 +337,8 @@ int __glXDisp_GetHistogram(__GLXclientSt
char *answer, answerBuffer[200];
GLint width=0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -342,7 +357,8 @@ int __glXDisp_GetHistogram(__GLXclientSt
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -371,6 +387,7 @@ int __glXDisp_GetMinmax(__GLXclientState
ClientPtr client = cl->client;
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -385,7 +402,8 @@ int __glXDisp_GetMinmax(__GLXclientState
reset = *(GLboolean *)(pc + 13);
compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -414,6 +432,7 @@ int __glXDisp_GetColorTable(__GLXclientS
int error;
char *answer, answerBuffer[200];
GLint width=0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -432,7 +451,8 @@ int __glXDisp_GetColorTable(__GLXclientS
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4 Sat Jan 19 14:59:54 2002
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c Thu Dec 11 09:46:16 2014
@@ -54,6 +54,8 @@ int __glXDispSwap_ReadPixels(__GLXclient
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -75,7 +77,8 @@ int __glXDispSwap_ReadPixels(__GLXclient
swapBytes = *(GLboolean *)(pc + 24);
lsbFirst = *(GLboolean *)(pc + 25);
compsize = __glReadPixels_size(format,type,width,height);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -116,6 +119,8 @@ int __glXDispSwap_GetTexImage(__GLXclien
char *answer, answerBuffer[200];
GLint width=0, height=0, depth=1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -144,7 +149,8 @@ int __glXDispSwap_GetTexImage(__GLXclien
* are illegal, but then width, height, and depth would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -186,6 +192,8 @@ int __glXDispSwap_GetPolygonStipple(__GL
char *answer;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -225,6 +233,8 @@ int __glXDispSwap_GetSeparableFilter(__G
__GLX_DECLARE_SWAP_VARIABLES;
char *answer, answerBuffer[200];
GLint width=0, height=0;
+
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -253,13 +263,13 @@ int __glXDispSwap_GetSeparableFilter(__G
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
- if (compsize < 0) compsize = 0;
- if (compsize2 < 0) compsize2 = 0;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
+ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(
*(GLenum *)(pc + 0),
@@ -297,6 +307,8 @@ int __glXDispSwap_GetConvolutionFilter(_
__GLX_DECLARE_SWAP_VARIABLES;
char *answer, answerBuffer[200];
GLint width=0, height=0;
+
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -324,7 +336,8 @@ int __glXDispSwap_GetConvolutionFilter(_
* are illegal, but then width and height would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -363,6 +376,8 @@ int __glXDispSwap_GetHistogram(__GLXclie
__GLX_DECLARE_SWAP_VARIABLES;
char *answer, answerBuffer[200];
GLint width=0;
+
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -386,7 +401,8 @@ int __glXDispSwap_GetHistogram(__GLXclie
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -417,6 +433,8 @@ int __glXDispSwap_GetMinmax(__GLXclientS
int error;
__GLX_DECLARE_SWAP_VARIABLES;
char *answer, answerBuffer[200];
+
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -435,7 +453,8 @@ int __glXDispSwap_GetMinmax(__GLXclientS
reset = *(GLboolean *)(pc + 13);
compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -465,6 +484,8 @@ int __glXDispSwap_GetColorTable(__GLXcli
__GLX_DECLARE_SWAP_VARIABLES;
char *answer, answerBuffer[200];
GLint width=0;
+
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -487,7 +508,8 @@ int __glXDispSwap_GetColorTable(__GLXcli
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
Index: xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c:1.2 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c:1.3
--- xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c:1.2 Tue Apr 3 20:07:50 2007
+++ xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c Thu Dec 11 09:46:16 2014
@@ -224,6 +224,7 @@ SProcXCMiscGetXIDList(client)
{
register int n;
REQUEST(xXCMiscGetXIDListReq);
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
swaps(&stuff->length, n);
