Merge remote-tracking branch 'alanc/master'

2014-12-09 11:47:11 -08:00 · 2014-12-09 11:47:11 -08:00 · 6704bb0ed7
commit 6704bb0ed7
parent 8aa23f27c7 1559a94395
56 changed files with 898 additions and 315 deletions
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@ -167,6 +167,7 @@ static int
 SProcXCMiscGetXIDList(ClientPtr client)
 {
    REQUEST(xXCMiscGetXIDListReq);
    REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
    swaps(&stuff->length);
    swapl(&stuff->count);
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@ -1121,6 +1121,7 @@ static int
 SProcXvQueryExtension(ClientPtr client)
 {
    REQUEST(xvQueryExtensionReq);
    REQUEST_SIZE_MATCH(xvQueryExtensionReq);
    swaps(&stuff->length);
    return XvProcVector[xv_QueryExtension] (client);
 }
@ -1129,6 +1130,7 @@ static int
 SProcXvQueryAdaptors(ClientPtr client)
 {
    REQUEST(xvQueryAdaptorsReq);
    REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
    return XvProcVector[xv_QueryAdaptors] (client);
@ -1138,6 +1140,7 @@ static int
 SProcXvQueryEncodings(ClientPtr client)
 {
    REQUEST(xvQueryEncodingsReq);
    REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    return XvProcVector[xv_QueryEncodings] (client);
@ -1147,6 +1150,7 @@ static int
 SProcXvGrabPort(ClientPtr client)
 {
    REQUEST(xvGrabPortReq);
    REQUEST_SIZE_MATCH(xvGrabPortReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->time);
@ -1157,6 +1161,7 @@ static int
 SProcXvUngrabPort(ClientPtr client)
 {
    REQUEST(xvUngrabPortReq);
    REQUEST_SIZE_MATCH(xvUngrabPortReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->time);
@ -1167,6 +1172,7 @@ static int
 SProcXvPutVideo(ClientPtr client)
 {
    REQUEST(xvPutVideoReq);
    REQUEST_SIZE_MATCH(xvPutVideoReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1186,6 +1192,7 @@ static int
 SProcXvPutStill(ClientPtr client)
 {
    REQUEST(xvPutStillReq);
    REQUEST_SIZE_MATCH(xvPutStillReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1205,6 +1212,7 @@ static int
 SProcXvGetVideo(ClientPtr client)
 {
    REQUEST(xvGetVideoReq);
    REQUEST_SIZE_MATCH(xvGetVideoReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1224,6 +1232,7 @@ static int
 SProcXvGetStill(ClientPtr client)
 {
    REQUEST(xvGetStillReq);
    REQUEST_SIZE_MATCH(xvGetStillReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1243,6 +1252,7 @@ static int
 SProcXvPutImage(ClientPtr client)
 {
    REQUEST(xvPutImageReq);
    REQUEST_AT_LEAST_SIZE(xvPutImageReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1266,6 +1276,7 @@ static int
 SProcXvShmPutImage(ClientPtr client)
 {
    REQUEST(xvShmPutImageReq);
    REQUEST_SIZE_MATCH(xvShmPutImageReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1293,6 +1304,7 @@ static int
 SProcXvSelectVideoNotify(ClientPtr client)
 {
    REQUEST(xvSelectVideoNotifyReq);
    REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
    swaps(&stuff->length);
    swapl(&stuff->drawable);
    return XvProcVector[xv_SelectVideoNotify] (client);
@ -1302,6 +1314,7 @@ static int
 SProcXvSelectPortNotify(ClientPtr client)
 {
    REQUEST(xvSelectPortNotifyReq);
    REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    return XvProcVector[xv_SelectPortNotify] (client);
@ -1311,6 +1324,7 @@ static int
 SProcXvStopVideo(ClientPtr client)
 {
    REQUEST(xvStopVideoReq);
    REQUEST_SIZE_MATCH(xvStopVideoReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->drawable);
@ -1321,6 +1335,7 @@ static int
 SProcXvSetPortAttribute(ClientPtr client)
 {
    REQUEST(xvSetPortAttributeReq);
    REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->attribute);
@ -1332,6 +1347,7 @@ static int
 SProcXvGetPortAttribute(ClientPtr client)
 {
    REQUEST(xvGetPortAttributeReq);
    REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->attribute);
@ -1342,6 +1358,7 @@ static int
 SProcXvQueryBestSize(ClientPtr client)
 {
    REQUEST(xvQueryBestSizeReq);
    REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swaps(&stuff->vid_w);
@ -1355,6 +1372,7 @@ static int
 SProcXvQueryPortAttributes(ClientPtr client)
 {
    REQUEST(xvQueryPortAttributesReq);
    REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    return XvProcVector[xv_QueryPortAttributes] (client);
@ -1364,6 +1382,7 @@ static int
 SProcXvQueryImageAttributes(ClientPtr client)
 {
    REQUEST(xvQueryImageAttributesReq);
    REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    swapl(&stuff->id);
@ -1376,6 +1395,7 @@ static int
 SProcXvListImageFormats(ClientPtr client)
 {
    REQUEST(xvListImageFormatsReq);
    REQUEST_SIZE_MATCH(xvListImageFormatsReq);
    swaps(&stuff->length);
    swapl(&stuff->port);
    return XvProcVector[xv_ListImageFormats] (client);
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
    REQUEST(xChangeDeviceControlReq);
    swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
    swaps(&stuff->control);
    ctl = (xDeviceCtl *) &stuff[1];
    swaps(&ctl->control);
@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
    xDeviceEnableCtl *e;
    REQUEST(xChangeDeviceControlReq);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
    len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
        break;
    case DEVICE_ENABLE:
        e = (xDeviceEnableCtl *) &stuff[1];
        if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
            ret = BadLength;
            goto out;
        }
        if (IsXTestDevice(dev, NULL))
            status = !Success;
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
        xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
        if (client->swapped) {
            if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
                return BadLength;
            swaps(&f->num_keysyms);
        }
        if (len !=
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
    if (ret != Success)
        return ret;
    if (stuff->num_events == 0)
        return ret;
    /* The client's event type must be one defined by an extension. */
    first = ((xEvent *) &stuff[1]);
--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@ -48,6 +48,7 @@ int
 SProcXIAllowEvents(ClientPtr client)
 {
    REQUEST(xXIAllowEventsReq);
    REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
    if (stuff->length > 3) {
        xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
        REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
        swapl(&req_xi22->touchid);
        swapl(&req_xi22->grab_window);
    }
--- a/Xi/xichangecursor.c
+++ b/Xi/xichangecursor.c
@ -57,11 +57,11 @@ int
 SProcXIChangeCursor(ClientPtr client)
 {
    REQUEST(xXIChangeCursorReq);
    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
    swaps(&stuff->length);
    swapl(&stuff->win);
    swapl(&stuff->cursor);
    swaps(&stuff->deviceid);
    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
    return (ProcXIChangeCursor(client));
 }
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@ -411,7 +411,7 @@ int
 ProcXIChangeHierarchy(ClientPtr client)
 {
    xXIAnyHierarchyChangeInfo *any;
-    int required_len = sizeof(xXIChangeHierarchyReq);
+    size_t len;			/* length of data remaining in request */
    int rc = Success;
    int flags[MAXDEVICES] = { 0 };
@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
    if (!stuff->num_changes)
        return rc;
    if (stuff->length > (INT_MAX >> 2))
        return BadAlloc;
    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
    any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
    while (stuff->num_changes--) {
        if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
            rc = BadLength;
            goto unwind;
        }
        SWAPIF(swaps(&any->type));
        SWAPIF(swaps(&any->length));
-        required_len += any->length;
+        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
        if ((stuff->length * 4) < required_len)
            return BadLength;
 #define CHANGE_SIZE_MATCH(type) \
    do { \
        if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
            rc = BadLength; \
            goto unwind; \
        } \
    } while(0)
        switch (any->type) {
        case XIAddMaster:
        {
            xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
            /* Variable length, due to appended name string */
            if (len < sizeof(xXIAddMasterInfo)) {
                rc = BadLength;
                goto unwind;
            }
            SWAPIF(swaps(&c->name_len));
            if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
                rc = BadLength;
                goto unwind;
            }
            rc = add_master(client, c, flags);
            if (rc != Success)
@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
        {
            xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
            CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
            rc = remove_master(client, r, flags);
            if (rc != Success)
                goto unwind;
@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
        {
            xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
            CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
            rc = detach_slave(client, c, flags);
            if (rc != Success)
                goto unwind;
@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
        {
            xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
            CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
            rc = attach_slave(client, c, flags);
            if (rc != Success)
                goto unwind;
@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
            break;
        }
        len -= any->length * 4;
        any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
    }
--- a/Xi/xigetclientpointer.c
+++ b/Xi/xigetclientpointer.c
@ -50,6 +50,7 @@ int
 SProcXIGetClientPointer(ClientPtr client)
 {
    REQUEST(xXIGetClientPointerReq);
    REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
    swaps(&stuff->length);
    swapl(&stuff->win);
--- a/Xi/xigrabdev.c
+++ b/Xi/xigrabdev.c
@ -47,6 +47,11 @@ int
 SProcXIGrabDevice(ClientPtr client)
 {
    REQUEST(xXIGrabDeviceReq);
    /*
     * Check here for at least the length of the struct we swap, then
     * let ProcXIGrabDevice check the full size after we swap mask_len.
