diff options
Diffstat (limited to 'debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch')
-rw-r--r-- | debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch | 622 |
1 files changed, 622 insertions, 0 deletions
diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch new file mode 100644 index 000000000..85181f071 --- /dev/null +++ b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch @@ -0,0 +1,622 @@ +From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:48 -0500 +Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2) + [CVE-2014-8098 8/8] (V3) + +v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) + +v3: RHEL5 backport + +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> +Signed-off-by: Dave Airlie <airlied@redhat.com> +--- + nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +- + nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +- + nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++---------- + nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++------------- + 4 files changed, 121 insertions(+), 107 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +index 20c12f3..a1bb259 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) + + if (entry->varsize) { + /* variable size command */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData *entry; + int extra = 0, cmdlen; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + /* + ** This is the first request of a multi request command. + ** Make enough space in the buffer, then copy the entire request. +@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** be computed from its parameters), all the parameters needed + ** will be in the 1st request, so it's okay to do this. + */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +index 2e228c0..33a748a 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) + + if (entry->varsize) { + /* variable size command */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True, ++ left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData *entry; + int extra = 0; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + size_t cmdlen; + /* + ** This is the first request of a multi request command. +@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** be computed from its parameters), all the parameters needed + ** will be in the 1st request, so it's okay to do this. + */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h +index 4047574..193ebcb 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h ++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h +@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[]; + */ + typedef struct { + int bytes; +- int (*varsize)(GLbyte *pc, Bool swap); ++ int (*varsize)(GLbyte *pc, Bool swap, int left); + } __GLXrenderSizeData; + extern __GLXrenderSizeData __glXRenderSizeTable[]; + extern __GLXrenderSizeData __glXRenderSizeTable_EXT[]; +@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type, + GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows, + GLint alignment); + +-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap); +-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap); +-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXFogivReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightivReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap); +-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap); +-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap); +-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap); +-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap); +-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap); +-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ); +-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap); ++extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ); ++extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); + + /* + * Routines for computing the size of returned data. +@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname); + extern int __glXColorTableParameterfvSize(GLenum pname); + extern int __glXColorTableParameterivSize(GLenum pname); + +-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap); +-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap); ++extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); + + #endif /* !__GLX_server_h__ */ +diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c +index 9bf0d00..dc3475e 100644 +--- a/nx-X11/programs/Xserver/GL/glx/rensize.c ++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c +@@ -48,7 +48,7 @@ + (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ + ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) + +-int __glXCallListsReqSize(GLbyte *pc, Bool swap ) ++int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *)(pc + 0); + GLenum type = *(GLenum *)(pc + 4); +@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap ) + return n * __glCallLists_size( type ); + } + +-int __glXFogivReqSize(GLbyte *pc, Bool swap ) ++int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) + return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXFogfvReqSize(GLbyte *pc, Bool swap ) ++int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXFogivReqSize( pc, swap ); ++ return __glXFogivReqSize( pc, swap, reqlen); + } + +-int __glXLightfvReqSize(GLbyte *pc, Bool swap ) ++int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXLightivReqSize(GLbyte *pc, Bool swap ) ++int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXLightfvReqSize( pc, swap ); ++ return __glXLightfvReqSize( pc, swap, reqlen); + } + +-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) ++int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) ++int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXLightModelfvReqSize( pc, swap ); ++ return __glXLightModelfvReqSize( pc, swap, reqlen); + } + +-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) ++int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) ++int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXMaterialfvReqSize( pc, swap ); ++ return __glXMaterialfvReqSize( pc, swap, reqlen); + } + +-int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) + return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXTexGenfvReqSize( pc, swap ); ++ return __glXTexGenfvReqSize( pc, swap, reqlen); + } + +-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXTexParameterfvReqSize( pc, swap ); ++ return __glXTexParameterfvReqSize( pc, swap, reqlen); + } + +-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) + { +- return __glXTexEnvfvReqSize( pc, swap ); ++ return __glXTexEnvfvReqSize( pc, swap, reqlen); + } + +-int __glXMap1dReqSize(GLbyte *pc, Bool swap ) ++int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) + { + GLenum target; + GLint order; +@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) + return safe_mul(8, safe_mul(__glMap1d_size(target), order)); + } + +-int __glXMap1fReqSize(GLbyte *pc, Bool swap ) ++int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) + { + GLenum target; + GLint order; +@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) + return safe_mul(k, safe_mul(majorOrder, minorOrder)); + } + +-int __glXMap2dReqSize(GLbyte *pc, Bool swap ) ++int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder; +@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) + return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); + } + +-int __glXMap2fReqSize(GLbyte *pc, Bool swap ) ++int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder; +@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) + return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); + } + +-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint mapsize; + mapsize = *(GLint *)(pc + 4); +@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) + return 4 * mapsize; + } + +-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXPixelMapfvReqSize( pc, swap ); ++ return __glXPixelMapfvReqSize( pc, swap, reqlen); + } + +-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint mapsize; + mapsize = *(GLint *)(pc + 4); +@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + } + + +-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) ++int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; + GLenum format = hdr->format; +@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXBitmapReqSize(GLbyte *pc, Bool swap ) ++int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; + GLint w = hdr->width; +@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; + GLenum target = hdr->target; +@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; + GLenum target = hdr->target; +@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) + } + } + +-int __glXDrawArraysSize( GLbyte *pc, Bool swap ) ++int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; + __GLXdispatchDrawArraysComponentHeader *compHeader; + GLint numVertexes = hdr->numVertexes; + GLint numComponents = hdr->numComponents; + GLint arrayElementSize = 0; ++ GLint x, size; + int i; + + if (swap) { +@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) + } + + pc += sizeof(__GLXdispatchDrawArraysHeader); ++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); ++ ++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), ++ numComponents); ++ if (size < 0 || reqlen < 0 || reqlen < size) ++ return -1; ++ + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; + + for (i=0; i<numComponents; i++) { +@@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) + return -1; + } + +- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); ++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); ++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) ++ return -1; + + pc += sizeof(__GLXdispatchDrawArraysComponentHeader); + } + +- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + +- (numVertexes * arrayElementSize)); ++ return safe_add(size, safe_mul(numVertexes, arrayElementSize)); + } + +-int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap ) ++int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint n = *(GLsizei *)(pc + 0); + if (swap) n = SWAPL(n); + return(8*n); /* 4*n for textures, 4*n for priorities */ + } + +-int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; + GLenum format = hdr->format; +@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; + GLenum format = hdr->format; +@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; + GLenum target = hdr->target; +@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) + } + } + +-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImage3DHeader *hdr = + (__GLXdispatchTexSubImage3DHeader *) pc; +@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) + } + } + +-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) + return __glXConvolutionParameterivSize(pname); + } + +-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) + return 4 * __glXConvolutionParameterivSize( pname ); + } + +-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXConvolutionParameterivReqSize( pc, swap ); ++ return __glXConvolutionParameterivReqSize( pc, swap, reqlen); + } + +-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) ++int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) + return __glXColorTableParameterfvSize(pname); + } + +-int __glXColorTableReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchColorTableHeader *hdr = + (__GLXdispatchColorTableHeader *) pc; +@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) ++int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchColorSubTableHeader *hdr = + (__GLXdispatchColorSubTableHeader *) pc; +@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glXColorTableParameterfvSize(pname); + } + +-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + /* no difference between fv and iv versions */ +- return __glXColorTableParameterfvReqSize(pc, swap); ++ return __glXColorTableParameterfvReqSize(pc, swap, reqlen); + } + +-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) ++int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) + return 4 * __glPointParameterfvEXT_size( pname ); + } + +-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + /* no difference between fv and iv versions */ +- return __glXPointParameterfvARBReqSize(pc, swap); ++ return __glXPointParameterfvARBReqSize(pc, swap, reqlen); + } +-- +2.1.4 + |