swapl(&stuff->count, n);
Index: xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.2
--- xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5 Fri Mar 5 14:27:40 2004
+++ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c Thu Dec 11 09:46:16 2014
@@ -1342,6 +1342,7 @@ SProcXvQueryExtension(ClientPtr client)
{
register char n;
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length, n);
return ProcXvQueryExtension(client);
}
@@ -1351,6 +1352,7 @@ SProcXvQueryAdaptors(ClientPtr client)
{
register char n;
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return ProcXvQueryAdaptors(client);
@@ -1361,6 +1363,7 @@ SProcXvQueryEncodings(ClientPtr client)
{
register char n;
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvQueryEncodings(client);
@@ -1371,6 +1374,7 @@ SProcXvGrabPort(ClientPtr client)
{
register char n;
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1382,6 +1386,7 @@ SProcXvUngrabPort(ClientPtr client)
{
register char n;
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1393,6 +1398,7 @@ SProcXvPutVideo(ClientPtr client)
{
register char n;
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1413,6 +1419,7 @@ SProcXvPutStill(ClientPtr client)
{
register char n;
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1433,6 +1440,7 @@ SProcXvGetVideo(ClientPtr client)
{
register char n;
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1453,6 +1461,7 @@ SProcXvGetStill(ClientPtr client)
{
register char n;
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1473,6 +1482,7 @@ SProcXvPutImage(ClientPtr client)
{
register char n;
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1497,6 +1507,7 @@ SProcXvShmPutImage(ClientPtr client)
{
register char n;
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1524,6 +1535,7 @@ SProcXvSelectVideoNotify(ClientPtr clien
{
register char n;
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->drawable, n);
return ProcXvSelectVideoNotify(client);
@@ -1534,6 +1546,7 @@ SProcXvSelectPortNotify(ClientPtr client
{
register char n;
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvSelectPortNotify(client);
@@ -1544,6 +1557,7 @@ SProcXvStopVideo(ClientPtr client)
{
register char n;
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1555,6 +1569,7 @@ SProcXvSetPortAttribute(ClientPtr client
{
register char n;
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1566,6 +1581,7 @@ SProcXvGetPortAttribute(ClientPtr client
{
register char n;
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1577,6 +1593,7 @@ SProcXvQueryBestSize(ClientPtr client)
{
register char n;
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swaps(&stuff->vid_w, n);
@@ -1591,6 +1608,7 @@ SProcXvQueryPortAttributes(ClientPtr cli
{
register char n;
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvQueryPortAttributes(client);
@@ -1601,6 +1619,7 @@ SProcXvQueryImageAttributes(ClientPtr cl
{
register char n;
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->id, n);
swaps(&stuff->width, n);
@@ -1613,6 +1632,7 @@ SProcXvListImageFormats(ClientPtr client
{
register char n;
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvListImageFormats(client);
Index: xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c
diff -u xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c:1.2
--- xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c:1.1.1.4 Sat Jan 19 15:01:32 2002
+++ xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c Thu Dec 11 09:46:16 2014
@@ -83,7 +83,7 @@ SProcXChangeDeviceControl(client)
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control, n);
return(ProcXChangeDeviceControl(client));
}
@@ -107,7 +107,7 @@ ProcXChangeDeviceControl(client)
CARD32 *resolution;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
dev = LookupDeviceIntRec (stuff->deviceid);
Index: xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c
diff -u xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c:1.2
--- xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c:1.1.1.4 Sat Jan 19 15:01:32 2002