     */
    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
    unsigned int pointer_mode;
    REQUEST(xXIGrabDeviceReq);
-    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+    REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
    if (ret != Success)
@ -131,6 +136,7 @@ int
 SProcXIUngrabDevice(ClientPtr client)
 {
    REQUEST(xXIUngrabDeviceReq);
    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
    TimeStamp time;
    REQUEST(xXIUngrabDeviceReq);
    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
    if (ret != Success)
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
    uint32_t *mods;
    REQUEST(xXIPassiveGrabDeviceReq);
    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
    swaps(&stuff->mask_len);
    swaps(&stuff->num_modifiers);
    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
        ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
    mods = (uint32_t *) &stuff[1] + stuff->mask_len;
    for (i = 0; i < stuff->num_modifiers; i++, mods++) {
@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
    int mask_len;
    REQUEST(xXIPassiveGrabDeviceReq);
-    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
        ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
    if (stuff->deviceid == XIAllDevices)
        dev = inputInfo.all_devices;
@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
    uint32_t *modifiers;
    REQUEST(xXIPassiveUngrabDeviceReq);
    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
    swaps(&stuff->length);
    swapl(&stuff->grab_window);
@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
    swapl(&stuff->detail);
    swaps(&stuff->num_modifiers);
    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
                       ((uint32_t) stuff->num_modifiers) << 2);
    modifiers = (uint32_t *) &stuff[1];
    for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
    int i, rc;
    REQUEST(xXIPassiveUngrabDeviceReq);
-    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
                       ((uint32_t) stuff->num_modifiers) << 2);
    if (stuff->deviceid == XIAllDevices)
        dev = inputInfo.all_devices;
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@ -1013,10 +1013,9 @@ int
 SProcXListDeviceProperties(ClientPtr client)
 {
    REQUEST(xListDevicePropertiesReq);
    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
    swaps(&stuff->length);
    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
    return (ProcXListDeviceProperties(client));
 }
@ -1037,10 +1036,10 @@ int
 SProcXDeleteDeviceProperty(ClientPtr client)
 {
    REQUEST(xDeleteDevicePropertyReq);
    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
    swaps(&stuff->length);
    swapl(&stuff->property);
    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
    return (ProcXDeleteDeviceProperty(client));
 }
@ -1048,13 +1047,13 @@ int
 SProcXGetDeviceProperty(ClientPtr client)
 {
    REQUEST(xGetDevicePropertyReq);
    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
    swaps(&stuff->length);
    swapl(&stuff->property);
    swapl(&stuff->type);
    swapl(&stuff->longOffset);
    swapl(&stuff->longLength);
    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
    return (ProcXGetDeviceProperty(client));
 }
@ -1253,11 +1252,10 @@ int
 SProcXIListProperties(ClientPtr client)
 {
    REQUEST(xXIListPropertiesReq);
    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
    return (ProcXIListProperties(client));
 }
@ -1279,11 +1277,11 @@ int
 SProcXIDeleteProperty(ClientPtr client)
 {
    REQUEST(xXIDeletePropertyReq);
    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
    swapl(&stuff->property);
    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
    return (ProcXIDeleteProperty(client));
 }
@ -1291,6 +1289,7 @@ int
 SProcXIGetProperty(ClientPtr client)
 {
    REQUEST(xXIGetPropertyReq);
    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
    swapl(&stuff->type);
    swapl(&stuff->offset);
    swapl(&stuff->len);
    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
    return (ProcXIGetProperty(client));
 }
--- a/Xi/xiquerydevice.c
+++ b/Xi/xiquerydevice.c
@ -54,6 +54,7 @@ int
 SProcXIQueryDevice(ClientPtr client)
 {
    REQUEST(xXIQueryDeviceReq);
    REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@ -63,6 +63,8 @@ int
 SProcXIQueryPointer(ClientPtr client)
 {
    REQUEST(xXIQueryPointerReq);
    REQUEST_SIZE_MATCH(xXIQueryPointerReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
    swapl(&stuff->win);
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@ -114,6 +114,7 @@ int
 SProcXISelectEvents(ClientPtr client)
 {
    int i;
    int len;
    xXIEventMask *evmask;
    REQUEST(xXISelectEventsReq);
@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
    swapl(&stuff->win);
    swaps(&stuff->num_masks);
    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
    evmask = (xXIEventMask *) &stuff[1];
    for (i = 0; i < stuff->num_masks; i++) {
        if (len < bytes_to_int32(sizeof(xXIEventMask)))
            return BadLength;
        len -= bytes_to_int32(sizeof(xXIEventMask));
        swaps(&evmask->deviceid);
        swaps(&evmask->mask_len);
        if (len < evmask->mask_len)
            return BadLength;
        len -= evmask->mask_len;
        evmask =
            (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
    }
--- a/Xi/xisetclientpointer.c
+++ b/Xi/xisetclientpointer.c
@ -51,10 +51,11 @@ int
 SProcXISetClientPointer(ClientPtr client)
 {
    REQUEST(xXISetClientPointerReq);
    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
    swaps(&stuff->length);
    swapl(&stuff->win);
    swaps(&stuff->deviceid);
    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
    return (ProcXISetClientPointer(client));
 }
--- a/Xi/xisetdevfocus.c
+++ b/Xi/xisetdevfocus.c
@ -44,6 +44,8 @@ int
 SProcXISetFocus(ClientPtr client)
 {
    REQUEST(xXISetFocusReq);
    REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
    swapl(&stuff->focus);
@ -56,6 +58,8 @@ int
 SProcXIGetFocus(ClientPtr client)
 {
    REQUEST(xXIGetFocusReq);
    REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
--- a/Xi/xiwarppointer.c
+++ b/Xi/xiwarppointer.c
@ -56,6 +56,8 @@ int
 SProcXIWarpPointer(ClientPtr client)
 {
    REQUEST(xXIWarpPointerReq);
    REQUEST_SIZE_MATCH(xXIWarpPointerReq);
    swaps(&stuff->length);
    swapl(&stuff->src_win);
    swapl(&stuff->dst_win);
--- a/configure.ac
+++ b/configure.ac
@ -2621,6 +2621,7 @@ hw/kdrive/linux/Makefile
 hw/kdrive/src/Makefile
 hw/xwayland/Makefile
 test/Makefile
 test/xi1/Makefile
 test/xi2/Makefile
 xserver.ent
 xorg-server.pc
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@ -450,18 +450,21 @@ ProcDbeSwapBuffers(ClientPtr client)
    DbeSwapInfoPtr swapInfo;
    xDbeSwapInfo *dbeSwapInfo;
    int error;
-    register int i, j;
+    unsigned int i, j;
-    int nStuff;
+    unsigned int nStuff;
    int nStuff_i;       /* DDX API requires int for nStuff */
    REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
    nStuff = stuff->n;          /* use local variable for performance. */
    if (nStuff == 0) {
        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
        return Success;
    }
    if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
        return BadAlloc;
    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
    /* Get to the swap info appended to the end of the request. */
    dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
@ -525,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
     * could deal with cross-screen synchronization.
