aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch')
-rw-r--r--debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch622
1 files changed, 622 insertions, 0 deletions
diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
new file mode 100644
index 000000000..85181f071
--- /dev/null
+++ b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
@@ -0,0 +1,622 @@
+From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:48 -0500
+Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2)
+ [CVE-2014-8098 8/8] (V3)
+
+v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
+
+v3: RHEL5 backport
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +-
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +-
+ nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++----------
+ nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++-------------
+ 4 files changed, 121 insertions(+), 107 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+index 20c12f3..a1bb259 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+
+ if (entry->varsize) {
+ /* variable size command */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+ int extra = 0, cmdlen;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ /*
+ ** This is the first request of a multi request command.
+ ** Make enough space in the buffer, then copy the entire request.
+@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** be computed from its parameters), all the parameters needed
+ ** will be in the 1st request, so it's okay to do this.
+ */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 2e228c0..33a748a 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+
+ if (entry->varsize) {
+ /* variable size command */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
++ left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+ int extra = 0;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ size_t cmdlen;
+ /*
+ ** This is the first request of a multi request command.
+@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** be computed from its parameters), all the parameters needed
+ ** will be in the 1st request, so it's okay to do this.
+ */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+index 4047574..193ebcb 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[];
+ */
+ typedef struct {
+ int bytes;
+- int (*varsize)(GLbyte *pc, Bool swap);
++ int (*varsize)(GLbyte *pc, Bool swap, int left);
+ } __GLXrenderSizeData;
+ extern __GLXrenderSizeData __glXRenderSizeTable[];
+ extern __GLXrenderSizeData __glXRenderSizeTable_EXT[];
+@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type,
+ GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows,
+ GLint alignment);
+
+-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap);
+-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap);
+-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXFogivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap);
+-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap);
+-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap );
+-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap);
++extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen );
++extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+
+ /*
+ * Routines for computing the size of returned data.
+@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname);
+ extern int __glXColorTableParameterfvSize(GLenum pname);
+ extern int __glXColorTableParameterivSize(GLenum pname);
+
+-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap);
++extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+
+ #endif /* !__GLX_server_h__ */
+diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
+index 9bf0d00..dc3475e 100644
+--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
+@@ -48,7 +48,7 @@
+ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
+ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
+
+-int __glXCallListsReqSize(GLbyte *pc, Bool swap )
++int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *)(pc + 0);
+ GLenum type = *(GLenum *)(pc + 4);
+@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap )
+ return n * __glCallLists_size( type );
+ }
+
+-int __glXFogivReqSize(GLbyte *pc, Bool swap )
++int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 0);
+ if (swap) {
+@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXFogfvReqSize(GLbyte *pc, Bool swap )
++int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXFogivReqSize( pc, swap );
++ return __glXFogivReqSize( pc, swap, reqlen);
+ }
+
+-int __glXLightfvReqSize(GLbyte *pc, Bool swap )
++int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXLightivReqSize(GLbyte *pc, Bool swap )
++int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXLightfvReqSize( pc, swap );
++ return __glXLightfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
++int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 0);
+ if (swap) {
+@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXLightModelivReqSize(GLbyte *pc, Bool swap )
++int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXLightModelfvReqSize( pc, swap );
++ return __glXLightModelfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
++int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXMaterialivReqSize(GLbyte *pc, Bool swap )
++int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXMaterialfvReqSize( pc, swap );
++ return __glXMaterialfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
++int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
+ return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
++int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexGenivReqSize(GLbyte *pc, Bool swap )
++int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXTexGenfvReqSize( pc, swap );
++ return __glXTexGenfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
++int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXTexParameterfvReqSize( pc, swap );
++ return __glXTexParameterfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
++int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
++int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen )
+ {
+- return __glXTexEnvfvReqSize( pc, swap );
++ return __glXTexEnvfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXMap1dReqSize(GLbyte *pc, Bool swap )
