Module Name: xsrc Committed By: martin Date: Thu Dec 11 13:33:15 UTC 2014
Modified Files: xsrc/xfree/xc/programs/Xserver/GL/glx [netbsd-7]: glxcmds.c glxcmdsswap.c glxserver.h rensize.c single2.c single2swap.c singlepix.c singlepixswap.c unpack.h xsrc/xfree/xc/programs/Xserver/Xext [netbsd-7]: xcmisc.c xvdisp.c xsrc/xfree/xc/programs/Xserver/Xi [netbsd-7]: chgdctl.c chgfctl.c sendexev.c xsrc/xfree/xc/programs/Xserver/dbe [netbsd-7]: dbe.c xsrc/xfree/xc/programs/Xserver/dix [netbsd-7]: dispatch.c xsrc/xfree/xc/programs/Xserver/include [netbsd-7]: dix.h misc.h xsrc/xfree/xc/programs/Xserver/os [netbsd-7]: access.c rpcauth.c xsrc/xfree/xc/programs/Xserver/randr [netbsd-7]: randr.c xsrc/xfree/xc/programs/Xserver/render [netbsd-7]: render.c Log Message: Pull up following revision(s) (requested by mrg in ticket #308): xfree/xc/programs/Xserver/dix/dispatch.c: revision 1.2 xfree/xc/programs/Xserver/Xext/xvdisp.c: revision 1.2 xfree/xc/programs/Xserver/include/misc.h: revision 1.2 xfree/xc/programs/Xserver/render/render.c: revision 1.4 xfree/xc/programs/Xserver/GL/glx/singlepixswap.c: revision 1.2 xfree/xc/programs/Xserver/Xi/sendexev.c: revision 1.2 xfree/xc/programs/Xserver/include/dix.h: revision 1.2 xfree/xc/programs/Xserver/os/access.c: revision 1.7 xfree/xc/programs/Xserver/GL/glx/glxserver.h: revision 1.2 xfree/xc/programs/Xserver/GL/glx/rensize.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/unpack.h: revision 1.2 xfree/xc/programs/Xserver/GL/glx/singlepix.c: revision 1.2 xfree/xc/programs/Xserver/Xi/chgfctl.c: revision 1.2 xfree/xc/programs/Xserver/Xi/chgdctl.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/glxcmds.c: revision 1.2 xfree/xc/programs/Xserver/Xext/xcmisc.c: revision 1.3 xfree/xc/programs/Xserver/randr/randr.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c: revision 1.2 xfree/xc/programs/Xserver/os/rpcauth.c: revision 1.2 xfree/xc/programs/Xserver/dbe/dbe.c: revision 1.3 xfree/xc/programs/Xserver/GL/glx/single2.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/single2swap.c: revision 1.2 pull over from xorg-server, porting as necessary. - -- apply fixes for: X.Org Security Advisory: Dec. 9, 2014 Protocol handling issues in X Window System servers backported to 1.10.x by myself. included are fixes for: denial of service due to unchecked malloc in client authentication CVE-2014-8091 integer overflows calculating memory needs for requests CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 out of bounds access due to not validating length or offset values in requests CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103 - -- apply two more parts of CVE-2014-8092: Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] - -- To generate a diff of this commit: cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h cvs rdiff -u -r1.1.1.7 -r1.1.1.7.24.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.38.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.38.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c cvs rdiff -u -r1.2 -r1.2.18.1 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.36.1 \ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.38.1 \ xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c \ xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c \ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c cvs rdiff -u -r1.2 -r1.2.18.1 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c cvs rdiff -u -r1.1.1.7 -r1.1.1.7.24.1 \ xsrc/xfree/xc/programs/Xserver/dix/dispatch.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.36.1 \ xsrc/xfree/xc/programs/Xserver/include/dix.h cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 \ xsrc/xfree/xc/programs/Xserver/include/misc.h cvs rdiff -u -r1.6 -r1.6.24.1 xsrc/xfree/xc/programs/Xserver/os/access.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.36.1 \ xsrc/xfree/xc/programs/Xserver/os/rpcauth.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.36.1 \ xsrc/xfree/xc/programs/Xserver/randr/randr.c cvs rdiff -u -r1.3 -r1.3.18.1 xsrc/xfree/xc/programs/Xserver/render/render.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c:1.1.1.6 Fri Mar 18 13:09:55 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c Thu Dec 11 13:33:15 2014 @@ -1427,7 +1427,7 @@ int __glXRender(__GLXclientState *cl, GL left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData *entry; - int extra; + int extra = 0; void (* proc)(GLbyte *); /* @@ -1464,22 +1464,19 @@ int __glXRender(__GLXclientState *cl, GL client->errorValue = commandsDone; return __glXBadRenderRequest; } + if (cmdlen < entry->bytes) { + return BadLength; + } if (entry->varsize) { /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { - extra = 0; - } - if (cmdlen != __GLX_PAD(entry->bytes + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry->bytes)) { return BadLength; } } - if (left < cmdlen) { + + if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { return BadLength; } @@ -1513,6 +1510,8 @@ int __glXRenderLarge(__GLXclientState *c int error; CARD16 opcode; + REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); + /* ** NOTE: much of this code also appears in the byteswapping version of this ** routine, __glXSwapRenderLarge(). Any changes made here should also be @@ -1526,12 +1525,14 @@ int __glXRenderLarge(__GLXclientState *c __glXResetLargeCommandStatus(cl); return error; } + if (safe_pad(req->dataBytes) < 0) + return BadLength; dataBytes = req->dataBytes; /* ** Check the request length. */ - if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { + if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { client->errorValue = req->length; /* Reset in case this isn't 1st request. */ __glXResetLargeCommandStatus(cl); @@ -1541,7 +1542,9 @@ int __glXRenderLarge(__GLXclientState *c if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData *entry; - int extra, cmdlen; + int cmdlen; + int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; /* ** This is the first request of a multi request command. ** Make enough space in the buffer, then copy the entire request. @@ -1551,9 +1554,16 @@ int __glXRenderLarge(__GLXclientState *c return __glXBadLargeRequest; } + if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) + return BadLength; + hdr = (__GLXrenderLargeHeader *) pc; - cmdlen = hdr->length; opcode = hdr->opcode; + if ((cmdlen = safe_pad(hdr->length)) < 0) + return BadLength; + + if (left < cmdlen) + return BadLength; /* ** Check for core opcodes and grab entry data. @@ -1583,20 +1593,18 @@ int __glXRenderLarge(__GLXclientState *c ** be computed from its parameters), all the parameters needed ** will be in the 1st request, so it's okay to do this. */ - extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); + extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False, + left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { - extra = 0; - } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry->bytes + 4)) { return BadLength; } } + + /* the +4 is safe because we know entry.bytes is small */ + if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) { + return