     */
-    while (nStuff > 0) {
+    nStuff_i = nStuff;
    while (nStuff_i > 0) {
        pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
-        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
        if (error != Success) {
            free(swapInfo);
            return error;
@ -914,13 +918,16 @@ static int
 SProcDbeSwapBuffers(ClientPtr client)
 {
    REQUEST(xDbeSwapBuffersReq);
-    register int i;
+    unsigned int i;
    xDbeSwapInfo *pSwapInfo;
    swaps(&stuff->length);
    REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
    swapl(&stuff->n);
    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
        return BadAlloc;
    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
    if (stuff->n != 0) {
        pSwapInfo = (xDbeSwapInfo *) stuff + 1;
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
    tmpImage = (char *) &stuff[1];
    lengthProto = length;
    if (lengthProto >= (INT32_MAX / stuff->height))
        return BadLength;
    if ((bytes_to_int32(lengthProto * stuff->height) +
         bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
        return BadLength;
--- a/dix/region.c
+++ b/dix/region.c
@ -169,7 +169,6 @@ Equipment Corporation.
        ((r1)->y1 <= (r2)->y1) && \
        ((r1)->y2 >= (r2)->y2) )
 #define xallocData(n) malloc(RegionSizeof(n))
 #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
 #define RECTALLOC_BAIL(pReg,n,bail) \
@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
 #define DOWNSIZE(reg,numRects)						 \
 if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
 {									 \
-    RegDataPtr NewData;							 \
+    size_t NewSize = RegionSizeof(numRects);				 \
-    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
+    RegDataPtr NewData =						 \
        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
    if (NewData)							 \
    {									 \
 	NewData->size = (numRects);					 \
@ -345,17 +345,20 @@ Bool
 RegionRectAlloc(RegionPtr pRgn, int n)
 {
    RegDataPtr data;
    size_t rgnSize;
    if (!pRgn->data) {
        n++;
-        pRgn->data = xallocData(n);
+        rgnSize = RegionSizeof(n);
        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
        if (!pRgn->data)
            return RegionBreak(pRgn);
        pRgn->data->numRects = 1;
        *RegionBoxptr(pRgn) = pRgn->extents;
    }
    else if (!pRgn->data->size) {
-        pRgn->data = xallocData(n);
+        rgnSize = RegionSizeof(n);
        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
        if (!pRgn->data)
            return RegionBreak(pRgn);
        pRgn->data->numRects = 0;
@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
                n = 250;
        }
        n += pRgn->data->numRects;
-        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+        rgnSize = RegionSizeof(n);
        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
        if (!data)
            return RegionBreak(pRgn);
        pRgn->data = data;
@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
 {
    RegionPtr pRgn;
    size_t rgnSize;
    RegDataPtr pData;
    BoxPtr pBox;
    int i;
@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
        }
        return pRgn;
    }
-    pData = xallocData(nrects);
+    rgnSize = RegionSizeof(nrects);
    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
    if (!pData) {
        RegionBreak(pRgn);
        return pRgn;
--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@ -321,6 +321,7 @@ static int
 sproc_dri3_query_version(ClientPtr client)
 {
    REQUEST(xDRI3QueryVersionReq);
    REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
    swaps(&stuff->length);
    swapl(&stuff->majorVersion);
@ -332,6 +333,7 @@ static int
 sproc_dri3_open(ClientPtr client)
 {
    REQUEST(xDRI3OpenReq);
    REQUEST_SIZE_MATCH(xDRI3OpenReq);
    swaps(&stuff->length);
    swapl(&stuff->drawable);
@ -343,6 +345,7 @@ static int
 sproc_dri3_pixmap_from_buffer(ClientPtr client)
 {
    REQUEST(xDRI3PixmapFromBufferReq);
    REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
    swaps(&stuff->length);
    swapl(&stuff->pixmap);
@ -358,6 +361,7 @@ static int
 sproc_dri3_buffer_from_pixmap(ClientPtr client)
 {
    REQUEST(xDRI3BufferFromPixmapReq);
    REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
    swaps(&stuff->length);
    swapl(&stuff->pixmap);
@ -368,6 +372,7 @@ static int
 sproc_dri3_fence_from_fd(ClientPtr client)
 {
    REQUEST(xDRI3FenceFromFDReq);
    REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
    swaps(&stuff->length);
    swapl(&stuff->drawable);
@ -379,6 +384,7 @@ static int
 sproc_dri3_fd_from_fence(ClientPtr client)
 {
    REQUEST(xDRI3FDFromFenceReq);
    REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
    swaps(&stuff->length);
    swapl(&stuff->drawable);
--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@ -33,18 +33,22 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
                unsigned bytes_per_version)
 {
    ClientPtr client = cl->client;
    char *gl_extensions;
    char *glx_extensions;
    int size;
    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
    /* Verify that the size of the packet matches the size inferred from the
     * sizes specified for the various fields.
     */
-    const unsigned expected_size = sz_xGLXSetClientInfoARBReq
+    size = sz_xGLXSetClientInfoARBReq;
-        + (req->numVersions * bytes_per_version)
+    size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
-        + __GLX_PAD(req->numGLExtensionBytes)
+    size = safe_add(size, safe_pad(req->numGLExtensionBytes));
-        + __GLX_PAD(req->numGLXExtensionBytes);
+    size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
-    if (req->length != (expected_size / 4))
+    if (size < 0 || req->length != (size / 4))
        return BadLength;
    /* Verify that the actual length of the GL extension string matches what's
@ -80,8 +84,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
    req->length = bswap_16(req->length);
    req->numVersions = bswap_32(req->numVersions);
    req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@ -99,8 +106,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
    req->length = bswap_16(req->length);
    req->numVersions = bswap_32(req->numVersions);
    req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
    left = (req->length << 2) - sz_xGLXRenderReq;
    while (left > 0) {
        __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
        __GLXdispatchRenderProcPtr proc;
        int err;
@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
        cmdlen = hdr->length;
        opcode = hdr->opcode;
        if (left < cmdlen)
            return BadLength;
        /*
         ** Check for core opcodes and grab entry data.
         */
@ -2057,24 +2060,21 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
            return __glXError(GLXBadRenderRequest);
        }
        if (cmdlen < entry.bytes) {
            return BadLength;
        }
        if (entry.varsize) {
            /* variable size command */
            extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-                                      client->swapped);
+                                      client->swapped,
                                      left - __GLX_RENDER_HDR_SIZE);
            if (extra < 0) {
                extra = 0;
            }
            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
                return BadLength;
            }
        }
-        else {
+
-            /* constant size command */
+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
            if (cmdlen != __GLX_PAD(entry.bytes)) {
                return BadLength;
            }
        }
        if (left < cmdlen) {
            return BadLength;
        }
@ -2110,6 +2110,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
    __GLX_DECLARE_SWAP_VARIABLES;
    REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
    req = (xGLXRenderLargeReq *) pc;
    if (client->swapped) {
        __GLX_SWAP_SHORT(&req->length);
@ -2125,12 +2127,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
        __glXResetLargeCommandStatus(cl);
        return error;
    }
    if (safe_pad(req->dataBytes) < 0)
        return BadLength;
    dataBytes = req->dataBytes;
    /*
     ** Check the request length.
     */
-    if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+    if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
        client->errorValue = req->length;
        /* Reset in case this isn't 1st request. */
        __glXResetLargeCommandStatus(cl);
@ -2140,7 +2144,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
    if (cl->largeCmdRequestsSoFar == 0) {
        __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
        int left = (req->length << 2) - sz_xGLXRenderLargeReq;
        size_t cmdlen;
        int err;
@ -2153,13 +2158,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
            return __glXError(GLXBadLargeRequest);
        }
        if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
            return BadLength;
        hdr = (__GLXrenderLargeHeader *) pc;
        if (client->swapped) {
            __GLX_SWAP_INT(&hdr->length);
            __GLX_SWAP_INT(&hdr->opcode);
        }
        cmdlen = hdr->length;
        opcode = hdr->opcode;
        if ((cmdlen = safe_pad(hdr->length)) < 0)
            return BadLength;
        /*
         ** Check for core opcodes and grab entry data.
@ -2177,21 +2186,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
             ** will be in the 1st request, so it's okay to do this.
             */
            extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
-                                      client->swapped);
+                                      client->swapped,
                                      left - __GLX_RENDER_LARGE_HDR_SIZE);
            if (extra < 0) {
                extra = 0;
            }
            /* large command's header is 4 bytes longer, so add 4 */
            if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
                return BadLength;
            }
        }
-        else {
+
-            /* constant size command */
+        /* the +4 is safe because we know entry.bytes is small */
-            if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
+        if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
-                return BadLength;
+            return BadLength;
            }
        }
        /*
         ** Make enough space in the buffer, then copy the entire request.
         */
@ -2218,6 +2224,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
         ** We are receiving subsequent (i.e. not the first) requests of a
         ** multi request command.
         */
        int bytesSoFar; /* including this packet */
        /*
         ** Check the request number and the total request count.
@ -2236,11 +2243,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
        /*
         ** Check that we didn't get too much data.
         */
-        if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+        if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
            client->errorValue = dataBytes;
            __glXResetLargeCommandStatus(cl);
            return __glXError(GLXBadLargeRequest);
        }
        if (bytesSoFar > cl->largeCmdBytesTotal) {
            client->errorValue = dataBytes;
            __glXResetLargeCommandStatus(cl);
            return __glXError(GLXBadLargeRequest);
        }
        memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
        cl->largeCmdBytesSoFar += dataBytes;
        cl->largeCmdRequestsSoFar++;
@ -2252,17 +2266,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
             ** This is the last request; it must have enough bytes to complete
             ** the command.
             */
-            /* NOTE: the two pad macros have been added below; they are needed
+            /* NOTE: the pad macro below is needed because the client library
-             ** because the client library pads the total byte count, but not
+             ** pads the total byte count, but not the per-request byte counts.
