diff options
| -rw-r--r-- | nx-X11/programs/Xserver/GL/glx/glxcmds.c | 20 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 20 |
2 files changed, 20 insertions, 20 deletions
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c index 02f3ba7f2..831c65bec 100644 --- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c +++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c @@ -1443,7 +1443,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData *entry; - int extra; + int extra = 0; void (* proc)(GLbyte *); /* @@ -1454,6 +1454,9 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) cmdlen = hdr->length; opcode = hdr->opcode; + if (left < cmdlen) + return BadLength; + /* ** Check for core opcodes and grab entry data. */ @@ -1480,22 +1483,19 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) client->errorValue = commandsDone; return __glXBadRenderRequest; } + + if (cmdlen < entry->bytes) { + return BadLength; + } + if (entry->varsize) { /* variable size command */ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); if (extra < 0) { return BadLength; } - if (cmdlen != __GLX_PAD(entry->bytes + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry->bytes)) { - return BadLength; - } } - if (left < cmdlen) { + if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { return BadLength; } diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c index 027cba709..7174fdaec 100644 --- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c @@ -498,7 +498,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData *entry; - int extra; + int extra = 0; void (* proc)(GLbyte *); /* @@ -511,6 +511,9 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) cmdlen = hdr->length; opcode = hdr->opcode; + if (left < cmdlen) + return BadLength; + if ( (opcode >= __GLX_MIN_RENDER_OPCODE) && (opcode <= __GLX_MAX_RENDER_OPCODE) ) { entry = &__glXRenderSizeTable[opcode]; @@ -531,22 +534,19 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) client->errorValue = commandsDone; return __glXBadRenderRequest; } + + if (cmdlen < entry->bytes) { + return BadLength; + } + if (entry->varsize) { /* variable size command */ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); if (extra < 0) { return BadLength; } - if (cmdlen != __GLX_PAD(entry->bytes + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry->bytes)) { - return BadLength; - } } - if (left < cmdlen) { + if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { return BadLength; } |