BadLength; + } + /* ** Make enough space in the buffer, then copy the entire request. */ @@ -1625,6 +1633,7 @@ int __glXRenderLarge(__GLXclientState *c ** We are receiving subsequent (i.e. not the first) requests of a ** multi request command. */ + int bytesSoFar; /* including this packet */ /* ** Check the request number and the total request count. @@ -1643,11 +1652,18 @@ int __glXRenderLarge(__GLXclientState *c /* ** Check that we didn't get too much data. */ - if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { + if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXBadLargeRequest; } + + if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXBadLargeRequest; + } + __glXMemcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes); cl->largeCmdBytesSoFar += dataBytes; cl->largeCmdRequestsSoFar++; @@ -1657,17 +1673,16 @@ int __glXRenderLarge(__GLXclientState *c ** This is the last request; it must have enough bytes to complete ** the command. */ - /* NOTE: the two pad macros have been added below; they are needed - ** because the client library pads the total byte count, but not - ** the per-request byte counts. The Protocol Encoding says the - ** total byte count should not be padded, so a proposal will be - ** made to the ARB to relax the padding constraint on the total - ** byte count, thus preserving backward compatibility. Meanwhile, - ** the padding done below fixes a bug that did not allow - ** large commands of odd sizes to be accepted by the server. + /* NOTE: the pad macro below is needed because the client library + ** pads the total byte count, but not the per-request byte counts. + ** The Protocol Encoding says the total byte count should not be + ** padded, so a proposal will be made to the ARB to relax the + ** padding constraint on the total byte count, thus preserving + ** backward compatibility. Meanwhile, the padding done below + ** fixes a bug that did not allow large commands of odd sizes to + ** be accepted by the server. */ - if (__GLX_PAD(cl->largeCmdBytesSoFar) != - __GLX_PAD(cl->largeCmdBytesTotal)) { + if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXBadLargeRequest; Index: xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c:1.1.1.6 Fri Mar 18 13:09:55 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c Thu Dec 11 13:33:15 2014 @@ -494,7 +494,7 @@ int __glXSwapRender(__GLXclientState *cl left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData *entry; - int extra; + int extra = 0; void (* proc)(GLbyte *); /* @@ -527,22 +527,20 @@ int __glXSwapRender(__GLXclientState *cl client->errorValue = commandsDone; return __glXBadRenderRequest; } + if (cmdlen < entry->bytes) { + return BadLength; + } if (entry->varsize) { /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { extra = 0; - } - if (cmdlen != __GLX_PAD(entry->bytes + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry->bytes)) { return BadLength; } } - if (left < cmdlen) { + + if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { return BadLength; } @@ -577,6 +575,8 @@ int __glXSwapRenderLarge(__GLXclientStat CARD16 opcode; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); + /* ** NOTE: much of this code also appears in the nonswapping version of this ** routine, __glXRenderLarge(). Any changes made here should also be @@ -600,7 +600,7 @@ int __glXSwapRenderLarge(__GLXclientStat /* ** Check the request length. */ - if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { + if ((req->length << 2) != safe_pad(safe_add(dataBytes, sz_xGLXRenderLargeReq))) { client->errorValue = req->length; /* Reset in case this isn't 1st request. */ __glXResetLargeCommandStatus(cl); @@ -610,7 +610,8 @@ int __glXSwapRenderLarge(__GLXclientStat if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData *entry; - int extra; + int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; size_t cmdlen; /* ** This is the first request of a multi request command. @@ -647,26 +648,29 @@ int __glXSwapRenderLarge(__GLXclientStat client->errorValue = opcode; return __glXBadLargeRequest; } + + if (cmdlen < entry->bytes) { + return BadLength; + } + if (entry->varsize) { /* ** If it's a variable-size command (a command whose length must ** be computed from its parameters), all the parameters needed ** will be in the 1st request, so it's okay to do this. */ - extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); + extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { - extra = 0; - } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry->bytes + 4)) { return BadLength; } } + + /* the +4 is safe because we know entry.bytes is small */ + if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) { + return BadLength; + } + /* ** Make enough space in the buffer, then copy the entire request. */ @@ -694,6 +698,7 @@ int __glXSwapRenderLarge(__GLXclientStat ** We are receiving subsequent (i.e. not the first) requests of a ** multi request command. */ + int bytesSoFar; /* including this packet */ /* ** Check the request number and the total request count. @@ -712,11 +717,18 @@ int __glXSwapRenderLarge(__GLXclientStat /* ** Check that we didn't get too much data. */ - if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { + if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXBadLargeRequest; } + + if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXBadLargeRequest; + } + __glXMemcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes); cl->largeCmdBytesSoFar += dataBytes; cl->largeCmdRequestsSoFar++; @@ -726,17 +738,16 @@ int __glXSwapRenderLarge(__GLXclientStat ** This is the last request; it must have enough bytes to complete ** the command. */ - /* NOTE: the two pad macros have been added below; they are needed - ** because the client library pads the total byte count, but not - ** the per-request byte counts. The Protocol Encoding says the - ** total byte count should not be padded, so a proposal will be - ** made to the ARB to relax the padding constraint on the total - ** byte count, thus preserving backward compatibility. Meanwhile, - ** the padding done below fixes a bug that did not allow - ** large commands of odd sizes to be accepted by the server. + /* NOTE: the pad macro below is needed because the client library + ** pads the total byte count, but not the per-request byte counts. + ** The Protocol Encoding says the total byte count should not be + ** padded, so a proposal will be made to the ARB to relax the + ** padding constraint on the total byte count, thus preserving + ** backward compatibility. Meanwhile, the padding done below + ** fixes a bug that did not allow large commands of odd sizes to + ** be accepted by the server. */ - if (__GLX_PAD(cl->largeCmdBytesSoFar) != - __GLX_PAD(cl->largeCmdBytesTotal)) { + if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXBadLargeRequest; @@ -793,10 +804,12 @@ int __glXSwapRenderLarge(__GLXclientStat int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req; GLint vendorcode; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); req = (xGLXVendorPrivateReq *) pc; __GLX_SWAP_SHORT(&req->length); @@ -831,10 +844,12 @@ int __glXSwapVendorPrivate(__GLXclientSt int __glXSwapVendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req; GLint vendorcode; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); req = (xGLXVendorPrivateWithReplyReq *) pc; __GLX_SWAP_SHORT(&req->length); Index: xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h:1.1.1.6 Fri Mar 18 13:09:55 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h Thu Dec 11 13:33:15 2014 @@ -174,7 +174,7 @@ extern __GLXprocPtr __glXProcTable[]; */ typedef struct { int bytes; - int (*varsize)(GLbyte *pc, Bool swap); + int (*varsize)(GLbyte *pc, Bool swap, int reqlen); } __GLXrenderSizeData; extern __GLXrenderSizeData __glXRenderSizeTable[]; extern __GLXrenderSizeData __glXRenderSizeTable_EXT[]; @@ -220,6 +220,49 @@ extern void glxSwapQueryServerStringRepl * Routines for computing the size of variably-sized rendering commands. */ +#define _X_INLINE __inline__ + +static _X_INLINE int +safe_add(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (INT_MAX - a < b) + return -1; + + return a + b; +} + +static _X_INLINE int +safe_mul(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (a == 0 || b == 0) + return 0; + + if (a > INT_MAX / b) + return -1; + + return a * b; +} + +static _X_INLINE int +safe_pad(int a) +{ + int ret; + + if (a < 0) + return -1; + + if ((ret = safe_add(a, 3)) < 0) + return -1; + + return ret & (GLuint)~3; +} + extern int __glXTypeSize(GLenum enm); extern int __glXImageSize(GLenum format, GLenum type, GLsizei w, GLsizei h, GLint rowLength, GLint skipRows, GLint alignment); @@ -229,48 +272,48 @@ extern int __glXImage3DSize(GLenum forma GLint skipImages, GLint skipRows, GLint alignment); -extern int __glXCallListsReqSize(GLbyte *pc, Bool swap); -extern int __glXBitmapReqSize(GLbyte *pc, Bool swap); -extern int __glXFogfvReqSize(GLbyte *pc, Bool swap); -extern int __glXFogivReqSize(GLbyte *pc, Bool swap); -extern int __glXLightfvReqSize(GLbyte *pc, Bool swap); -extern int __glXLightivReqSize(GLbyte *pc, Bool swap); -extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap); -extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap); -extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap); -extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap); -extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap); -extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap); -extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap); -extern int __glXMap1dReqSize(GLbyte *pc, Bool swap); -extern int __glXMap1fReqSize(GLbyte *pc, Bool swap); -extern int __glXMap2dReqSize(GLbyte *pc, Bool swap); -extern int __glXMap2fReqSize(GLbyte *pc, Bool swap); -extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap); -extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap); -extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap); -extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap); -extern int __glXDrawArraysSize(GLbyte *pc, Bool swap); -extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap); -extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ); -extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap); -extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap); -extern int __glXColorTableReqSize(GLbyte *pc, Bool swap); -extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap); -extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap); -extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap); +extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swa, int reqlenp); +extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap , int reqlen); +extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); /* * Routines for computing the size of returned data. @@ -280,7 +323,7 @@ extern int __glXConvolutionParameterfvSi extern int __glXColorTableParameterfvSize(GLenum pname); extern int __glXColorTableParameterivSize(GLenum pname); -extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap); -extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap); +extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); #endif /* !__GLX_server_h__ */ Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6 Fri Mar 18 13:09:56 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c Thu Dec 11 13:33:15 2014 @@ -44,11 +44,14 @@ int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -74,10 +77,13 @@ int __glXDisp_FeedbackBuffer(__GLXclient int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -102,7 +108,7 @@ int __glXDisp_SelectBuffer(__GLXclientSt int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) { - ClientPtr client; + ClientPtr client = cl->client; xGLXRenderModeReply reply; __GLXcontext *cx; GLint nitems=0, retBytes=0, retval, newModeCheck; @@ -110,6 +116,8 @@ int __glXDisp_RenderMode(__GLXclientStat GLenum newMode; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -184,7 +192,6 @@ int __glXDisp_RenderMode(__GLXclientStat ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply.length = nitems; reply.type = X_Reply; reply.sequenceNumber = client->sequence; @@ -200,9 +207,12 @@ int __glXDisp_RenderMode(__GLXclientStat int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -215,10 +225,12 @@ int __glXDisp_Flush(__GLXclientState *cl int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -298,7 +310,7 @@ char *__glXcombine_strings(const char *c int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; GLenum name; const char *string; @@ -307,6 +319,8 @@ int DoGetString(__GLXclientState *cl, GL char *buf = NULL, *buf1 = NULL; GLint length = 0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + /* If the client has the opposite byte order, swap the contextTag and * the name. */ @@ -323,7 +337,6 @@ int DoGetString(__GLXclientState *cl, GL pc += __GLX_SINGLE_HDR_SIZE; name = *(GLenum *)(pc + 0); string = (const char *)glGetString(name); - client = cl->client; /* ** Restrict extensions to those that are supported by both the Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6 Fri Mar 18 13:09:56 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c Thu Dec 11 13:33:15 2014 @@ -44,12 +44,15 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; __GLX_DECLARE_SWAP_VARIABLES; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -78,11 +81,14 @@ int __glXDispSwap_FeedbackBuffer(__GLXcl int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; __GLX_DECLARE_SWAP_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -109,7 +115,7 @@ int __glXDispSwap_SelectBuffer(__GLXclie int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; xGLXRenderModeReply reply; GLint nitems=0, retBytes=0, retval, newModeCheck; @@ -119,6 +125,8 @@ int __glXDispSwap_RenderMode(__GLXclient __GLX_DECLARE_SWAP_ARRAY_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -197,7 +205,6 @@ int __glXDispSwap_RenderMode(__GLXclient ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply.length = nitems; reply.type = X_Reply; reply.sequenceNumber = client->sequence; @@ -218,10 +225,13 @@ int __glXDispSwap_RenderMode(__GLXclient int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -235,11 +245,13 @@ int __glXDispSwap_Flush(__GLXclientState int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -251,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientStat __GLX_NOTE_FLUSHED_CMDS(cx); /* Send empty reply packet to indicate finish is finished */ - client = cl->client; __GLX_BEGIN_REPLY(0); __GLX_PUT_RETVAL(0); __GLX_SWAP_REPLY_HEADER(); Index: xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h:1.1.1.6 Fri Mar 18 13:09:56 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h Thu Dec 11 13:33:15 2014 @@ -85,7 +85,8 @@ extern xGLXSingleReply __glXReply; ** pointer. */ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ - if ((size) > sizeof(answerBuffer)) { \ + if (size < 0) return BadLength; \ + else if ((size) > sizeof(answerBuffer)) { \ int bump; \ if ((cl)->returnBufSize < (size)+(align)) { \ (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \ Index: xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c:1.1.1.7 xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c:1.1.1.7.24.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c:1.1.1.7 Fri Mar 18 13:09:55 2005 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c Thu Dec 11 13:33:15 2014 @@ -44,7 +44,7 @@ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) -int __glXCallListsReqSize(GLbyte *pc, Bool swap ) +int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLsizei n = *(GLsizei *)(pc + 0); GLenum type = *(GLenum *)(pc + 4); @@ -56,7 +56,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bo return __glCallLists_size( n, type ); /* defined in samplegl lib */ } -int __glXFogivReqSize(GLbyte *pc, Bool swap ) +int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -65,12 +65,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool s return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ } -int __glXFogfvReqSize(GLbyte *pc, Bool swap ) +int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXFogivReqSize( pc, swap ); + return __glXFogivReqSize( pc, swap, reqlen ); } -int __glXLightfvReqSize(GLbyte *pc, Bool swap ) +int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -79,12 +79,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ } -int __glXLightivReqSize(GLbyte *pc, Bool swap ) +int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXLightfvReqSize( pc, swap ); + return __glXLightfvReqSize( pc, swap, reqlen ); } -int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) +int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -93,12 +93,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ } -int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) +int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXLightModelfvReqSize( pc, swap ); + return __glXLightModelfvReqSize( pc, swap, reqlen ); } -int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) +int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -107,12 +107,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, B return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ } -int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) +int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXMaterialfvReqSize( pc, swap ); + return __glXMaterialfvReqSize( pc, swap, reqlen ); } -int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) +int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -121,7 +121,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Boo return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ } -int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -130,12 +130,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Boo return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) +int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXTexGenfvReqSize( pc, swap ); + return __glXTexGenfvReqSize( pc, swap, reqlen ); } -int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -144,12 +144,12 @@ int __glXTexParameterfvReqSize(GLbyte *p return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXTexParameterfvReqSize( pc, swap ); + return __glXTexParameterfvReqSize( pc, swap, reqlen ); } -int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -158,21 +158,21 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Boo return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) +int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXTexEnvfvReqSize( pc, swap ); + return __glXTexEnvfvReqSize( pc, swap, reqlen ); } static int Map1Size( GLint k, GLint order) { if (order <= 0 || k < 0) return -1; - return k * order; + return safe_mul(k, order); } -int __glXMap1dReqSize(GLbyte *pc, Bool swap ) +int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum*) (pc + 16); order = *(GLint*) (pc + 20); @@ -180,14 +180,15 @@ int __glXMap1dReqSize(GLbyte *pc, Bool s target = SWAPL( target ); order = SWAPL( order ); } - k = __glEvalComputeK( target ); - return 8 * Map1Size( k, order ); + if (order < 1) + return -1; + return safe_mul(8, Map1Size(target, order)); } -int __glXMap1fReqSize(GLbyte *pc, Bool swap ) +int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum *)(pc + 0); order = *(GLint *)(pc + 12); @@ -195,20 +196,22 @@ int __glXMap1fReqSize(GLbyte *pc, Bool s target = SWAPL( target ); order = SWAPL( order ); } - k = __glEvalComputeK(target); - return 4 * Map1Size(k, order); + if (order < 1) + return -1; + return safe_mul(4, Map1Size(target, order)); } static int Map2Size(int k, int majorOrder, int minorOrder) { - if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1; - return k * majorOrder * minorOrder; + if (majorOrder <= 0 || minorOrder <= 0 || k < 0) + return -1; + return safe_mul(k, safe_mul(majorOrder, minorOrder)); } -int __glXMap2dReqSize(GLbyte *pc, Bool swap ) +int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *)(pc + 32); uorder = *(GLint *)(pc + 36); @@ -218,14 +221,13 @@ int __glXMap2dReqSize(GLbyte *pc, Bool s uorder = SWAPL( uorder ); vorder = SWAPL( vorder ); } - k = __glEvalComputeK( target ); - return 8 * Map2Size( k, uorder, vorder ); + return safe_mul(8, Map2Size(__glEvalComputeK(target), uorder, vorder)); } -int __glXMap2fReqSize(GLbyte *pc, Bool swap ) +int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *)(pc + 0); uorder = *(GLint *)(pc + 12); @@ -235,11 +237,10 @@ int __glXMap2fReqSize(GLbyte *pc, Bool s uorder = SWAPL( uorder ); vorder = SWAPL( vorder ); } - k = __glEvalComputeK( target ); - return 4 * Map2Size( k, uorder, vorder ); + return safe_mul(4, Map2Size(__glEvalComputeK(target), uorder, vorder)); } -int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLint mapsize; mapsize = *(GLint *)(pc + 4); @@ -249,12 +250,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, B return 4 * mapsize; } -int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXPixelMapfvReqSize( pc, swap ); + return __glXPixelMapfvReqSize( pc, swap, reqlen ); } -int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLint mapsize; mapsize = *(GLint *)(pc + 4); @@ -281,12 +282,20 @@ int __glXImage3DSize( GLenum format, GLe