-             ** the per-request byte counts.  The Protocol Encoding says the
+             ** The Protocol Encoding says the total byte count should not be
-             ** total byte count should not be padded, so a proposal will be
+             ** padded, so a proposal will be made to the ARB to relax the
-             ** made to the ARB to relax the padding constraint on the total
+             ** padding constraint on the total byte count, thus preserving
-             ** byte count, thus preserving backward compatibility.  Meanwhile,
+             ** backward compatibility.  Meanwhile, the padding done below
-             ** the padding done below fixes a bug that did not allow
+             ** fixes a bug that did not allow large commands of odd sizes to
-             ** large commands of odd sizes to be accepted by the server.
+             ** be accepted by the server.
             */
-            if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
+            if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
                __GLX_PAD(cl->largeCmdBytesTotal)) {
                client->errorValue = dataBytes;
                __glXResetLargeCommandStatus(cl);
                return __glXError(GLXBadLargeRequest);
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    xGLXVendorPrivateReq *req;
    GLint vendorcode;
    __GLXdispatchVendorPrivProcPtr proc;
    __GLX_DECLARE_SWAP_VARIABLES;
    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
    req = (xGLXVendorPrivateReq *) pc;
    __GLX_SWAP_SHORT(&req->length);
@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    xGLXVendorPrivateWithReplyReq *req;
    GLint vendorcode;
    __GLXdispatchVendorPrivProcPtr proc;
    __GLX_DECLARE_SWAP_VARIABLES;
    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
    req = (xGLXVendorPrivateWithReplyReq *) pc;
    __GLX_SWAP_SHORT(&req->length);
--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
 /*
 * Tables for computing the size of each rendering command.
 */
-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
 typedef struct {
    int bytes;
@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
 * Routines for computing the size of variably-sized rendering commands.
 */
 static _X_INLINE int
 safe_add(int a, int b)
 {
    if (a < 0 || b < 0)
        return -1;
    if (INT_MAX - a < b)
        return -1;
    return a + b;
 }
 static _X_INLINE int
 safe_mul(int a, int b)
 {
    if (a < 0 || b < 0)
        return -1;
    if (a == 0 || b == 0)
        return 0;
    if (a > INT_MAX / b)
        return -1;
    return a * b;
 }
 static _X_INLINE int
 safe_pad(int a)
 {
    int ret;
    if (a < 0)
        return -1;
    if ((ret = safe_add(a, 3)) < 0)
        return -1;
    return ret & (GLuint)~3;
 }
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type,
                          GLenum target, GLsizei w, GLsizei h, GLsizei d,
--- a/glx/indirect_program.c
+++ b/glx/indirect_program.c
@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
    __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
    pc += __GLX_VENDPRIV_HDR_SIZE;
    if (cx != NULL) {
        GLenum target;
--- a/glx/indirect_reqsize.c
+++ b/glx/indirect_reqsize.c
@ -31,24 +31,22 @@
 #include "indirect_size.h"
 #include "indirect_reqsize.h"
 #define __GLX_PAD(x)  (((x) + 3) & ~3)
 #if defined(__CYGWIN__) || defined(__MINGW32__)
 #undef HAVE_ALIAS
 #endif
 #ifdef HAVE_ALIAS
 #define ALIAS2(from,to) \
-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
        __attribute__ ((alias( # to )));
 #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
 #else
 #define ALIAS(from,to) \
-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
-    { return __glX ## to ## ReqSize( pc, swap ); }
+    { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
 #endif
 int
-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 0);
    GLenum type = *(GLenum *) (pc + 4);
@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glCallLists_size(type);
-    return __GLX_PAD((compsize * n));
+    return safe_pad(safe_mul(compsize, n));
 }
 int
-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 0);
    GLsizei compsize;
@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glFogfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glLightfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 0);
    GLsizei compsize;
@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glLightModelfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glMaterialfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glTexParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glTexEnvfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glTexGendv_size(pname);
-    return __GLX_PAD((compsize * 8));
+    return safe_pad(safe_mul(compsize, 8));
 }
 int
-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glTexGenfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei mapsize = *(GLsizei *) (pc + 4);
@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
        mapsize = bswap_32(mapsize);
    }
-    return __GLX_PAD((mapsize * 4));
+    return safe_pad(safe_mul(mapsize, 4));
 }
 int
-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei mapsize = *(GLsizei *) (pc + 4);
@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
        mapsize = bswap_32(mapsize);
    }
-    return __GLX_PAD((mapsize * 2));
+    return safe_pad(safe_mul(mapsize, 2));
 }
 int
-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 0);
@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 4) + (n * 4));
+    return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
 }
 int
-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glColorTableParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = 0;
@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 4);
    GLsizei compsize;
@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glConvolutionParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = *(GLint *) (pc + 8);
@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLint row_length = *(GLint *) (pc + 4);
    GLint image_height = *(GLint *) (pc + 8);
@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
 }
 int
-__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei imageSize = *(GLsizei *) (pc + 20);
@ -621,11 +619,11 @@ __glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
        imageSize = bswap_32(imageSize);
    }
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 int
-__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei imageSize = *(GLsizei *) (pc + 24);
@ -633,11 +631,11 @@ __glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
        imageSize = bswap_32(imageSize);
    }
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 int
-__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei imageSize = *(GLsizei *) (pc + 28);
@ -645,11 +643,11 @@ __glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
        imageSize = bswap_32(imageSize);
    }
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 int
-__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei imageSize = *(GLsizei *) (pc + 36);
@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
        imageSize = bswap_32(imageSize);
    }
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 int
-__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum pname = *(GLenum *) (pc + 0);
    GLsizei compsize;
@ -671,11 +669,11 @@ __glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
    }
    compsize = __glPointParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 int
-__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
+__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 0);
@ -683,11 +681,11 @@ __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 4));
+    return safe_pad(safe_mul(n, 4));
 }
 int
-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei len = *(GLsizei *) (pc + 8);
@ -695,11 +693,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
        len = bswap_32(len);
    }
-    return __GLX_PAD(len);
+    return safe_pad(len);
 }
 int
-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 4);
@ -707,11 +705,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 8));
+    return safe_pad(safe_mul(n, 8));
 }
 int
-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 4);
@ -719,11 +717,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 16));
+    return safe_pad(safe_mul(n, 16));
 }
 int
-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 4);
@ -731,11 +729,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 24));
+    return safe_pad(safe_mul(n, 24));
 }
 int
-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 4);
@ -743,11 +741,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 12));
+    return safe_pad(safe_mul(n, 12));
 }
 int
-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 4);
@ -755,11 +753,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 6));
+    return safe_pad(safe_mul(n, 6));
 }
 int
-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLsizei n = *(GLsizei *) (pc + 4);
@ -767,7 +765,7 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
        n = bswap_32(n);
    }
-    return __GLX_PAD((n * 32));
+    return safe_pad(safe_mul(n, 32));
 }
 ALIAS(Fogiv, Fogfv)
--- a/glx/indirect_reqsize.h
+++ b/glx/indirect_reqsize.h
@ -36,115 +36,156 @@
 #define PURE
 #endif
-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
+                                                int reqlen);
-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
+                                             int reqlen);
-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
+                                            int reqlen);
-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
-                                                   Bool swap);
+                                            int reqlen);
-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
-                                                   Bool swap);
+                                              int reqlen);
-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
+                                              int reqlen);
 extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
                                                   int reqlen);
 extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
                                                   int reqlen);
 extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
-                                                     Bool swap);
+                                                     Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
-                                                     Bool swap);
+                                                     Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
-                                                     Bool swap);
+                                                     Bool swap, int reqlen);
-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
+                                                 int reqlen);
-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
+                                                 int reqlen);
-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
+                                               int reqlen);
-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
+                                               int reqlen);
-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
+                                               int reqlen);
-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
+                                               int reqlen);
-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
+                                               int reqlen);
-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
+                                            int reqlen);
 extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
                                            int reqlen);
 extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
                                            int reqlen);
 extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
                                            int reqlen);
 extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
                                                  int reqlen);
 extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
                                                  int reqlen);
 extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
-                                                    Bool swap);
+                                                    Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
-                                                    Bool swap);
+                                                    Bool swap, int reqlen);
-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
-                                                            Bool swap);
+                                                            Bool swap,
                                                            int reqlen);
 extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
-                                                            Bool swap);
+                                                            Bool swap,
                                                            int reqlen);
 extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
-                                                    Bool swap);
+                                                    Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
-                                                          Bool swap);
+                                                          Bool swap,
                                                          int reqlen);
 extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
