authorAdam Jackson <ajax@redhat.com>2014-11-10 12:13:48 -0500
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commit1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa (patch)
tree3272f3405970a830bfeb82387af1ca6ee37eda8e /nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
parent9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d (diff)
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c')
-rw-r--r--nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
index 2e228c083..33a748a24 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
if (entry->varsize) {
/* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
+ left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
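Review bot: `left - __GLX_RENDER_HDR_SIZE` is a signed subtraction on a length derived from the client's request, and nothing inside this hunk shows that `left` is at least the render header size before the call. The same applies to `left - __GLX_RENDER_LARGE_HDR_SIZE` in the later __glXSwapRenderLarge hunk. If a guard exists earlier in the loop it lies outside the hunk and is worth confirming; without one, a negative remaining length reaches every `varsize` callback and each of them has to treat it as an error. A short comment at the call would record that contract, for example `/* third argument: bytes left after the render header; callbacks must reject a negative value */`. The body of __glXSwapRender starts and ends outside the hunk.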
@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
/*
** This is the first request of a multi request command.
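Review bot: The new `left` is computed from `req->length` on the byte-swapping path, so it is only meaningful if the length field has already been swapped by the time this declaration runs. That swap is not visible in the hunk and should be confirmed. If `req->length << 2` is smaller than `sz_xGLXRenderLargeReq`, `left` becomes negative, and the code then depends on an earlier length check (not shown) or on the callbacks to end in BadLength. The declaration would also benefit from a comment such as `/* bytes in this request after the xGLXRenderLargeReq header */`, because the later call subtracts the large-render command header from it as well.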
@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
return BadLength;
}