GLint bytesPerElement, elementsPerGroup, groupsPerRow; GLint groupSize, rowSize, padding, imageSize; + if (w == 0 || h == 0 || d == 0) + return 0; + if (w < 0 || h < 0 || d < 0 || (type == GL_BITMAP && (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { return -1; } - if (w==0 || h==0 || d == 0) return 0; + + /* real data has to have real sizes */ + if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) + return -1; + if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) + return -1; if (type == GL_BITMAP) { if (rowLength > 0) { @@ -295,11 +304,13 @@ int __glXImage3DSize( GLenum format, GLe groupsPerRow = w; } rowSize = (groupsPerRow + 7) >> 3; + if (rowSize < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - return ((h + skipRows) * rowSize); + return safe_mul(safe_add(h, skipRows), rowSize); } else { switch(format) { case GL_COLOR_INDEX: @@ -380,28 +391,32 @@ int __glXImage3DSize( GLenum format, GLe default: return -1; } + /* known safe by the switches above, not checked */ groupSize = bytesPerElement * elementsPerGroup; if (rowLength > 0) { groupsPerRow = rowLength; } else { groupsPerRow = w; } - rowSize = groupsPerRow * groupSize; + if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - if (imageHeight > 0) { - imageSize = (imageHeight + skipRows) * rowSize; - } else { - imageSize = (h + skipRows) * rowSize; - } - return ((d + skipImages) * imageSize); + + if (imageHeight > 0) + h = imageHeight; + h = safe_add(h, skipRows); + + imageSize = safe_mul(h, rowSize); + + return safe_mul(safe_add(d, skipImages), imageSize); } } -int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) +int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; GLenum format = hdr->format; @@ -424,7 +439,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, B return __glXImageSize( format, type, w, h, rowLength, skipRows, alignment ); } -int __glXBitmapReqSize(GLbyte *pc, Bool swap ) +int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; GLint w = hdr->width; @@ -444,7 +459,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool rowLength, skipRows, alignment ); } -int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; GLenum target = hdr->target; @@ -472,7 +487,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, B return __glXImageSize( format, type, w, 1, rowLength, skipRows, alignment ); } -int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; GLenum target = hdr->target; @@ -518,13 +533,14 @@ int __glXTypeSize(GLenum enm) } } -int __glXDrawArraysSize( GLbyte *pc, Bool swap ) +int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { @@ -533,6 +549,13 @@ int __glXDrawArraysSize( GLbyte *pc, Boo } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i=0; i<numComponents; i++) { @@ -585,14 +608,14 @@ int __glXDrawArraysSize( GLbyte *pc, Boo (numVertexes * arrayElementSize)); } -int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap ) +int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLint n = *(GLsizei *)(pc + 0); if (swap) n = SWAPL(n); return(8*n); /* 4*n for textures, 4*n for priorities */ } -int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; GLenum format = hdr->format; @@ -613,7 +636,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc return __glXImageSize( format, type, w, 1, rowLength, skipRows, alignment ); } -int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; GLenum format = hdr->format; @@ -636,7 +659,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc return __glXImageSize( format, type, w, h, rowLength, skipRows, alignment ); } -int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; GLenum target = hdr->target; @@ -674,7 +697,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, B } } -int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchTexSubImage3DHeader *hdr = (__GLXdispatchTexSubImage3DHeader *) pc; @@ -712,7 +735,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc } } -int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -734,7 +757,7 @@ int __glXConvolutionFilter1DReqSize(GLby return __glXImageSize ( format, type, w, 1, rowLength, 0, alignment ); } -int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -779,7 +802,7 @@ int __glXConvolutionParameterfvSize(GLen return __glXConvolutionParameterivSize(pname); } -int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -788,12 +811,12 @@ int __glXConvolutionParameterivReqSize(G return 4 * __glXConvolutionParameterivSize( pname ); } -int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXConvolutionParameterivReqSize( pc, swap ); + return __glXConvolutionParameterivReqSize( pc, swap, reqlen ); } -int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) +int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -817,10 +840,9 @@ int __glXSeparableFilter2DReqSize(GLbyte /* XXX Should rowLength be used for either or both image? */ image1size = __glXImageSize ( format, type, w, 1, rowLength, 0, alignment ); - image1size = __GLX_PAD(image1size); image2size = __glXImageSize ( format, type, h, 1, rowLength, 0, alignment ); - return image1size + image2size; + return safe_add(safe_pad(image1size), image2size); } int __glXColorTableParameterfvSize(GLenum pname) @@ -841,7 +863,7 @@ int __glXColorTableParameterivSize(GLenu return __glXColorTableParameterfvSize(pname); } -int __glXColorTableReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchColorTableHeader *hdr = (__GLXdispatchColorTableHeader *) pc; @@ -875,7 +897,7 @@ int __glXColorTableReqSize(GLbyte *pc, B return __glXImageSize ( format, type, w, 1, rowLength, 0, alignment ); } -int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) +int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchColorSubTableHeader *hdr = (__GLXdispatchColorSubTableHeader *) pc; @@ -897,7 +919,7 @@ int __glXColorSubTableReqSize(GLbyte *pc return __glXImageSize ( format, type, count, 1, rowLength, 0, alignment ); } -int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -906,13 +928,13 @@ int __glXColorTableParameterfvReqSize(GL return 4 * __glXColorTableParameterfvSize(pname); } -int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen ) { /* no difference between fv and iv versions */ - return __glXColorTableParameterfvReqSize(pc, swap); + return __glXColorTableParameterfvReqSize(pc, swap, reqlen); } -int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) +int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -921,8 +943,8 @@ int __glXPointParameterfvARBReqSize(GLby return 4 * __glPointParameterfvARB_size( pname ); } -int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen ) { /* no difference between fv and iv versions */ - return __glXPointParameterfvARBReqSize(pc, swap); + return __glXPointParameterfvARBReqSize(pc, swap, reqlen); } Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.38.