+++ xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c Thu Dec 11 09:46:16 2014
@@ -156,6 +156,8 @@ ProcXChangeFeedbackControl(client)
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped)
{
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
swaps(&f->num_keysyms,n);
}
if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
Index: xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c
diff -u xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.2
--- xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4 Sat Jan 19 15:01:35 2002
+++ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c Thu Dec 11 09:46:16 2014
@@ -149,6 +149,9 @@ ProcXSendExtensionEvent (client)
return Success;
}
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
Index: xsrc/xfree/xc/programs/Xserver/dbe/dbe.c
diff -u xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.3
--- xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2 Wed Jan 10 17:08:24 2007
+++ xsrc/xfree/xc/programs/Xserver/dbe/dbe.c Thu Dec 11 09:46:16 2014
@@ -50,6 +50,8 @@
#include "xf86_ansic.h"
#endif
+#include <stdint.h>
+
/* GLOBALS */
/* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
@@ -716,8 +718,8 @@ ProcDbeSwapBuffers(client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
@@ -725,11 +727,13 @@ ProcDbeSwapBuffers(client)
if (nStuff == 0)
{
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return(Success);
}
if (nStuff > (CARD32)(-1L) / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
@@ -1280,7 +1284,7 @@ SProcDbeSwapBuffers(client)
ClientPtr client;
{
REQUEST(xDbeSwapBuffersReq);
- register int i, n;
+ unsigned int i, n;
xDbeSwapInfo *pSwapInfo;
@@ -1288,6 +1292,9 @@ SProcDbeSwapBuffers(client)
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n, n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0)
{
Index: xsrc/xfree/xc/programs/Xserver/dix/dispatch.c
diff -u xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7 xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.2
--- xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7 Fri Mar 18 13:10:48 2005
+++ xsrc/xfree/xc/programs/Xserver/dix/dispatch.c Thu Dec 11 09:46:16 2014
@@ -111,6 +111,8 @@ int ProcInitialConnection();
#include "lbxserve.h"
#endif
+#include <stdint.h>
+
#define mskcnt ((MAXCLIENTS + 31) / 32)
#define BITMASK(i) (1U << ((i) & 31))
#define MASKIDX(i) ((i) >> 5)
@@ -2073,6 +2075,9 @@ ProcPutImage(client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
+
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
Index: xsrc/xfree/xc/programs/Xserver/include/dix.h
diff -u xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/include/dix.h:1.2
--- xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6 Fri Mar 5 14:29:36 2004
+++ xsrc/xfree/xc/programs/Xserver/include/dix.h Thu Dec 11 09:46:17 2014
@@ -71,9 +71,14 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ (((n) >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
Index: xsrc/xfree/xc/programs/Xserver/include/misc.h
diff -u xsrc/xfree/xc/programs/Xserver/include/misc.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/include/misc.h:1.2
--- xsrc/xfree/xc/programs/Xserver/include/misc.h:1.1.1.6 Fri Mar 18 13:13:06 2005
+++ xsrc/xfree/xc/programs/Xserver/include/misc.h Thu Dec 11 09:46:17 2014
@@ -193,6 +193,36 @@ typedef struct _xReq *xReqPtr;
#endif
+/**
+ * Calculate the number of bytes needed to hold bits.
+ * @param bits The minimum number of bits needed.
+ * @return The number of bytes needed to hold bits.
+ */
+static inline int
+bits_to_bytes(const int bits) {
+ return ((bits + 7) >> 3);
+}
+/**
+ * Calculate the number of 4-byte units needed to hold the given number of
+ * bytes.
+ * @param bytes The minimum number of bytes needed.
+ * @return The number of 4-byte units needed to hold bytes.
+ */
+static inline int
+bytes_to_int32(const int bytes) {
+ return (((bytes) + 3) >> 2);
+}
+
+/**
+ * Calculate the number of bytes (in multiples of 4) needed to hold bytes.
+ * @param bytes The minimum number of bytes needed.
+ * @return The closest multiple of 4 that is equal or higher than bytes.