-                                                          Bool swap);
+                                                          Bool swap,
                                                          int reqlen);
 extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
-                                                             Bool swap);
+                                                             Bool swap,
                                                             int reqlen);
 extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
-                                                             Bool swap);
+                                                             Bool swap,
                                                             int reqlen);
 extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
-                                                        Bool swap);
+                                                        Bool swap, int reqlen);
-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
                                                 int reqlen);
 extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
-                                                    Bool swap);
+                                                    Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc,
-                                                           Bool swap);
+                                                           Bool swap,
                                                           int reqlen);
 extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc,
-                                                           Bool swap);
+                                                           Bool swap,
                                                           int reqlen);
 extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc,
-                                                           Bool swap);
+                                                           Bool swap,
                                                           int reqlen);
 extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc,
-                                                              Bool swap);
+                                                              Bool swap,
                                                              int reqlen);
 extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc,
-                                                              Bool swap);
+                                                              Bool swap,
                                                              int reqlen);
 extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc,
-                                                              Bool swap);
+                                                              Bool swap,
                                                              int reqlen);
 extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc,
-                                                       Bool swap);
+                                                       Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc,
-                                                       Bool swap);
+                                                       Bool swap, int reqlen);
-extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap,
                                                  int reqlen);
 extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
-                                                       Bool swap);
+                                                       Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc,
-                                                          Bool swap);
+                                                          Bool swap,
                                                          int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
-                                                         Bool swap);
+                                                         Bool swap, int reqlen);
 extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
-                                                          Bool swap);
+                                                          Bool swap,
                                                          int reqlen);
 #undef PURE
--- a/glx/indirect_texture_compression.c
+++ b/glx/indirect_texture_compression.c
@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
    __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
    pc += __GLX_SINGLE_HDR_SIZE;
    if (cx != NULL) {
        const GLenum target = *(GLenum *) (pc + 0);
@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
        __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
    pc += __GLX_SINGLE_HDR_SIZE;
    if (cx != NULL) {
        const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@ -73,12 +73,17 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
                     void *local_buffer, size_t local_size, unsigned alignment)
 {
    void *buffer = local_buffer;
-    const unsigned mask = alignment - 1;
+    const intptr_t mask = alignment - 1;
    if (local_size < required_size) {
-        const size_t worst_case_size = required_size + alignment;
+        size_t worst_case_size;
        intptr_t temp_buf;
        if (required_size < SIZE_MAX - alignment)
            worst_case_size = required_size + alignment;
        else
            return NULL;
        if (cl->returnBufSize < worst_case_size) {
            void *temp = realloc(cl->returnBuf, worst_case_size);
--- a/glx/rensize.c
+++ b/glx/rensize.c
@ -43,19 +43,11 @@
  (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
   ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
 static int
 Map1Size(GLint k, GLint order)
 {
    if (order <= 0 || k < 0)
        return -1;
    return k * order;
 }
 int
-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum target;
-    GLint order, k;
+    GLint order;
    target = *(GLenum *) (pc + 16);
    order = *(GLint *) (pc + 20);
@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
        target = SWAPL(target);
        order = SWAPL(order);
    }
-    k = __glMap1d_size(target);
+    if (order < 1)
-    return 8 * Map1Size(k, order);
+        return -1;
    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
 }
 int
-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum target;
-    GLint order, k;
+    GLint order;
    target = *(GLenum *) (pc + 0);
    order = *(GLint *) (pc + 12);
@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
        target = SWAPL(target);
        order = SWAPL(order);
    }
-    k = __glMap1f_size(target);
+    if (order < 1)
-    return 4 * Map1Size(k, order);
+        return -1;
    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
 }
 static int
 Map2Size(int k, int majorOrder, int minorOrder)
 {
-    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+    if (majorOrder < 1 || minorOrder < 1)
        return -1;
-    return k * majorOrder * minorOrder;
+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
 }
 int
-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
    target = *(GLenum *) (pc + 32);
    uorder = *(GLint *) (pc + 36);
@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
        uorder = SWAPL(uorder);
        vorder = SWAPL(vorder);
    }
-    k = __glMap2d_size(target);
+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
    return 8 * Map2Size(k, uorder, vorder);
 }
 int
-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
    target = *(GLenum *) (pc + 0);
    uorder = *(GLint *) (pc + 12);
@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
        uorder = SWAPL(uorder);
        vorder = SWAPL(vorder);
    }
-    k = __glMap2f_size(target);
+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
    return 4 * Map2Size(k, uorder, vorder);
 }
 /**
@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
    GLint bytesPerElement, elementsPerGroup, groupsPerRow;
    GLint groupSize, rowSize, padding, imageSize;
    if (w == 0 || h == 0 || d == 0)
        return 0;
    if (w < 0 || h < 0 || d < 0 ||
        (type == GL_BITMAP &&
         (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
        return -1;
    }
    if (w == 0 || h == 0 || d == 0)
        return 0;
    /* proxy targets have no data */
    switch (target) {
    case GL_PROXY_TEXTURE_1D:
    case GL_PROXY_TEXTURE_2D:
@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
        return 0;
    }
    /* real data has to have real sizes */
    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
        return -1;
    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
        return -1;
    if (type == GL_BITMAP) {
        if (rowLength > 0) {
            groupsPerRow = rowLength;
@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
            groupsPerRow = w;
        }
        rowSize = bits_to_bytes(groupsPerRow);
        if (rowSize < 0)
            return -1;
        padding = (rowSize % alignment);
        if (padding) {
            rowSize += alignment - padding;
        }
-        return ((h + skipRows) * rowSize);
+
        return safe_mul(safe_add(h, skipRows), rowSize);
    }
    else {
        switch (format) {
@ -224,6 +227,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
        case GL_ALPHA:
        case GL_LUMINANCE:
        case GL_INTENSITY:
        case GL_RED_INTEGER_EXT:
        case GL_GREEN_INTEGER_EXT:
        case GL_BLUE_INTEGER_EXT:
        case GL_ALPHA_INTEGER_EXT:
        case GL_LUMINANCE_INTEGER_EXT:
            elementsPerGroup = 1;
            break;
        case GL_422_EXT:
@ -234,14 +242,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
        case GL_DEPTH_STENCIL_MESA:
        case GL_YCBCR_MESA:
        case GL_LUMINANCE_ALPHA:
        case GL_LUMINANCE_ALPHA_INTEGER_EXT:
            elementsPerGroup = 2;
            break;
        case GL_RGB:
        case GL_BGR:
        case GL_RGB_INTEGER_EXT:
        case GL_BGR_INTEGER_EXT:
            elementsPerGroup = 3;
            break;
        case GL_RGBA:
        case GL_BGRA:
        case GL_RGBA_INTEGER_EXT:
        case GL_BGRA_INTEGER_EXT:
        case GL_ABGR_EXT:
            elementsPerGroup = 4;
            break;
@ -293,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
        default:
            return -1;
        }
        /* known safe by the switches above, not checked */
        groupSize = bytesPerElement * elementsPerGroup;
        if (rowLength > 0) {
            groupsPerRow = rowLength;
@ -300,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
        else {
            groupsPerRow = w;
        }
-        rowSize = groupsPerRow * groupSize;
+
        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
            return -1;
        padding = (rowSize % alignment);
        if (padding) {
            rowSize += alignment - padding;
        }
-        if (imageHeight > 0) {
+
-            imageSize = (imageHeight + skipRows) * rowSize;
+        if (imageHeight > 0)
-        }
+            h = imageHeight;
-        else {
+        h = safe_add(h, skipRows);
-            imageSize = (h + skipRows) * rowSize;
+
-        }
+        imageSize = safe_mul(h, rowSize);
-        return ((d + skipImages) * imageSize);
+
        return safe_mul(safe_add(d, skipImages), imageSize);
    }
 }
@ -342,13 +359,14 @@ __glXTypeSize(GLenum enm)
 }
 int
-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
    __GLXdispatchDrawArraysComponentHeader *compHeader;
    GLint numVertexes = hdr->numVertexes;
    GLint numComponents = hdr->numComponents;
    GLint arrayElementSize = 0;
    GLint x, size;
    int i;
    if (swap) {
@ -357,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
    }
    pc += sizeof(__GLXdispatchDrawArraysHeader);
    reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
    size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
                    numComponents);
    if (size < 0 || reqlen < 0 || reqlen < size)
        return -1;
    compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
    for (i = 0; i < numComponents; i++) {
@ -400,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
            return -1;
        }
-        arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
+        x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
        if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
            return -1;
        pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
    }
-    return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
+    return safe_add(size, safe_mul(numVertexes, arrayElementSize));
            (numVertexes * arrayElementSize));
 }
 int
-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
    __GLXdispatchConvolutionFilterHeader *hdr =
        (__GLXdispatchConvolutionFilterHeader *) pc;
@ -435,9 +461,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
    /* XXX Should rowLength be used for either or both image? */
    image1size = __glXImageSize(format, type, 0, w, 1, 1,
                                0, rowLength, 0, 0, alignment);
    image1size = __GLX_PAD(image1size);
    image2size = __glXImageSize(format, type, 0, h, 1, 1,
                                0, rowLength, 0, 0, alignment);
-    return image1size + image2size;
+    return safe_add(safe_pad(image1size), image2size);
 }
--- a/glx/single2.c
+++ b/glx/single2.c
@ -45,11 +45,14 @@
 int
 __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    GLsizei size;
    GLenum type;
    __GLXcontext *cx;
    int error;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    __GLXcontext *cx;
    GLsizei size;
    int error;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
    xGLXRenderModeReply reply;
    __GLXcontext *cx;
    GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
    GLenum newMode;