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3 Sat Jun 9 14:58:07 2001 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c Thu Dec 11 13:33:15 2014 @@ -53,6 +53,8 @@ int __glXDisp_ReadPixels(__GLXclientStat int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -66,7 +68,8 @@ int __glXDisp_ReadPixels(__GLXclientStat swapBytes = *(GLboolean *)(pc + 24); lsbFirst = *(GLboolean *)(pc + 25); compsize = __glReadPixels_size(format,type,width,height); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); @@ -104,6 +107,8 @@ int __glXDisp_GetTexImage(__GLXclientSta char *answer, answerBuffer[200]; GLint width=0, height=0, depth=1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -126,7 +131,8 @@ int __glXDisp_GetTexImage(__GLXclientSta * are illegal, but then width, height, and depth would still be zero anyway. */ compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -162,6 +168,8 @@ int __glXDisp_GetPolygonStipple(__GLXcli GLubyte answerBuffer[200]; char *answer; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -200,6 +208,8 @@ int __glXDisp_GetSeparableFilter(__GLXcl char *answer, answerBuffer[200]; GLint width=0, height=0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -223,13 +233,13 @@ int __glXDisp_GetSeparableFilter(__GLXcl compsize = __glGetTexImage_size(target,1,format,type,width,1,1); compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - if (compsize < 0) compsize = 0; - if (compsize2 < 0) compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); glGetSeparableFilter( *(GLenum *)(pc + 0), @@ -265,6 +275,8 @@ int __glXDisp_GetConvolutionFilter(__GLX char *answer, answerBuffer[200]; GLint width=0, height=0; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -287,7 +299,8 @@ int __glXDisp_GetConvolutionFilter(__GLX * are illegal, but then width and height would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,height,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -324,6 +337,8 @@ int __glXDisp_GetHistogram(__GLXclientSt char *answer, answerBuffer[200]; GLint width=0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -342,7 +357,8 @@ int __glXDisp_GetHistogram(__GLXclientSt * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -371,6 +387,7 @@ int __glXDisp_GetMinmax(__GLXclientState ClientPtr client = cl->client; int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -385,7 +402,8 @@ int __glXDisp_GetMinmax(__GLXclientState reset = *(GLboolean *)(pc + 13); compsize = __glGetTexImage_size(target,1,format,type,2,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -414,6 +432,7 @@ int __glXDisp_GetColorTable(__GLXclientS int error; char *answer, answerBuffer[200]; GLint width=0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -432,7 +451,8 @@ int __glXDisp_GetColorTable(__GLXclientS * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.38.1 --- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4 Sat Jan 19 14:59:54 2002 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c Thu Dec 11 13:33:15 2014 @@ -54,6 +54,8 @@ int __glXDispSwap_ReadPixels(__GLXclient int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -75,7 +77,8 @@ int __glXDispSwap_ReadPixels(__GLXclient swapBytes = *(GLboolean *)(pc + 24); lsbFirst = *(GLboolean *)(pc + 25); compsize = __glReadPixels_size(format,type,width,height); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); @@ -116,6 +119,8 @@ int __glXDispSwap_GetTexImage(__GLXclien char *answer, answerBuffer[200]; GLint width=0, height=0, depth=1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -144,7 +149,8 @@ int __glXDispSwap_GetTexImage(__GLXclien * are illegal, but then width, height, and depth would still be zero anyway. */ compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -186,6 +192,8 @@ int __glXDispSwap_GetPolygonStipple(__GL char *answer; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -225,6 +233,8 @@ int __glXDispSwap_GetSeparableFilter(__G __GLX_DECLARE_SWAP_VARIABLES; char *answer, answerBuffer[200]; GLint width=0, height=0; + + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -253,13 +263,13 @@ int __glXDispSwap_GetSeparableFilter(__G compsize = __glGetTexImage_size(target,1,format,type,width,1,1); compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - if (compsize < 0) compsize = 0; - if (compsize2 < 0) compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); glGetSeparableFilter( *(GLenum *)(pc + 0), @@ -297,6 +307,8 @@ int __glXDispSwap_GetConvolutionFilter(_ __GLX_DECLARE_SWAP_VARIABLES; char *answer, answerBuffer[200]; GLint width=0, height=0; + + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -324,7 +336,8 @@ int __glXDispSwap_GetConvolutionFilter(_ * are illegal, but then width and height would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,height,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -363,6 +376,8 @@ int __glXDispSwap_GetHistogram(__GLXclie __GLX_DECLARE_SWAP_VARIABLES; char *answer, answerBuffer[200]; GLint width=0; + + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -386,7 +401,8 @@ int __glXDispSwap_GetHistogram(__GLXclie * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -417,6 +433,8 @@ int __glXDispSwap_GetMinmax(__GLXclientS int error; __GLX_DECLARE_SWAP_VARIABLES; char *answer, answerBuffer[200]; + + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -435,7 +453,8 @@ int __glXDispSwap_GetMinmax(__GLXclientS reset = *(GLboolean *)(pc + 13); compsize = __glGetTexImage_size(target,1,format,type,2,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -465,6 +484,8 @@ int __glXDispSwap_GetColorTable(__GLXcli __GLX_DECLARE_SWAP_VARIABLES; char *answer, answerBuffer[200]; GLint width=0; + + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -487,7 +508,8 @@ int __glXDispSwap_GetColorTable(__GLXcli * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); Index: xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c diff -u xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c:1.2 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c:1.2.18.1 --- xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c:1.2 Tue Apr 3 20:07:50 2007 +++ xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c Thu Dec 11 13:33:15 2014 @@ -224,6 +224,7 @@ SProcXCMiscGetXIDList(client) { register int n; REQUEST(xXCMiscGetXIDListReq); + REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); swaps(&stuff->length, n); swapl(&stuff->count, n); Index: xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c diff -u xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5.36.1 --- xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5 Fri Mar 5 14:27:40 2004 +++ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c Thu Dec 11 13:33:15 2014 @@ -1342,6 +1342,7 @@ SProcXvQueryExtension(ClientPtr client) { register char n; REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length, n); return ProcXvQueryExtension(client); } @@ -1351,6 +1352,7 @@ SProcXvQueryAdaptors(ClientPtr client) { register char n; REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcXvQueryAdaptors(client); @@ -1361,6 +1363,7 @@ SProcXvQueryEncodings(ClientPtr client) { register char n; REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryEncodings(client); @@ -1371,6 +1374,7 @@ SProcXvGrabPort(ClientPtr client) { register char n; REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1382,6 +1386,7 @@ SProcXvUngrabPort(ClientPtr client) { register char n; REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1393,6 +1398,7 @@ SProcXvPutVideo(ClientPtr client) { register char n; REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1413,6 +1419,7 @@ SProcXvPutStill(ClientPtr client) { register char n; REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1433,6 +1440,7 @@ SProcXvGetVideo(ClientPtr client) { register char n; REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1453,6 +1461,7 @@ SProcXvGetStill(ClientPtr client) { register char n; REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1473,6 +1482,7 @@ SProcXvPutImage(ClientPtr client) { register char n; REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1497,6 +1507,7 @@ SProcXvShmPutImage(ClientPtr client) { register char n; REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1524,6 +1535,7 @@ SProcXvSelectVideoNotify(ClientPtr clien { register char n; REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length, n); swapl(&stuff->drawable, n); return ProcXvSelectVideoNotify(client); @@ -1534,6 +1546,7 @@ SProcXvSelectPortNotify(ClientPtr client { register char n; REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvSelectPortNotify(client); @@ -1544,6 +1557,7 @@ SProcXvStopVideo(ClientPtr client) { register char n; REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1555,6 +1569,7 @@ SProcXvSetPortAttribute(ClientPtr client { register char n; REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1566,6 +1581,7 @@ SProcXvGetPortAttribute(ClientPtr client { register char n; REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1577,6 +1593,7 @@ SProcXvQueryBestSize(ClientPtr client) { register char n; REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swaps(&stuff->vid_w, n); @@ -1591,6 +1608,7 @@ SProcXvQueryPortAttributes(ClientPtr cli { register char n; REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryPortAttributes(client); @@ -1601,6 +1619,7 @@ SProcXvQueryImageAttributes(ClientPtr cl { register char n; REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length, n); swapl(&stuff->id, n); swaps(&stuff->width, n); @@ -1613,6 +1632,7 @@ SProcXvListImageFormats(ClientPtr client { register char n; REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client); Index: xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c diff -u xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c:1.1.1.4.38.1 --- xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c:1.1.1.4 Sat Jan 19 15:01:32 2002 +++ xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c Thu Dec 11 13:33:15 2014 @@ -83,7 +83,7 @@ SProcXChangeDeviceControl(client) REQUEST(xChangeDeviceControlReq); swaps(&stuff->length, n); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); swaps(&stuff->control, n); return(ProcXChangeDeviceControl(client)); } @@ -107,7 +107,7 @@ ProcXChangeDeviceControl(client) CARD32 *resolution; REQUEST(xChangeDeviceControlReq); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2); dev = LookupDeviceIntRec (stuff->deviceid); Index: xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c diff -u xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c:1.1.1.4.38.1 --- xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c:1.1.1.4 Sat Jan 19 15:01:32 2002 +++ xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c Thu Dec 11 13:33:15 2014 @@ -156,6 +156,8 @@ ProcXChangeFeedbackControl(client) xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { + if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) + return BadLength; swaps(&f->num_keysyms,n); } if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms)) Index: xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c diff -u xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4.38.1 --- xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4 Sat Jan 19 15:01:35 2002 +++ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c Thu Dec 11 13:33:15 2014 @@ -149,6 +149,9 @@ ProcXSendExtensionEvent (client) return Success; } + if (stuff->num_events == 0) + return ret; + /* The client's event type must be one defined by an extension. */ first = ((xEvent *) &stuff[1]); Index: xsrc/xfree/xc/programs/Xserver/dbe/dbe.c diff -u xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2.18.1 --- xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2 Wed Jan 10 17:08:24 2007 +++ xsrc/xfree/xc/programs/Xserver/dbe/dbe.c Thu Dec 11 13:33:15 2014 @@ -50,6 +50,8 @@ #include "xf86_ansic.h" #endif +#include <stdint.h> + /* GLOBALS */ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */ @@ -716,8 +718,8 @@ ProcDbeSwapBuffers(client) DbeSwapInfoPtr swapInfo; xDbeSwapInfo *dbeSwapInfo; int error; - register int i, j; - int nStuff; + unsigned int i, j; + unsigned int nStuff; REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); @@ -725,11 +727,13 @@ ProcDbeSwapBuffers(client) if (nStuff == 0) { + REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); return(Success); } if (nStuff > (CARD32)(-1L) / sizeof(DbeSwapInfoRec)) return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; @@ -1280,7 +1284,7 @@ SProcDbeSwapBuffers(client) ClientPtr client; { REQUEST(xDbeSwapBuffersReq); - register int i, n; + unsigned int i, n; xDbeSwapInfo *pSwapInfo; @@ -1288,6 +1292,9 @@ SProcDbeSwapBuffers(client) REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); swapl(&stuff->n, n); + if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { Index: xsrc/xfree/xc/programs/Xserver/dix/dispatch.c diff -u xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7 xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7.24.1 --- xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7 Fri Mar 18 13:10:48 2005 +++ xsrc/xfree/xc/programs/Xserver/dix/dispatch.c Thu Dec 11 13:33:15 2014 @@ -111,6 +111,8 @@ int ProcInitialConnection(); #include "lbxserve.h" #endif +#include <stdint.h> + #define mskcnt ((MAXCLIENTS + 31) / 32) #define BITMASK(i) (1U << ((i) & 31)) #define MASKIDX(i) ((i) >> 5) @@ -2073,6 +2075,9 @@ ProcPutImage(client) tmpImage = (char *)&stuff[1]; lengthProto = length; + + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) Index: xsrc/xfree/xc/programs/Xserver/include/dix.h diff -u xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6.36.1 --- xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6 Fri Mar 5 14:29:36 2004 +++ xsrc/xfree/xc/programs/Xserver/include/dix.h Thu Dec 11 13:33:15 2014 @@ -71,9 +71,14 @@ SOFTWARE. if ((sizeof(req) >> 2) > client->req_len )\ return(BadLength) +#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ + if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ + return(BadLength) + #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ - (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ + (((n) >> 2) >= client->req_len) || \ + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ return(BadLength) #define LEGAL_NEW_RESOURCE(id,client)\ Index: xsrc/xfree/xc/programs/Xserver/include/misc.h diff -u xsrc/xfree/xc/programs/Xserver/include/misc.h:1.1.1.6 