author | Mihai Moldovan <ionic@ionic.de> | 2015-04-26 23:32:32 +0200 |
---|---|---|
committer | Mihai Moldovan <ionic@ionic.de> | 2015-04-26 23:34:27 +0200 |
commit | 96efadac50bf40bc502680072570a2950f132fe3 (patch) | |
tree | acbd7103b5908636a97060581ba8bed01b5e83fa /debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch | |
parent | 79a4ed92dbae5089d3ddfcc0acec427ff057ad9b (diff) | |
CVE patches were previously not included in release tarballs.
Rename:
- 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch =>
1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch
- 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch =>
1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch
- 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch =>
1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
- 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch =>
1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch
- 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch =>
1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
- 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch =>
1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
- 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch =>
1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
- 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch =>
1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch
- 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch =>
1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch
- 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch =>
1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch
- 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch =>
1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch =>
1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch
- 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch =>
1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch
- 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch =>
1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch =>
1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch =>
1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch
- 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch =>
1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
- 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch =>
1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch
- 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch =>
1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch
- 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch =>
1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch
- 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch =>
1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch
- 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch =>
1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
- 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch =>
1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch
- 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch =>
1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch
- 1027-render-check-request-size-before-reading-it-CVE-2014.patch =>
1027-render-check-request-size-before-reading-it-CVE.full.patch
- 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch =>
1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
- 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch =>
1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch
- 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch =>
1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch
- 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch =>
1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch
- 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch =>
1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch
- 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch =>
1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch
- 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch =>
1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch
- 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch =>
1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch
- 1036-glx-Integer-overflow-protection-for-non-generated-re.patch =>
1036-glx-Integer-overflow-protection-for-non-generat.full.patch
- 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch =>
1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch
- 1038-glx-Length-checking-for-non-generated-single-request.patch =>
1038-glx-Length-checking-for-non-generated-single-re.full.patch
- 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch =>
1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch
- 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch =>
1040-glx-Pass-remaining-request-length-into-varsize-.full.patch
- 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch =>
1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch
- 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch =>
1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch
- 1101-Coverity-844-845-846-Fix-memory-leaks.patch =>
1101-Coverity-844-845-846-Fix-memory-leaks.full.patch
- 1102-include-introduce-byte-counting-functions.patch =>
1102-include-introduce-byte-counting-functions.full.patch
- 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch =>
1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
- 1104-xkb-Check-strings-length-against-request-size.patch =>
1104-xkb-Check-strings-length-against-request-size.full.patch
Diffstat (limited to 'debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch')
-rw-r--r-- | debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch | 622 |
1 files changed, 0 insertions, 622 deletions
diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
deleted file mode 100644
index 85181f071..000000000
--- a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
+++ /dev/null
@@ -1,622 +0,0 @@ -From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001 -From: Adam Jackson <ajax@redhat.com> -Date: Mon, 10 Nov 2014 12:13:48 -0500 -Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2) - [CVE-2014-8098 8/8] (V3) - -v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) - -v3: RHEL5 backport - -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Julien Cristau <jcristau@debian.org> -Reviewed-by: Michal Srb <msrb@suse.com> -Reviewed-by: Andy Ritger <aritger@nvidia.com> -Signed-off-by: Adam Jackson <ajax@redhat.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> -Signed-off-by: Dave Airlie <airlied@redhat.com> ---- - nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +- - nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +- - nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++---------- - nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++------------- - 4 files changed, 121 insertions(+), 107 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -index 20c12f3..a1bb259 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) - - if (entry->varsize) { - /* variable size command */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - if (cl->largeCmdRequestsSoFar == 0) { - __GLXrenderSizeData *entry; - int extra = 0, cmdlen; -+ int left = (req->length << 2) - sz_xGLXRenderLargeReq; - /* - ** This is the first request of a multi request command. - ** Make enough space in the buffer, then copy the entire request. 
-@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** be computed from its parameters), all the parameters needed - ** will be in the 1st request, so it's okay to do this. - */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False, -+ left - __GLX_RENDER_LARGE_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -index 2e228c0..33a748a 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) - - if (entry->varsize) { - /* variable size command */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True, -+ left - __GLX_RENDER_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - if (cl->largeCmdRequestsSoFar == 0) { - __GLXrenderSizeData *entry; - int extra = 0; -+ int left = (req->length << 2) - sz_xGLXRenderLargeReq; - size_t cmdlen; - /* - ** This is the first request of a multi request command. -@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** be computed from its parameters), all the parameters needed - ** will be in the 1st request, so it's okay to do this. 
