From 3f0d3f4d97bce75c1828635c322b6560a45a037f Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 3 Jul 2010 19:42:26 +0100 Subject: [PATCH 1/5] glx: make sure screen is non-negative in validGlxScreen MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Adam Jackson Reviewed-by: Kristian Høgsberg Reviewed-by: Daniel Stone Signed-off-by: Julien Cristau --- glx/glxcmds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index de9c3f039..419cc4626 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -56,7 +56,7 @@ validGlxScreen(ClientPtr client, int screen, __GLXscreen **pGlxScreen, int *err) /* ** Check if screen exists. */ - if (screen >= screenInfo.numScreens) { + if (screen < 0 || screen >= screenInfo.numScreens) { client->errorValue = screen; *err = BadValue; return FALSE; From ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 3 Jul 2010 19:47:55 +0100 Subject: [PATCH 2/5] glx: validate request lengths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Adam Jackson Reviewed-by: Kristian Høgsberg Reviewed-by: Daniel Stone Signed-off-by: Julien Cristau --- glx/glxcmds.c | 142 ++++++++++++++++++++++++++++++++++++++++++++++---- glx/xfont.c | 2 + 2 files changed, 135 insertions(+), 9 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 419cc4626..566dbbe57 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c 
@@ -314,11 +314,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId, int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -330,11 +333,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -346,12 +352,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -362,10 +371,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) } int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + if (!validGlxContext(cl->client, req->context, DixDestroyAccess, &glxc, &err)) return err; 
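Review bot: The new `ClientPtr client = cl->client;` locals in __glXDisp_CreateContext, CreateNewContext, CreateContextWithConfigSGIX and DestroyContext have no visible use, because only REQUEST_SIZE_MATCH refers to `client` and it does so implicitly; the calls right below still pass `cl->client`. Passing the local instead, e.g. `if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))`, makes the dependency visible and keeps a later cleanup from deleting a variable that looks unused. A short comment at the first use, such as `/* REQUEST_SIZE_MATCH reads the local 'client' and returns on a length mismatch */`, would help readers who do not know the macro. The same pattern repeats in the later dispatch hunks of this patch and in glx/glxcmdsswap.c.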
@@ -685,24 +697,33 @@ DoMakeCurrent(__GLXclientState *cl, int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->drawable, req->context, req->oldContextTag ); } int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->readdrawable, req->context, req->oldContextTag ); } int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + return DoMakeCurrent( cl, req->drawable, req->readable, req->context, req->oldContextTag ); } @@ -715,6 +736,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc) __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err)) return err; @@ -739,6 +762,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc) xGLXQueryVersionReply reply; GLuint major, minor; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + major = req->majorVersion; minor = req->minorVersion; (void)major; @@ -765,11 +790,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc) int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) 
@@ -789,11 +818,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -813,13 +846,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; - GLXContextID source = req->source; - GLXContextID dest = req->dest; - GLXContextTag tag = req->contextTag; - unsigned long mask = req->mask; + GLXContextID source; + GLXContextID dest; + GLXContextTag tag; + unsigned long mask; __GLXcontext *src, *dst; int error; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + + source = req->source; + dest = req->dest; + tag = req->contextTag; + mask = req->mask; if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error)) return error; if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error)) @@ -902,6 +941,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc) __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; @@ -1081,13 +1122,17 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen) int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); return DoGetFBConfigs(cl, req->screen); } int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } 
@@ -1213,11 +1258,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID, int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -1229,11 +1277,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1252,12 +1303,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapWithConfigSGIXReq *req = (xGLXCreateGLXPixmapWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) 
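Review bot: In __glXDisp_CreatePixmap the byte count handed to REQUEST_FIXED_SIZE is `req->numAttribs << 3`, and that shift can wrap. Assuming numAttribs is a 32-bit client-supplied field, a count with any of its top three bits set produces a small or zero byte count, so the length check passes while later code still uses the full count. Bound the count before the macro, e.g. `if (req->numAttribs > (UINT32_MAX >> 3)) { client->errorValue = req->numAttribs; return BadValue; }`. The same expression appears in CreatePbuffer, ChangeDrawableAttributes, ChangeDrawableAttributesSGIX (both forward `req->numAttribs` with `(CARD32 *) (req + 1)`) and CreateWindow. It also appears in their __glXDispSwap_ counterparts in glx/glxcmdsswap.c, where `__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs)` then byte-swaps request memory in place using the unchecked count, so there the bound belongs after numAttribs has been swapped.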
@@ -1284,15 +1338,21 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type) int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1331,10 +1391,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc; CARD32 *attrs; int width, height, i; + REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); + attrs = (CARD32 *) (req + 1); width = 0; height = 0; 
@@ -1360,23 +1423,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); } int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } @@ -1407,18 +1479,24 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable, int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } 
@@ -1432,6 +1510,8 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) DrawablePtr pDraw; int err; + REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); + LEGAL_NEW_RESOURCE(req->glxwindow, client); if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) @@ -1455,8 +1535,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } @@ -1472,12 +1555,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc; - GLXContextTag tag = req->contextTag; - XID drawId = req->drawable; + GLXContextTag tag; + XID drawId; __GLXcontext *glxc = NULL; __GLXdrawable *pGlxDraw; int error; + REQUEST_SIZE_MATCH(xGLXSwapBuffersReq); + + tag = req->contextTag; + drawId = req->drawable; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) { @@ -1558,15 +1645,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId) int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq); + return DoQueryContext(cl, req->context); } int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextReq); + return DoQueryContext(cl, req->context); } @@ -1580,6 +1673,8 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); 
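Review bot: The exact-size check `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);` in __glXDisp_BindTexImageEXT looks too strict. GLX_EXT_texture_from_pixmap defines this request as drawable, buffer, an attribute count and a list of attribute pairs, so a conforming client that sends the count (and any attributes) would now get BadLength. The check should require the 12 fixed bytes and then match the total against the bounded attribute count, as sketched below; the swapped handler in glx/glxcmdsswap.c needs the same treatment after swapping the count. The function body continues outside the hunk, so whether it reads the attribute list is not visible here. The bare `8` (and `20` in CopySubBufferMESA) would also read better with a comment naming the fields it covers.

```c
    CARD32 num_attribs;

    /* drawable + buffer + num_attribs must be present before any is read */
    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
        return BadLength;

    pc += __GLX_VENDPRIV_HDR_SIZE;
    /* … unchanged: drawId and buffer reads … */
    num_attribs = *((CARD32 *) (pc + 8));
    if (num_attribs > (UINT32_MAX >> 3)) {
        client->errorValue = num_attribs;
        return BadValue;
    }
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
```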
@@ -1614,6 +1709,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc) int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1649,6 +1746,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc) (void) client; (void) req; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1737,16 +1836,22 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId) int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + return DoGetDrawableAttributes(cl, req->drawable); } int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesSGIXReq *req = (xGLXGetDrawableAttributesSGIXReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq); + return DoGetDrawableAttributes(cl, req->drawable); } @@ -1771,6 +1876,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc) __GLXcontext *glxc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderReq); + req = (xGLXRenderReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -1791,6 +1898,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc) __GLXdispatchRenderProcPtr proc; int err; + if (left < sizeof(__GLXrenderHeader)) + return BadLength; + /* ** Verify that the header length and the overall length agree. ** Also, each command must be word aligned. 
@@ -2069,10 +2179,12 @@ int __glXDisp_RenderLarge(__GLXclientState *cl, GLbyte *pc) int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2088,10 +2200,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2114,6 +2228,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc) char *buf; int err; + REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2153,6 +2269,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc) int err; char ver_str[16]; + REQUEST_SIZE_MATCH(xGLXQueryServerStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; 
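Review bot: In __glXDisp_VendorPrivate and __glXDisp_VendorPrivateWithReply the initializer `GLint vendorcode = req->vendorCode;` still runs before the added `REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);`, so the field is read from a request whose length has not been validated yet. The WaitGL, WaitX, CopyContext and SwapBuffers hunks of this same patch move such reads below the check; these two should follow suit: declare `GLint vendorcode;` and assign `vendorcode = req->vendorCode;` after the macro. Both function bodies continue outside the hunks.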
@@ -2200,13 +2318,19 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc) int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc; const char *buf; + REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq); + + buf = (const char *)(req+1); + if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq))) + return BadLength; + cl->GLClientmajorVersion = req->major; cl->GLClientminorVersion = req->minor; free(cl->GLClientextensions); - buf = (const char *)(req+1); cl->GLClientextensions = strdup(buf); return Success; diff --git a/glx/xfont.c b/glx/xfont.c index 99437842e..84a301f9b 100644 --- a/glx/xfont.c +++ b/glx/xfont.c @@ -154,6 +154,8 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc) __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXUseXFontReq); + req = (xGLXUseXFontReq *) pc; cx = __glXForceCurrent(cl, req->contextTag, &error); if (!cx) { From 6c69235a9dfc52e4b4e47630ff4bab1a820eb543 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sun, 22 Aug 2010 00:50:05 +0100 Subject: [PATCH 3/5] glx: check request length before swapping MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Kristian Høgsberg Reviewed-by: Daniel Stone Signed-off-by: Julien Cristau --- glx/glxcmdsswap.c | 135 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 130 insertions(+), 5 deletions(-) diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index ce4d69a0b..9276e2f37 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -60,9 +60,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->visual); 
@@ -74,9 +77,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->fbconfig); @@ -89,10 +95,13 @@ int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->fbconfig); @@ -105,9 +114,12 @@ int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -116,9 +128,12 @@ int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->context); 
@@ -129,9 +144,12 @@ int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->readdrawable); @@ -143,9 +161,12 @@ int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->readable); @@ -157,9 +178,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -168,9 +192,12 @@ int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->majorVersion); __GLX_SWAP_INT(&req->minorVersion); 
@@ -180,9 +207,12 @@ int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -191,9 +221,12 @@ int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -202,9 +235,12 @@ int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->source); __GLX_SWAP_INT(&req->dest); 
@@ -215,36 +251,48 @@ int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetVisualConfigs(cl, pc); } int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigs(cl, pc); } int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigsSGIX(cl, pc); } int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->visual); 
@@ -256,17 +304,22 @@ int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; CARD32 *attribs; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->pixmap); __GLX_SWAP_INT(&req->glxpixmap); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -275,10 +328,13 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapWithConfigSGIXReq *req = (xGLXCreateGLXPixmapWithConfigSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); @@ -290,9 +346,12 @@ int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); 
@@ -301,9 +360,12 @@ int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); @@ -312,9 +374,12 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryContextReq); + __GLX_SWAP_INT(&req->context); return __glXDisp_QueryContext(cl, pc); @@ -322,15 +387,20 @@ int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq); + __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->pbuffer); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -339,9 +409,12 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->pbuffer); 
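Review bot: __glXDispSwap_DestroyPixmap validates against `xGLXDestroyGLXPixmapReq`, while the unswapped __glXDisp_DestroyPixmap in glx/glxcmds.c checks `xGLXDestroyPixmapReq`. The new check copies the type of the pre-existing cast, and the two structs are presumably the same size, so this is likely harmless today, but the swapped and unswapped paths should name the same request type so they cannot drift apart. Suggested lines: `xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;` and `REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);`.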
@@ -353,9 +426,12 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + __GLX_SWAP_INT(&req->pbuffer); return __glXDisp_DestroyPbuffer(cl, pc); @@ -363,9 +439,12 @@ int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq); + __GLX_SWAP_INT(&req->pbuffer); return __glXDisp_DestroyGLXPbufferSGIX(cl, pc); @@ -373,14 +452,19 @@ int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq); + __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); 
@@ -390,14 +474,19 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq); + __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -406,16 +495,21 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateWindowReq *req = (xGLXCreateWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq); + __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->window); __GLX_SWAP_INT(&req->glxwindow); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -424,9 +518,12 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + __GLX_SWAP_INT(&req->glxwindow); return __glXDisp_DestroyWindow(cl, pc); 
@@ -434,9 +531,12 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSwapBuffersReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(&req->drawable); @@ -446,9 +546,12 @@ int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXUseXFontReq *req = (xGLXUseXFontReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXUseXFontReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(&req->font); @@ -462,9 +565,12 @@ int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); @@ -473,9 +579,12 @@ int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryServerStringReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->name); 
@@ -485,9 +594,12 @@ int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXClientInfoReq *req = (xGLXClientInfoReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->major); __GLX_SWAP_INT(&req->minor); @@ -498,9 +610,12 @@ int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -509,12 +624,14 @@ int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); @@ -530,12 +647,14 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); 
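Review bot: The literal `8` in `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8)` in `__glXDispSwap_BindTexImageEXT` is unexplained. It is repeated in `__glXDispSwap_ReleaseTexImageEXT`, and `__glXDispSwap_CopySubBufferMESA` uses `20` the same way. From the pointer setup after `pc += __GLX_VENDPRIV_HDR_SIZE` it presumably covers the drawable and buffer fields that follow the vendor-private header; a comment such as `/* payload after the header: drawable (4 bytes) + buffer (4 bytes) */` would make the number checkable. This is an exact-length check, so a request carrying anything after those fields is rejected with BadLength. It is worth confirming against the protocol encoding that no trailing data (an attribute list, for instance) is legal for BindTexImageEXT. The handler bodies continue outside the hunks.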
@@ -551,12 +670,14 @@ int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20); + (void) drawId; (void) buffer; @@ -576,11 +697,13 @@ int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req = (xGLXVendorPrivateWithReplyReq *)pc; CARD32 *data; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq); + data = (CARD32 *) (req + 1); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -591,10 +714,12 @@ int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); From 62319e8381ebd645ae36b25e5fc3c0e9b098387b Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sun, 22 Aug 2010 16:20:45 +0100 Subject: [PATCH 4/5] glx: swap the request arrays entirely, not just half of them MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Various glx requests include a list of pairs of attributes. We were only swapping the first half. Reviewed-by: Kristian Høgsberg Reviewed-by: Daniel Stone Signed-off-by: Julien Cristau --- glx/glxcmdsswap.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 9276e2f37..87bf75b79 100644 --- a/glx/glxcmdsswap.c 
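Review bot: `__glXDispSwap_GetDrawableAttributesSGIX` casts `pc` to `xGLXVendorPrivateWithReplyReq *` but validates the length with `REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq)`, a different struct from the one it then indexes. The next line reads past the header with `data = (CARD32 *) (req + 1)`, which is only covered by the check if the SGIX request struct is the vendor-private header plus that trailing word; the hunk does not show either definition. I would state the relationship in a comment, `/* sized as the full SGIX request: vendor-private header plus the CARD32 at req + 1 */`, or cast `pc` to the SGIX request type so the checked type and the accessed type are the same. The rest of the function is outside the hunk.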
+++ b/glx/glxcmdsswap.c @@ -321,7 +321,7 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreatePixmap(cl, pc); } @@ -402,7 +402,7 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreatePbuffer(cl, pc); } @@ -466,7 +466,7 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_ChangeDrawableAttributes(cl, pc); } @@ -488,7 +488,7 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc); } @@ -511,7 +511,7 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreateWindow(cl, pc); } From d9225b9602c85603ae616a7381c784f5cf5e811c Mon Sep 17 00:00:00 2001 
From: Julien Cristau Date: Wed, 10 Nov 2010 22:39:54 +0100 Subject: [PATCH 5/5] glx: validate numAttribs field before using it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Kristian Høgsberg Reviewed-by: Daniel Stone Signed-off-by: Julien Cristau --- glx/glxcmds.c | 25 +++++++++++++++++++++++++ glx/glxcmdsswap.c | 20 ++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 566dbbe57..3ef567d10 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1283,6 +1283,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) __GLXscreen *pGlxScreen; int err; + REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) @@ -1396,6 +1401,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) CARD32 *attrs; int width, height, i; + REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attrs = (CARD32 *) (req + 1); @@ -1483,6 +1493,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); return DoChangeDrawableAttributes(cl->client, req->drawable, 
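Review bot: The bound `UINT32_MAX >> 3` in `__glXDisp_CreatePixmap` only makes sense next to the `req->numAttribs << 3` passed to `REQUEST_FIXED_SIZE` on the following line, and the guard carries no comment saying so. I would add `/* numAttribs << 3 must not wrap, or a short request could satisfy the length check below */` above the `if`. The same four lines are pasted into ten handlers across glx/glxcmds.c and glx/glxcmdsswap.c, so a single helper macro holding both the bound and the shift would keep them from drifting apart. `UINT32_MAX` needs `<stdint.h>` to be reachable from both files, which the hunks do not show.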
@@ -1495,6 +1510,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); return DoChangeDrawableAttributes(cl->client, req->drawable, @@ -1510,6 +1530,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) DrawablePtr pDraw; int err; + REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); LEGAL_NEW_RESOURCE(req->glxwindow, client); diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 87bf75b79..3bb4cade9 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -319,6 +319,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->glxpixmap); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -400,6 +404,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->pbuffer); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); 
@@ -464,6 +472,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -486,6 +498,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -509,6 +525,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->glxwindow); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);