++int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen )
+ {
+ GLenum target;
+ GLint order;
+@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
+ }
+
+-int __glXMap1fReqSize(GLbyte *pc, Bool swap )
++int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen )
+ {
+ GLenum target;
+ GLint order;
+@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder)
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
+ }
+
+-int __glXMap2dReqSize(GLbyte *pc, Bool swap )
++int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder;
+@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
+ }
+
+-int __glXMap2fReqSize(GLbyte *pc, Bool swap )
++int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder;
+@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
+ }
+
+-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
++int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLint mapsize;
+ mapsize = *(GLint *)(pc + 4);
+@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * mapsize;
+ }
+
+-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap )
++int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXPixelMapfvReqSize( pc, swap );
++ return __glXPixelMapfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap )
++int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLint mapsize;
+ mapsize = *(GLint *)(pc + 4);
+@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
+ }
+
+
+-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
++int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc;
+ GLenum format = hdr->format;
+@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXBitmapReqSize(GLbyte *pc, Bool swap )
++int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc;
+ GLint w = hdr->width;
+@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
++int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
+ GLenum target = hdr->target;
+@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap )
++int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
+ GLenum target = hdr->target;
+@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm)
+ }
+ }
+
+-int __glXDrawArraysSize( GLbyte *pc, Bool swap )
++int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
+ __GLXdispatchDrawArraysComponentHeader *compHeader;
+ GLint numVertexes = hdr->numVertexes;
+ GLint numComponents = hdr->numComponents;
+ GLint arrayElementSize = 0;
++ GLint x, size;
+ int i;
+
+ if (swap) {
+@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+ }
+
+ pc += sizeof(__GLXdispatchDrawArraysHeader);
++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
++
++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
++ numComponents);
++ if (size < 0 || reqlen < 0 || reqlen < size)
++ return -1;
++
+ compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
+
+ for (i=0; i<numComponents; i++) {
+@@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+ return -1;
+ }
+
+- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
++ return -1;
+
+ pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
+ }
+
+- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
+- (numVertexes * arrayElementSize));
++ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
+ }
+
+-int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap )
++int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLint n = *(GLsizei *)(pc + 0);
+ if (swap) n = SWAPL(n);
+ return(8*n); /* 4*n for textures, 4*n for priorities */
+ }
+
+-int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
++int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
+ GLenum format = hdr->format;
+@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
++int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
+ GLenum format = hdr->format;
+@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
++int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc;
+ GLenum target = hdr->target;
+@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
+ }
+ }
+
+-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
++int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexSubImage3DHeader *hdr =
+ (__GLXdispatchTexSubImage3DHeader *) pc;
+@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
+ }
+ }
+
+-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, 0, alignment );
+ }
+
+-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname)
+ return __glXConvolutionParameterivSize(pname);
+ }
+
+-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glXConvolutionParameterivSize( pname );
+ }
+
+-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXConvolutionParameterivReqSize( pc, swap );
++ return __glXConvolutionParameterivReqSize( pc, swap, reqlen);
+ }
+
+-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
++int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname)
+ return __glXColorTableParameterfvSize(pname);
+ }
+
+-int __glXColorTableReqSize(GLbyte *pc, Bool swap )
++int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchColorTableHeader *hdr =
+ (__GLXdispatchColorTableHeader *) pc;
+@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, 0, alignment );
+ }
+
+-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
++int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchColorSubTableHeader *hdr =
+ (__GLXdispatchColorSubTableHeader *) pc;
+@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, 0, alignment );
+ }
+
+-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
++int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glXColorTableParameterfvSize(pname);
+ }
+
+-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ /* no difference between fv and iv versions */
+- return __glXColorTableParameterfvReqSize(pc, swap);
++ return __glXColorTableParameterfvReqSize(pc, swap, reqlen);
+ }
+
+-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
++int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 0);
+ if (swap) {
+@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glPointParameterfvEXT_size( pname );
+ }
+
+-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ /* no difference between fv and iv versions */
+- return __glXPointParameterfvARBReqSize(pc, swap);
++ return __glXPointParameterfvARBReqSize(pc, swap, reqlen);
+ }
+--
+2.1.4
+