    int error;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
     ** selection array, as per the API for glRenderMode itself.
     */
 noChangeAllowed:;
    client = cl->client;
    reply = (xGLXRenderModeReply) {
        .type = X_Reply,
        .sequenceNumber = client->sequence,
@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    __GLXcontext *cx;
    int error;
    REQUEST_SIZE_MATCH(xGLXSingleReq);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    __GLXcontext *cx;
    ClientPtr client;
    int error;
    REQUEST_SIZE_MATCH(xGLXSingleReq);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
 int
 DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
    __GLXcontext *cx;
    GLenum name;
    const char *string;
@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
    char *buf = NULL, *buf1 = NULL;
    GLint length = 0;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    /* If the client has the opposite byte order, swap the contextTag and
     * the name.
     */
@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
    pc += __GLX_SINGLE_HDR_SIZE;
    name = *(GLenum *) (pc + 0);
    string = (const char *) glGetString(name);
    client = cl->client;
    if (string == NULL)
        string = "";
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@ -41,6 +41,7 @@
 int
 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    GLsizei size;
    GLenum type;
@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
    __GLXcontext *cx;
    int error;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    __GLXcontext *cx;
    GLsizei size;
    __GLX_DECLARE_SWAP_VARIABLES;
    int error;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
    __GLXcontext *cx;
    xGLXRenderModeReply reply;
    GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
    __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
    int error;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
     ** selection array, as per the API for glRenderMode itself.
     */
 noChangeAllowed:;
    client = cl->client;
    reply = (xGLXRenderModeReply) {
        .type = X_Reply,
        .sequenceNumber = client->sequence,
@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    __GLXcontext *cx;
    int error;
    __GLX_DECLARE_SWAP_VARIABLES;
    REQUEST_SIZE_MATCH(xGLXSingleReq);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
 {
    ClientPtr client = cl->client;
    __GLXcontext *cx;
    ClientPtr client;
    int error;
    __GLX_DECLARE_SWAP_VARIABLES;
    REQUEST_SIZE_MATCH(xGLXSingleReq);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
    cx->hasUnflushedCommands = GL_FALSE;
    /* Send empty reply packet to indicate finish is finished */
    client = cl->client;
    __GLX_BEGIN_REPLY(0);
    __GLX_PUT_RETVAL(0);
    __GLX_SWAP_REPLY_HEADER();
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
    int error;
    char *answer, answerBuffer[200];
    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -65,7 +67,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
    lsbFirst = *(GLboolean *) (pc + 25);
    compsize = __glReadPixels_size(format, type, width, height);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
    glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
    char *answer, answerBuffer[200];
    GLint width = 0, height = 0, depth = 1;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -124,7 +128,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
    compsize =
        __glGetTexImage_size(target, level, format, type, width, height, depth);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
    GLubyte answerBuffer[200];
    char *answer;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
        return error;
@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
    compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
    compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
-    if (compsize < 0)
+    if ((compsize = safe_pad(compsize)) < 0)
-        compsize = 0;
+        return BadLength;
-    if (compsize2 < 0)
+    if ((compsize2 = safe_pad(compsize2)) < 0)
-        compsize2 = 0;
+        return BadLength;
    compsize = __GLX_PAD(compsize);
    compsize2 = __GLX_PAD(compsize2);
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
    __glXClearErrorOccured();
    glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
                         *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@ -249,7 +253,8 @@ int
 __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -257,7 +262,8 @@ int
 __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -296,7 +302,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     */
    compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -323,7 +329,8 @@ int
 __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -331,7 +338,8 @@ int
 __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -365,7 +373,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     */
    compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -390,7 +398,8 @@ int
 __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -398,7 +407,8 @@ int
 __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -426,7 +436,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
    compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -450,7 +460,8 @@ int
 __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -458,7 +469,8 @@ int
 __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -491,7 +503,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     */
    compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -517,7 +529,8 @@ int
 __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -525,6 +538,7 @@ int
 __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
    int error;
    char *answer, answerBuffer[200];
    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -75,7 +77,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
    lsbFirst = *(GLboolean *) (pc + 25);
    compsize = __glReadPixels_size(format, type, width, height);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
    glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
    char *answer, answerBuffer[200];
    GLint width = 0, height = 0, depth = 1;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -144,7 +148,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
    compsize =
        __glGetTexImage_size(target, level, format, type, width, height, depth);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
    __GLX_DECLARE_SWAP_VARIABLES;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
    __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
    cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
    if (!cx) {
@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
    compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
    compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
-    if (compsize < 0)
+    if ((compsize = safe_pad(compsize)) < 0)
-        compsize = 0;
+        return BadLength;
-    if (compsize2 < 0)
+    if ((compsize2 = safe_pad(compsize2)) < 0)
-        compsize2 = 0;
+        return BadLength;
    compsize = __GLX_PAD(compsize);
    compsize2 = __GLX_PAD(compsize2);
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
    __glXClearErrorOccured();
    glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
                         *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@ -285,7 +289,9 @@ int
 __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -293,7 +299,9 @@ int
 __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -338,7 +346,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     */
    compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -367,7 +375,9 @@ int
 __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -375,7 +385,9 @@ int
 __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -415,7 +427,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     */
    compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -441,7 +453,9 @@ int
 __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -449,7 +463,9 @@ int
 __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -483,7 +499,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
    compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -507,7 +523,9 @@ int
 __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -515,7 +533,9 @@ int
 __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
@ -554,7 +574,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     */
    compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
    if (compsize < 0)
-        compsize = 0;
+        return BadLength;
    glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@ -581,7 +601,9 @@ int
 __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
    return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
@ -589,6 +611,8 @@ int
 __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
 {
    const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
    ClientPtr client = cl->client;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
    return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
--- a/glx/swap_interval.c
+++ b/glx/swap_interval.c
@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
    __GLXcontext *cx;
    GLint interval;
    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
    cx = __glXLookupContextByTag(cl, tag);
    if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
--- a/glx/unpack.h
+++ b/glx/unpack.h
@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
 ** pointer.
 */
 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
-    if ((size) > sizeof(answerBuffer)) {				 \
+    if (size < 0) return BadLength;                                      \
    else if ((size) > sizeof(answerBuffer)) {				 \
 	int bump;							 \
 	if ((cl)->returnBufSize < (size)+(align)) {			 \
 	    (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf,	 	 \
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
    unsigned int *attachments;
    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
    if (stuff->count > (INT_MAX / 4))
        return BadLength;
    if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                       &pDrawable, &status))
        return status;
--- a/include/dix.h
+++ b/include/dix.h
@ -74,9 +74,14 @@ SOFTWARE.