- */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True, -+ left - __GLX_RENDER_LARGE_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h -index 4047574..193ebcb 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxserver.h -+++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h -@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[]; - */ - typedef struct { - int bytes; -- int (*varsize)(GLbyte *pc, Bool swap); -+ int (*varsize)(GLbyte *pc, Bool swap, int left); - } __GLXrenderSizeData; - extern __GLXrenderSizeData __glXRenderSizeTable[]; - extern __GLXrenderSizeData __glXRenderSizeTable_EXT[]; -@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type, - GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows, - GLint alignment); - --extern int __glXCallListsReqSize(GLbyte *pc, Bool swap); --extern int __glXBitmapReqSize(GLbyte *pc, Bool swap); --extern int __glXFogfvReqSize(GLbyte *pc, Bool swap); --extern int __glXFogivReqSize(GLbyte *pc, Bool swap); --extern int __glXLightfvReqSize(GLbyte *pc, Bool swap); --extern int __glXLightivReqSize(GLbyte *pc, Bool swap); --extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap); --extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap); --extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap); --extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap); --extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap); --extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap); --extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap); --extern int 
__glXTexGenfvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap); --extern int __glXMap1dReqSize(GLbyte *pc, Bool swap); --extern int __glXMap1fReqSize(GLbyte *pc, Bool swap); --extern int __glXMap2dReqSize(GLbyte *pc, Bool swap); --extern int __glXMap2fReqSize(GLbyte *pc, Bool swap); --extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap); --extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap); --extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap); --extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap); --extern int __glXDrawArraysSize(GLbyte *pc, Bool swap); --extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap); --extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ); --extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap); --extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap); --extern int __glXColorTableReqSize(GLbyte *pc, Bool swap); --extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap); --extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap); --extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap); -+extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int 
__glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ); -+extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, 
int reqlen); -+extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); - - /* - * Routines for computing the size of returned data. -@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname); - extern int __glXColorTableParameterfvSize(GLenum pname); - extern int __glXColorTableParameterivSize(GLenum pname); - --extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap); --extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap); -+extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); - - #endif /* !__GLX_server_h__ */ -diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c -index 9bf0d00..dc3475e 100644 ---- a/nx-X11/programs/Xserver/GL/glx/rensize.c -+++ b/nx-X11/programs/Xserver/GL/glx/rensize.c -@@ -48,7 +48,7 @@ - (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ - ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) - --int __glXCallListsReqSize(GLbyte *pc, Bool swap ) -+int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLsizei n = *(GLsizei *)(pc + 0); - GLenum type = *(GLenum *)(pc + 4); -@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap ) - return n * __glCallLists_size( type ); - } - --int __glXFogivReqSize(GLbyte *pc, Bool swap ) -+int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen) 
- { - GLenum pname = *(GLenum *)(pc + 0); - if (swap) { -@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) - return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ - } - --int __glXFogfvReqSize(GLbyte *pc, Bool swap ) -+int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXFogivReqSize( pc, swap ); -+ return __glXFogivReqSize( pc, swap, reqlen); - } - --int __glXLightfvReqSize(GLbyte *pc, Bool swap ) -+int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXLightivReqSize(GLbyte *pc, Bool swap ) -+int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXLightfvReqSize( pc, swap ); -+ return __glXLightfvReqSize( pc, swap, reqlen); - } - --int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) -+int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 0); - if (swap) { -@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) -+int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXLightModelfvReqSize( pc, swap ); -+ return __glXLightModelfvReqSize( pc, swap, reqlen); - } - --int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) -+int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) -+int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXMaterialfvReqSize( pc, swap ); -+ return 
__glXMaterialfvReqSize( pc, swap, reqlen); - } - --int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) - return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) -+int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXTexGenfvReqSize( pc, swap ); -+ return __glXTexGenfvReqSize( pc, swap, reqlen); - } - --int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXTexParameterfvReqSize( pc, swap ); -+ return __glXTexParameterfvReqSize( pc, swap, reqlen); - } - --int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) -+int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) - { -- return __glXTexEnvfvReqSize( pc, swap ); -+ return __glXTexEnvfvReqSize( 
pc, swap, reqlen); - } - --int __glXMap1dReqSize(GLbyte *pc, Bool swap ) -+int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) - { - GLenum target; - GLint order; -@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) - return safe_mul(8, safe_mul(__glMap1d_size(target), order)); - } - --int __glXMap1fReqSize(GLbyte *pc, Bool swap ) -+int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) - { - GLenum target; - GLint