xsrc/xfree/xc/programs/Xserver/include/misc.h:1.1.1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/include/misc.h:1.1.1.6 Fri Mar 18 13:13:06 2005 +++ xsrc/xfree/xc/programs/Xserver/include/misc.h Thu Dec 11 13:33:15 2014 @@ -193,6 +193,36 @@ typedef struct _xReq *xReqPtr; #endif +/** + * Calculate the number of bytes needed to hold bits. + * @param bits The minimum number of bits needed. + * @return The number of bytes needed to hold bits. + */ +static inline int +bits_to_bytes(const int bits) { + return ((bits + 7) >> 3); +} +/** + * Calculate the number of 4-byte units needed to hold the given number of + * bytes. + * @param bytes The minimum number of bytes needed. + * @return The number of 4-byte units needed to hold bytes. + */ +static inline int +bytes_to_int32(const int bytes) { + return (((bytes) + 3) >> 2); +} + +/** + * Calculate the number of bytes (in multiples of 4) needed to hold bytes. + * @param bytes The minimum number of bytes needed. + * @return The closest multiple of 4 that is equal or higher than bytes. + */ +static inline int +pad_to_int32(const int bytes) { + return (((bytes) + 3) & ~3); +} + /* some macros to help swap requests, replies, and events */ #define LengthRestB(stuff) \ Index: xsrc/xfree/xc/programs/Xserver/os/access.c diff -u xsrc/xfree/xc/programs/Xserver/os/access.c:1.6 xsrc/xfree/xc/programs/Xserver/os/access.c:1.6.24.1 --- xsrc/xfree/xc/programs/Xserver/os/access.c:1.6 Fri Mar 18 14:55:16 2005 +++ xsrc/xfree/xc/programs/Xserver/os/access.c Thu Dec 11 13:33:15 2014 @@ -1557,6 +1557,10 @@ GetHosts ( { nHosts++; n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1048576) + break; } if (n) { @@ -1568,6 +1572,8 @@ GetHosts ( for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; ((xHostEntry *)ptr)->family = host->family; ((xHostEntry *)ptr)->length = len; ptr += sizeof(xHostEntry); Index: xsrc/xfree/xc/programs/Xserver/os/rpcauth.c diff -u xsrc/xfree/xc/programs/Xserver/os/rpcauth.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/os/rpcauth.c:1.1.1.5.36.1 --- xsrc/xfree/xc/programs/Xserver/os/rpcauth.c:1.1.1.5 Fri Mar 5 14:29:43 2004 +++ xsrc/xfree/xc/programs/Xserver/os/rpcauth.c Thu Dec 11 13:33:15 2014 @@ -74,6 +74,10 @@ authdes_ezdecode(char *inmsg, int len) SVCXPRT xprt; temp_inmsg = (char *) xalloc(len); + if (temp_inmsg == NULL) { + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ + return NULL; + } memmove(temp_inmsg, inmsg, len); memset((char *)&msg, 0, sizeof(msg)); Index: xsrc/xfree/xc/programs/Xserver/randr/randr.c diff -u xsrc/xfree/xc/programs/Xserver/randr/randr.c:1.1.1.3 xsrc/xfree/xc/programs/Xserver/randr/randr.c:1.1.1.3.36.1 --- xsrc/xfree/xc/programs/Xserver/randr/randr.c:1.1.1.3 Fri Mar 5 14:29:43 2004 +++ xsrc/xfree/xc/programs/Xserver/randr/randr.c Thu Dec 11 13:33:15 2014 @@ -1035,6 +1035,7 @@ SProcRRQueryVersion (ClientPtr client) register int n; REQUEST(xRRQueryVersionReq); + REQUEST_SIZE_MATCH(xRRQueryVersionReq); swaps(&stuff->length, n); swapl(&stuff->majorVersion, n); swapl(&stuff->minorVersion, n); @@ -1047,6 +1048,7 @@ SProcRRGetScreenInfo (ClientPtr client) register int n; REQUEST(xRRGetScreenInfoReq); + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcRRGetScreenInfo(client); @@ -1082,6 +1084,7 @@ SProcRRSelectInput (ClientPtr client) register int n; REQUEST(xRRSelectInputReq); + REQUEST_SIZE_MATCH(xRRSelectInputReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcRRSelectInput(client); Index: xsrc/xfree/xc/programs/Xserver/render/render.c diff -u xsrc/xfree/xc/programs/Xserver/render/render.c:1.3 xsrc/xfree/xc/programs/Xserver/render/render.c:1.3.18.1 --- xsrc/xfree/xc/programs/Xserver/render/render.c:1.3 Wed Jan 10 17:08:24 2007 +++ xsrc/xfree/xc/programs/Xserver/render/render.c Thu Dec 11 13:33:15 2014 @@ -253,11 +253,11 @@ ProcRenderQueryVersion (ClientPtr client xRenderQueryVersionReply rep; register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1831,6 +1831,7 @@ SProcRenderQueryVersion (ClientPtr clien { register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); swaps(&stuff->length, n); swapl(&stuff->majorVersion, n); @@ -1843,6 +1844,7 @@ SProcRenderQueryPictFormats (ClientPtr c { register int n; REQUEST(xRenderQueryPictFormatsReq); + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); swaps(&stuff->length, n); return (*ProcRenderVector[stuff->renderReqType]) (client); } @@ -1852,6 +1854,7 @@ SProcRenderQueryPictIndexValues (ClientP { register int n; REQUEST(xRenderQueryPictIndexValuesReq); + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); swaps(&stuff->length, n); swapl(&stuff->format, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -1868,6 +1871,7 @@ SProcRenderCreatePicture (ClientPtr clie { register int n; REQUEST(xRenderCreatePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); swaps(&stuff->length, n); swapl(&stuff->pid, n); swapl(&stuff->drawable, n); @@ -1882,6 +1886,7 @@ SProcRenderChangePicture (ClientPtr clie { register int n; REQUEST(xRenderChangePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); swapl(&stuff->mask, n); @@ -1894,6 +1899,7 @@ SProcRenderSetPictureClipRectangles (Cli { register int n; REQUEST(xRenderSetPictureClipRectanglesReq); + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); SwapRestS(stuff); @@ -1905,6 +1911,7 @@ SProcRenderFreePicture (ClientPtr client { register int n; REQUEST(xRenderFreePictureReq); + REQUEST_SIZE_MATCH(xRenderFreePictureReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -1915,6 +1922,7 @@ SProcRenderComposite (ClientPtr client) { register int n; REQUEST(xRenderCompositeReq); + REQUEST_SIZE_MATCH(xRenderCompositeReq); swaps(&stuff->length, n); swapl(&stuff->src, n); swapl(&stuff->mask, n); @@ -1935,6 +1943,7 @@ SProcRenderScale (ClientPtr client) { register int n; REQUEST(xRenderScaleReq); + REQUEST_SIZE_MATCH(xRenderScaleReq); swaps(&stuff->length, n); swapl(&stuff->src, n); swapl(&stuff->dst, n); @@ -2040,6 +2049,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli { register int n; REQUEST(xRenderCreateGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->gsid, n); swapl(&stuff->format, n); @@ -2051,6 +2061,7 @@ SProcRenderReferenceGlyphSet (ClientPtr { register int n; REQUEST(xRenderReferenceGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->gsid, n); swapl(&stuff->existing, n); @@ -2062,6 +2073,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien { register int n; REQUEST(xRenderFreeGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2076,6 +2088,7 @@ SProcRenderAddGlyphs (ClientPtr client) void *end; xGlyphInfo *gi; REQUEST(xRenderAddGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); swapl(&stuff->nglyphs, n); @@ -2112,6 +2125,7 @@ SProcRenderFreeGlyphs (ClientPtr client) { register int n; REQUEST(xRenderFreeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); SwapRestL(stuff); @@ -2130,6 +2144,7 @@ SProcRenderCompositeGlyphs (ClientPtr cl int size; REQUEST(xRenderCompositeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); switch (stuff->renderReqType) { default: size = 1; break;