    if ((sizeof(req) >> 2) > client->req_len )\
         return(BadLength)
 #define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
         return(BadLength)
 #define REQUEST_FIXED_SIZE(req, n)\
    if (((sizeof(req) >> 2) > client->req_len) || \
-        (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+        (((n) >> 2) >= client->req_len) ||                              \
        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
         return(BadLength)
 #define LEGAL_NEW_RESOURCE(id,client)\
--- a/include/regionstr.h
+++ b/include/regionstr.h
@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
 static inline size_t
 RegionSizeof(size_t n)
 {
-    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
    else
        return 0;
 }
 static inline void
@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
        (_pReg)->data = (RegDataPtr) NULL;
    }
    else {
        size_t rgnSize;
        (_pReg)->extents = RegionEmptyBox;
-        if (((_size) > 1) && ((_pReg)->data =
+        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
-                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
+            (((_pReg)->data = malloc(rgnSize)) != NULL)) {
            (_pReg)->data->size = (_size);
            (_pReg)->data->numRects = 0;
        }
--- a/os/access.c
+++ b/os/access.c
@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
    for (host = validhosts; host; host = host->next) {
        nHosts++;
        n += pad_to_int32(host->len) + sizeof(xHostEntry);
        /* Could check for INT_MAX, but in reality having more than 1mb of
           hostnames in the access list is ridiculous */
        if (n >= 1048576)
            break;
    }
    if (n) {
        *data = ptr = malloc(n);
@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
        }
        for (host = validhosts; host; host = host->next) {
            len = host->len;
            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
                break;
            ((xHostEntry *) ptr)->family = host->family;
            ((xHostEntry *) ptr)->length = len;
            ptr += sizeof(xHostEntry);
--- a/os/rpcauth.c
+++ b/os/rpcauth.c
@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
    SVCXPRT xprt;
    temp_inmsg = malloc(len);
    if (temp_inmsg == NULL) {
        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
        return NULL;
    }
    memmove(temp_inmsg, inmsg, len);
    memset((char *) &msg, 0, sizeof(msg));
--- a/present/present_request.c
+++ b/present/present_request.c
@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
    RRCrtcPtr   crtc = NULL;
    int         r;
    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
    r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
    switch (r) {
    case Success:
@ -254,6 +255,7 @@ static int
 sproc_present_query_version(ClientPtr client)
 {
    REQUEST(xPresentQueryVersionReq);
    REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
    swaps(&stuff->length);
    swapl(&stuff->majorVersion);
@ -265,6 +267,7 @@ static int
 sproc_present_pixmap(ClientPtr client)
 {
    REQUEST(xPresentPixmapReq);
    REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
@ -284,6 +287,7 @@ static int
 sproc_present_notify_msc(ClientPtr client)
 {
    REQUEST(xPresentNotifyMSCReq);
    REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
@ -297,6 +301,7 @@ static int
 sproc_present_select_input (ClientPtr client)
 {
    REQUEST(xPresentSelectInputReq);
    REQUEST_SIZE_MATCH(xPresentSelectInputReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
@ -308,6 +313,7 @@ static int
 sproc_present_query_capabilities (ClientPtr client)
 {
    REQUEST(xPresentQueryCapabilitiesReq);
    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
    swaps(&stuff->length);
    swapl(&stuff->target);
    return (*proc_present_vector[stuff->presentReqType]) (client);
--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
 {
    REQUEST(xRRQueryVersionReq);
    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
    swaps(&stuff->length);
    swapl(&stuff->majorVersion);
    swapl(&stuff->minorVersion);
@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
 {
    REQUEST(xRRGetScreenInfoReq);
    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
    return (*ProcRandrVector[stuff->randrReqType]) (client);
@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
 {
    REQUEST(xRRSelectInputReq);
    REQUEST_SIZE_MATCH(xRRSelectInputReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
    swaps(&stuff->enable);
@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
 {
    REQUEST(xRRConfigureOutputPropertyReq);
    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
    swaps(&stuff->length);
    swapl(&stuff->output);
    swapl(&stuff->property);
--- a/render/render.c
+++ b/render/render.c
@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
    REQUEST(xRenderQueryVersionReq);
    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
    pRenderClient->major_version = stuff->majorVersion;
    pRenderClient->minor_version = stuff->minorVersion;
    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
    if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
        (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
        rep.majorVersion = stuff->majorVersion;
@ -1995,7 +1995,7 @@ static int
 SProcRenderQueryVersion(ClientPtr client)
 {
    REQUEST(xRenderQueryVersionReq);
-
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
    swaps(&stuff->length);
    swapl(&stuff->majorVersion);
    swapl(&stuff->minorVersion);
@ -2006,6 +2006,7 @@ static int
 SProcRenderQueryPictFormats(ClientPtr client)
 {
    REQUEST(xRenderQueryPictFormatsReq);
    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
    swaps(&stuff->length);
    return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
@ -2014,6 +2015,7 @@ static int
 SProcRenderQueryPictIndexValues(ClientPtr client)
 {
    REQUEST(xRenderQueryPictIndexValuesReq);
    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
    swaps(&stuff->length);
    swapl(&stuff->format);
    return (*ProcRenderVector[stuff->renderReqType]) (client);
@ -2029,6 +2031,7 @@ static int
 SProcRenderCreatePicture(ClientPtr client)
 {
    REQUEST(xRenderCreatePictureReq);
    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
    swaps(&stuff->length);
    swapl(&stuff->pid);
    swapl(&stuff->drawable);
@ -2042,6 +2045,7 @@ static int
 SProcRenderChangePicture(ClientPtr client)
 {
    REQUEST(xRenderChangePictureReq);
    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
    swaps(&stuff->length);
    swapl(&stuff->picture);
    swapl(&stuff->mask);
@ -2053,6 +2057,7 @@ static int
 SProcRenderSetPictureClipRectangles(ClientPtr client)
 {
    REQUEST(xRenderSetPictureClipRectanglesReq);
    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
    swaps(&stuff->length);
    swapl(&stuff->picture);
    swaps(&stuff->xOrigin);
@ -2065,6 +2070,7 @@ static int
 SProcRenderFreePicture(ClientPtr client)
 {
    REQUEST(xRenderFreePictureReq);
    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
    swaps(&stuff->length);
    swapl(&stuff->picture);
    return (*ProcRenderVector[stuff->renderReqType]) (client);
@ -2074,6 +2080,7 @@ static int
 SProcRenderComposite(ClientPtr client)
 {
    REQUEST(xRenderCompositeReq);
    REQUEST_SIZE_MATCH(xRenderCompositeReq);
    swaps(&stuff->length);
    swapl(&stuff->src);
    swapl(&stuff->mask);
@ -2093,6 +2100,7 @@ static int
 SProcRenderScale(ClientPtr client)
 {
    REQUEST(xRenderScaleReq);
    REQUEST_SIZE_MATCH(xRenderScaleReq);
    swaps(&stuff->length);
    swapl(&stuff->src);
    swapl(&stuff->dst);
@ -2193,6 +2201,7 @@ static int
 SProcRenderCreateGlyphSet(ClientPtr client)
 {
    REQUEST(xRenderCreateGlyphSetReq);
    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
    swaps(&stuff->length);
    swapl(&stuff->gsid);
    swapl(&stuff->format);
@ -2203,6 +2212,7 @@ static int
 SProcRenderReferenceGlyphSet(ClientPtr client)
 {
    REQUEST(xRenderReferenceGlyphSetReq);
    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
    swaps(&stuff->length);
    swapl(&stuff->gsid);
    swapl(&stuff->existing);
@ -2213,6 +2223,7 @@ static int
 SProcRenderFreeGlyphSet(ClientPtr client)
 {
    REQUEST(xRenderFreeGlyphSetReq);
    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
    swaps(&stuff->length);
    swapl(&stuff->glyphset);
    return (*ProcRenderVector[stuff->renderReqType]) (client);