+ */
+static inline int
+pad_to_int32(const int bytes) {
+ return (((bytes) + 3) & ~3);
+}
+
/* some macros to help swap requests, replies, and events */
#define LengthRestB(stuff) \
Index: xsrc/xfree/xc/programs/Xserver/os/access.c
diff -u xsrc/xfree/xc/programs/Xserver/os/access.c:1.6 xsrc/xfree/xc/programs/Xserver/os/access.c:1.7
--- xsrc/xfree/xc/programs/Xserver/os/access.c:1.6 Fri Mar 18 14:55:16 2005
+++ xsrc/xfree/xc/programs/Xserver/os/access.c Thu Dec 11 09:46:17 2014
@@ -1557,6 +1557,10 @@ GetHosts (
{
nHosts++;
n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
+ if (n >= 1048576)
+ break;
}
if (n)
{
@@ -1568,6 +1572,8 @@ GetHosts (
for (host = validhosts; host; host = host->next)
{
len = host->len;
+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
+ break;
((xHostEntry *)ptr)->family = host->family;
((xHostEntry *)ptr)->length = len;
ptr += sizeof(xHostEntry);
Index: xsrc/xfree/xc/programs/Xserver/os/rpcauth.c
diff -u xsrc/xfree/xc/programs/Xserver/os/rpcauth.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/os/rpcauth.c:1.2
--- xsrc/xfree/xc/programs/Xserver/os/rpcauth.c:1.1.1.5 Fri Mar 5 14:29:43 2004
+++ xsrc/xfree/xc/programs/Xserver/os/rpcauth.c Thu Dec 11 09:46:17 2014
@@ -74,6 +74,10 @@ authdes_ezdecode(char *inmsg, int len)
SVCXPRT xprt;
temp_inmsg = (char *) xalloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *)&msg, 0, sizeof(msg));
Index: xsrc/xfree/xc/programs/Xserver/randr/randr.c
diff -u xsrc/xfree/xc/programs/Xserver/randr/randr.c:1.1.1.3 xsrc/xfree/xc/programs/Xserver/randr/randr.c:1.2
--- xsrc/xfree/xc/programs/Xserver/randr/randr.c:1.1.1.3 Fri Mar 5 14:29:43 2004
+++ xsrc/xfree/xc/programs/Xserver/randr/randr.c Thu Dec 11 09:46:17 2014
@@ -1035,6 +1035,7 @@ SProcRRQueryVersion (ClientPtr client)
register int n;
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
swapl(&stuff->minorVersion, n);
@@ -1047,6 +1048,7 @@ SProcRRGetScreenInfo (ClientPtr client)
register int n;
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return ProcRRGetScreenInfo(client);
@@ -1082,6 +1084,7 @@ SProcRRSelectInput (ClientPtr client)
register int n;
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return ProcRRSelectInput(client);
Index: xsrc/xfree/xc/programs/Xserver/render/render.c
diff -u xsrc/xfree/xc/programs/Xserver/render/render.c:1.3 xsrc/xfree/xc/programs/Xserver/render/render.c:1.4
--- xsrc/xfree/xc/programs/Xserver/render/render.c:1.3 Wed Jan 10 17:08:24 2007
+++ xsrc/xfree/xc/programs/Xserver/render/render.c Thu Dec 11 09:46:17 2014
@@ -253,11 +253,11 @@ ProcRenderQueryVersion (ClientPtr client
xRenderQueryVersionReply rep;
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -1831,6 +1831,7 @@ SProcRenderQueryVersion (ClientPtr clien
{
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
@@ -1843,6 +1844,7 @@ SProcRenderQueryPictFormats (ClientPtr c
{
register int n;
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -1852,6 +1854,7 @@ SProcRenderQueryPictIndexValues (ClientP
{
register int n;
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length, n);
swapl(&stuff->format, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -1868,6 +1871,7 @@ SProcRenderCreatePicture (ClientPtr clie
{
register int n;
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->pid, n);
swapl(&stuff->drawable, n);
@@ -1882,6 +1886,7 @@ SProcRenderChangePicture (ClientPtr clie
{
register int n;
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
swapl(&stuff->mask, n);
@@ -1894,6 +1899,7 @@ SProcRenderSetPictureClipRectangles (Cli
{
register int n;
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
SwapRestS(stuff);
@@ -1905,6 +1911,7 @@ SProcRenderFreePicture (ClientPtr client
{
register int n;
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -1915,6 +1922,7 @@ SProcRenderComposite (ClientPtr client)
{
register int n;
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->mask, n);
@@ -1935,6 +1943,7 @@ SProcRenderScale (ClientPtr client)
{
register int n;
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->dst, n);
@@ -2040,6 +2049,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli
{
register int n;
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->format, n);
@@ -2051,6 +2061,7 @@ SProcRenderReferenceGlyphSet (ClientPtr
{
register int n;
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->existing, n);
@@ -2062,6 +2073,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien
{
register int n;
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2076,6 +2088,7 @@ SProcRenderAddGlyphs (ClientPtr client)
void *end;
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
swapl(&stuff->nglyphs, n);
@@ -2112,6 +2125,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
SwapRestL(stuff);
@@ -2130,6 +2144,7 @@ SProcRenderCompositeGlyphs (ClientPtr cl
int size;
REQUEST(xRenderCompositeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
switch (stuff->renderReqType) {
default: size = 1; break;