order; -@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) - return safe_mul(k, safe_mul(majorOrder, minorOrder)); - } - --int __glXMap2dReqSize(GLbyte *pc, Bool swap ) -+int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum target; - GLint uorder, vorder; -@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) - return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); - } - --int __glXMap2fReqSize(GLbyte *pc, Bool swap ) -+int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum target; - GLint uorder, vorder; -@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) - return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); - } - --int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) -+int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLint mapsize; - mapsize = *(GLint *)(pc + 4); -@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) - return 4 * mapsize; - } - --int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) -+int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXPixelMapfvReqSize( pc, swap ); -+ return __glXPixelMapfvReqSize( pc, swap, reqlen); - } - --int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) -+int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLint mapsize; - mapsize = *(GLint *)(pc + 4); -@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, - } - - --int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap 
) -+int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; - GLenum format = hdr->format; -@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXBitmapReqSize(GLbyte *pc, Bool swap ) -+int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; - GLint w = hdr->width; -@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; - GLenum target = hdr->target; -@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; - GLenum target = hdr->target; -@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) - } - } - --int __glXDrawArraysSize( GLbyte *pc, Bool swap ) -+int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; - __GLXdispatchDrawArraysComponentHeader *compHeader; - GLint numVertexes = hdr->numVertexes; - GLint numComponents = hdr->numComponents; - GLint arrayElementSize = 0; -+ GLint x, size; - int i; - - if (swap) { -@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) - } - - pc += sizeof(__GLXdispatchDrawArraysHeader); -+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); -+ -+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), -+ numComponents); -+ if (size < 0 || reqlen < 0 || reqlen < size) -+ return -1; -+ - 
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; - - for (i=0; i<numComponents; i++) { -@@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) - return -1; - } - -- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); -+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); -+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) -+ return -1; - - pc += sizeof(__GLXdispatchDrawArraysComponentHeader); - } - -- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + -- (numVertexes * arrayElementSize)); -+ return safe_add(size, safe_mul(numVertexes, arrayElementSize)); - } - --int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap ) -+int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLint n = *(GLsizei *)(pc + 0); - if (swap) n = SWAPL(n); - return(8*n); /* 4*n for textures, 4*n for priorities */ - } - --int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; - GLenum format = hdr->format; -@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; - GLenum format = hdr->format; -@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; - GLenum target = hdr->target; -@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) - } - } - --int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) 
-+int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexSubImage3DHeader *hdr = - (__GLXdispatchTexSubImage3DHeader *) pc; -@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) - } - } - --int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchConvolutionFilterHeader *hdr = - (__GLXdispatchConvolutionFilterHeader *) pc; -@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, 0, alignment ); - } - --int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchConvolutionFilterHeader *hdr = - (__GLXdispatchConvolutionFilterHeader *) pc; -@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) - return __glXConvolutionParameterivSize(pname); - } - --int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) - return 4 * __glXConvolutionParameterivSize( pname ); - } - --int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXConvolutionParameterivReqSize( pc, swap ); -+ return __glXConvolutionParameterivReqSize( pc, swap, reqlen); - } - --int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) -+int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchConvolutionFilterHeader *hdr = - (__GLXdispatchConvolutionFilterHeader *) pc; -@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) - return __glXColorTableParameterfvSize(pname); - } - --int __glXColorTableReqSize(GLbyte *pc, Bool swap ) -+int 
__glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchColorTableHeader *hdr = - (__GLXdispatchColorTableHeader *) pc; -@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, 0, alignment ); - } - --int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) -+int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchColorSubTableHeader *hdr = - (__GLXdispatchColorSubTableHeader *) pc; -@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, 0, alignment ); - } - --int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) -+int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glXColorTableParameterfvSize(pname); - } - --int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - /* no difference between fv and iv versions */ -- return __glXColorTableParameterfvReqSize(pc, swap); -+ return __glXColorTableParameterfvReqSize(pc, swap, reqlen); - } - --int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) -+int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 0); - if (swap) { -@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) - return 4 * __glPointParameterfvEXT_size( pname ); - } - --int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - /* no difference between fv and iv versions */ -- return __glXPointParameterfvARBReqSize(pc, swap); -+ return __glXPointParameterfvARBReqSize(pc, swap, reqlen); - } --- -2.1.4 - |