@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
    xGlyphInfo *gi;
    REQUEST(xRenderAddGlyphsReq);
    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
    swaps(&stuff->length);
    swapl(&stuff->glyphset);
    swapl(&stuff->nglyphs);
@ -2261,6 +2273,7 @@ static int
 SProcRenderFreeGlyphs(ClientPtr client)
 {
    REQUEST(xRenderFreeGlyphsReq);
    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
    swaps(&stuff->length);
    swapl(&stuff->glyphset);
    SwapRestL(stuff);
@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
    int size;
    REQUEST(xRenderCompositeGlyphsReq);
    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
    switch (stuff->renderReqType) {
    default:
--- a/test/Makefile.am
+++ b/test/Makefile.am
@ -4,7 +4,7 @@ noinst_PROGRAMS = list string
 if XORG
 # Tests that require at least some DDX functions in order to fully link
 # For now, requires xf86 ddx, could be adjusted to use another
-SUBDIRS += xi2
+SUBDIRS += xi1 xi2
 noinst_PROGRAMS += xkb input xtest misc fixes xfree86 os signal-logging touch
 if RES
 noinst_PROGRAMS += hashtabletest
--- a/test/misc.c
+++ b/test/misc.c
@ -28,6 +28,8 @@
 #include <stdint.h>
 #include "misc.h"
 #include "scrnintstr.h"
 #include "dix.h"
 #include "dixstruct.h"
 ScreenInfo screenInfo;
@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void)
    assert_dimensions(-w2, -h2, w2, h2);
 }
 static int
 dix_request_fixed_size_overflow(ClientRec *client)
 {
    xReq req = { 0 };
    client->req_len = req.length = 1;
    REQUEST_FIXED_SIZE(req, SIZE_MAX);
    return Success;
 }
 static int
 dix_request_fixed_size_match(ClientRec *client)
 {
    xReq req = { 0 };
    client->req_len = req.length = 9;
    REQUEST_FIXED_SIZE(req, 30);
    return Success;
 }
 static void
 dix_request_size_checks(void)
 {
    ClientRec client = { 0 };
    int rc;
    rc = dix_request_fixed_size_overflow(&client);
    assert(rc == BadLength);
    rc = dix_request_fixed_size_match(&client);
    assert(rc == Success);
 }
 int
 main(int argc, char **argv)
 {
    dix_version_compare();
    dix_update_desktop_dimensions();
    dix_request_size_checks();
    return 0;
 }
--- a/test/xi1/Makefile.am
+++ b/test/xi1/Makefile.am
@ -0,0 +1,34 @@
 if ENABLE_UNIT_TESTS
 if HAVE_LD_WRAP
 noinst_PROGRAMS =  \
 	protocol-xchangedevicecontrol
 TESTS=$(noinst_PROGRAMS)
 TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
 AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
 AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
 TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
 COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
 if SPECIAL_DTRACE_OBJECTS
 TEST_LDADD += $(OS_LIB) $(DIX_LIB)
 endif
 protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
 protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
 protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
 else
 # Print that xi1-tests were skipped (exit code 77 for automake test harness)
 TESTS = xi1-tests
 CLEANFILES = $(TESTS)
 xi1-tests:
 	@echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
 	@echo 'exit 77' >> $@
 	$(AM_V_GEN)chmod +x $@
 endif
 endif
--- a/test/xi1/protocol-xchangedevicecontrol.c
+++ b/test/xi1/protocol-xchangedevicecontrol.c
@ -0,0 +1,122 @@
 /**
 * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice (including the next
 * paragraph) shall be included in all copies or substantial portions of the
 * Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */
 #ifdef HAVE_DIX_CONFIG_H
 #include <dix-config.h>
 #endif
 /*
 * Protocol testing for ChangeDeviceControl request.
 */
 #include <stdint.h>
 #include <X11/X.h>
 #include <X11/Xproto.h>
 #include <X11/extensions/XIproto.h>
 #include "inputstr.h"
 #include "chgdctl.h"
 #include "protocol-common.h"
 static ClientRec client_request;
 static void
 reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
 {
    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
    if (client->swapped) {
        swapl(&rep->length);
        swaps(&rep->sequenceNumber);
    }
    reply_check_defaults(rep, len, ChangeDeviceControl);
    /* XXX: check status code in reply */
 }
 static void
 request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
                            xDeviceCtl *ctl, int error)
 {
    int rc;
    client_request.req_len = req->length;
    rc = ProcXChangeDeviceControl(&client_request);
    assert(rc == error);
    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
    client_request.swapped = TRUE;
    swaps(&req->length);
    swaps(&req->control);
    swaps(&ctl->length);
    swaps(&ctl->control);
    /* XXX: swap other contents of ctl, depending on type */
    rc = SProcXChangeDeviceControl(&client_request);
    assert(rc == error);
 }
 static unsigned char *data[4096];       /* the request buffer */
 static void
 test_ChangeDeviceControl(void)
 {
    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
    request_init(request, ChangeDeviceControl);
    reply_handler = reply_ChangeDeviceControl;
    client_request = init_client(request->length, request);
    printf("Testing invalid lengths:\n");
    printf(" -- no control struct\n");
    request_ChangeDeviceControl(&client_request, request, control, BadLength);
    printf(" -- xDeviceResolutionCtl\n");
    request_init(request, ChangeDeviceControl);
    request->control = DEVICE_RESOLUTION;
    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
    request->length += control->length - 2;
    request_ChangeDeviceControl(&client_request, request, control, BadLength);
    printf(" -- xDeviceEnableCtl\n");
    request_init(request, ChangeDeviceControl);
    request->control = DEVICE_ENABLE;
    control->length = (sizeof(xDeviceEnableCtl) >> 2);
    request->length += control->length - 2;
    request_ChangeDeviceControl(&client_request, request, control, BadLength);
    /* XXX: Test functionality! */
 }
 int
 main(int argc, char **argv)
 {
    init_simple();
    test_ChangeDeviceControl();
    return 0;
 }
--- a/test/xi2/protocol-xigetclientpointer.c
+++ b/test/xi2/protocol-xigetclientpointer.c
@ -124,6 +124,11 @@ test_XIGetClientPointer(void)
    request.win = INVALID_WINDOW_ID;
    request_XIGetClientPointer(&client_request, &request, BadWindow);
    printf("Testing invalid length\n");
    client_request.req_len -= 4;
    request_XIGetClientPointer(&client_request, &request, BadLength);
    client_request.req_len += 4;
    test_data.cp_is_set = FALSE;
    printf("Testing window None, unset ClientPointer.\n");
--- a/test/xi2/protocol-xipassivegrabdevice.c
+++ b/test/xi2/protocol-xipassivegrabdevice.c
@ -139,6 +139,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
    int local_modifiers;
    int mask_len;
    client_request.req_len = req->length;
    rc = ProcXIPassiveGrabDevice(&client_request);
    assert(rc == error);
@ -190,6 +191,13 @@ test_XIPassiveGrabDevice(void)
    request_XIPassiveGrabDevice(&client_request, request, BadDevice,
                                request->deviceid);
    printf("Testing invalid length\n");
    request->length -= 2;
    request_XIPassiveGrabDevice(&client_request, request, BadLength,
                                client_request.errorValue);
    /* re-init request since swapped length test leaves some values swapped */
    request_init(request, XIPassiveGrabDevice);
    request->grab_window = CLIENT_WINDOW_ID;
    request->deviceid = XIAllMasterDevices;
    printf("Testing invalid grab types\n");
--- a/test/xi2/protocol-xiquerypointer.c
+++ b/test/xi2/protocol-xiquerypointer.c
@ -201,6 +201,10 @@ test_XIQueryPointer(void)
    test_data.dev = devices.mouse;
    request.deviceid = devices.mouse->id;
    request_XIQueryPointer(&client_request, &request, Success);
    /* test REQUEST_SIZE_MATCH */
    client_request.req_len -= 4;
    request_XIQueryPointer(&client_request, &request, BadLength);
 }
 int
--- a/test/xi2/protocol-xiwarppointer.c
+++ b/test/xi2/protocol-xiwarppointer.c
@ -198,6 +198,9 @@ test_XIWarpPointer(void)
    request_XIWarpPointer(&client_request, &request, Success);
    /* FIXME: src_x/y checks */
    client_request.req_len -= 2; /* invalid length */
    request_XIWarpPointer(&client_request, &request, BadLength);
 }
 int
--- a/xfixes/select.c
+++ b/xfixes/select.c
@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
 {
    REQUEST(xXFixesSelectSelectionInputReq);
    REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
    swaps(&stuff->length);
    swapl(&stuff->window);
    swapl(&stuff->selection);