From 4587881130db36125c6b800e8f7e3fa0a3c5c9fb Mon Sep 17 00:00:00 2001 
From: Mike Gabriel Date: Sat, 14 Feb 2015 16:40:07 +0100 Subject: 40 patches, fixing several X.Org CVEs in NX. * Security fixes: - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not all patches from a CVE patch series appear here, then it means that the affected file/code is not used in NX at build time. - X.Org CVE-2011-2895: 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch - X.Org CVE-2011-4028: 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch - X.Org CVE-2013-4396: 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch - X.Org CVE-2013-6462: 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch - X.Org CVE-2014-0209: 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch - X.Org CVE-2014-0210: 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch - X.Org CVE-2014-0211: 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch - X.Org CVE-2014-8092: 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch - X.Org CVE-2014-8097: 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch - X.Org CVE-2014-8095: 
1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch - X.Org CVE-2014-8096: 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch - X.Org CVE-2014-8099: 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch - X.Org CVE-2014-8100: 1027-render-check-request-size-before-reading-it-CVE-2014.patch 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch - X.Org CVE-2014-8102: 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch - X.Org CVE-2014-8101: 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch - X.Org CVE-2014-8093: 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch 1036-glx-Integer-overflow-protection-for-non-generated-re.patch - X.Org CVE-2014-8098: 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch 1038-glx-Length-checking-for-non-generated-single-request.patch 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch - Security fixes with no assigned CVE: 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch --- ...maining-request-length-into-varsize-v2-CV.patch | 622 +++++++++++++++++++++ 1 file changed, 622 insertions(+) create mode 100644 debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch (limited to 'debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch') diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch new file mode 100644 index 000000000..85181f071 --- /dev/null +++ b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch 
@@ -0,0 +1,622 @@
+From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Mon, 10 Nov 2014 12:13:48 -0500
+Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2)
+ [CVE-2014-8098 8/8] (V3)
+
+v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
+
+v3: RHEL5 backport
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Julien Cristau
+Reviewed-by: Michal Srb
+Reviewed-by: Andy Ritger
+Signed-off-by: Adam Jackson
+Signed-off-by: Alan Coopersmith
+Signed-off-by: Fedora X Ninjas
+Signed-off-by: Dave Airlie
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +-
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +-
+ nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++----------
+ nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++-------------
+ 4 files changed, 121 insertions(+), 107 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+index 20c12f3..a1bb259 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+
+ if (entry->varsize) {
+ /* variable size command */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+ int extra = 0, cmdlen;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ /*
+ ** This is the first request of a multi request command.
+ ** Make enough space in the buffer, then copy the entire request.
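Review bot: The new third argument `left - __GLX_RENDER_HDR_SIZE` in `__glXRender` is handed to `entry->varsize` with no check visible in this hunk that `left` is at least the header size, so a short command could pass a negative length to the size routine. Of the routines this patch changes in rensize.c, only `__glXDrawArraysSize` tests `reqlen < 0`; the others never look at the argument. If the lines above the hunk do not already reject that case, add `if (left < __GLX_RENDER_HDR_SIZE) return BadLength;` before the call; if they do, a comment such as `/* left >= __GLX_RENDER_HDR_SIZE, checked above */` would record the invariant. The same applies to the calls in `__glXRenderLarge`, `__glXSwapRender` and `__glXSwapRenderLarge` (with `__GLX_RENDER_LARGE_HDR_SIZE` for the large variants); all four function bodies extend beyond their hunks.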
+@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** be computed from its parameters), all the parameters needed
+ ** will be in the 1st request, so it's okay to do this.
+ */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 2e228c0..33a748a 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+
+ if (entry->varsize) {
+ /* variable size command */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
++ left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+ int extra = 0;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ size_t cmdlen;
+ /*
+ ** This is the first request of a multi request command.
+@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** be computed from its parameters), all the parameters needed
+ ** will be in the 1st request, so it's okay to do this.
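Review bot: The added `int left = (req->length << 2) - sz_xGLXRenderLargeReq;` in `__glXSwapRenderLarge` is only correct if `req->length` is already in host byte order, and the swap is not visible in this hunk. If the field is swapped earlier in the function, a comment on the declaration such as `/* req->length was byte-swapped above */` would make that dependency explicit. If it is not, the bound later passed to `entry->varsize` is derived from a wrong-endian value and does not limit anything. The function starts and ends outside the hunk.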
+ */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+index 4047574..193ebcb 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[];
+ */
+ typedef struct {
+ int bytes;
+- int (*varsize)(GLbyte *pc, Bool swap);
++ int (*varsize)(GLbyte *pc, Bool swap, int left);
+ } __GLXrenderSizeData;
+ extern __GLXrenderSizeData __glXRenderSizeTable[];
+ extern __GLXrenderSizeData __glXRenderSizeTable_EXT[];
+@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type,
+ GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows,
+ GLint alignment);
+
+-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap);
+-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap);
+-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXFogivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap);
+-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap);
+-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap );
+-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap);
++extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen );
++extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+
+ /*
+ * Routines for computing the size of returned data.
+@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname);
+ extern int __glXColorTableParameterfvSize(GLenum pname);
+ extern int __glXColorTableParameterivSize(GLenum pname);
+
+-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap);
++extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+
+ #endif /* !__GLX_server_h__ */
+diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
+index 9bf0d00..dc3475e 100644
+--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
+@@ -48,7 +48,7 @@
+ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
+ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
+
+-int __glXCallListsReqSize(GLbyte *pc, Bool swap )
++int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *)(pc + 0);
+ GLenum type = *(GLenum *)(pc + 4);
+@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap )
+ return n * __glCallLists_size( type );
+ }
+
+-int __glXFogivReqSize(GLbyte *pc, Bool swap )
++int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen)
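Review bot: The new parameter is called `reqlen` in every prototype in glxserver.h but `left` in the `varsize` member of `__GLXrenderSizeData` (the `@@ -179` hunk), and neither place documents what it carries. From the call sites in glxcmds.c it is the byte count remaining after the render header, and a negative return makes the caller answer `BadLength`. I would use one name in both places and put the contract above the member, e.g. `/* reqlen: bytes of request data available at pc; return extra size, or < 0 to reject */`. Without that, an implementer of a new size routine cannot tell that bounds-checking against the argument is their job.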
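Review bot: `__glXCallListsReqSize` now receives `reqlen` but, in the lines visible here, still reads `pc + 0` and `pc + 4` and returns `n * __glCallLists_size( type )` (context of the following `@@ -60` hunk) without consulting it, so a client-supplied count goes into a plain `int` multiply with no sign or overflow check. `__glXPixelMapfvReqSize` does the same with `return 4 * mapsize;`, while the Map1/Map2 routines in this file already go through `safe_mul`. Assuming `safe_mul` returns a negative value for negative or overflowing operands, as its use in `__glXDrawArraysSize` suggests, these could become `return safe_mul(n, __glCallLists_size(type));` and `return safe_mul(4, mapsize);`. The lines between the two CallLists hunks are not shown, so an existing guard there cannot be ruled out. Apart from `__glXDrawArraysSize`, every routine touched in this file takes `reqlen` and ignores it; a short comment saying which check the caller has already done would make that deliberate rather than accidental.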
+ { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) + return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXFogfvReqSize(GLbyte *pc, Bool swap ) ++int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXFogivReqSize( pc, swap ); ++ return __glXFogivReqSize( pc, swap, reqlen); + } + +-int __glXLightfvReqSize(GLbyte *pc, Bool swap ) ++int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXLightivReqSize(GLbyte *pc, Bool swap ) ++int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXLightfvReqSize( pc, swap ); ++ return __glXLightfvReqSize( pc, swap, reqlen); + } + +-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) ++int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) ++int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXLightModelfvReqSize( pc, swap ); ++ return __glXLightModelfvReqSize( pc, swap, reqlen); + } + +-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) ++int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) ++int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXMaterialfvReqSize( pc, swap ); ++ return 
__glXMaterialfvReqSize( pc, swap, reqlen); + } + +-int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) + return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXTexGenfvReqSize( pc, swap ); ++ return __glXTexGenfvReqSize( pc, swap, reqlen); + } + +-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXTexParameterfvReqSize( pc, swap ); ++ return __glXTexParameterfvReqSize( pc, swap, reqlen); + } + +-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) + { +- return __glXTexEnvfvReqSize( pc, swap ); ++ return __glXTexEnvfvReqSize( 
pc, swap, reqlen); + } + +-int __glXMap1dReqSize(GLbyte *pc, Bool swap ) ++int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) + { + GLenum target; + GLint order; +@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) + return safe_mul(8, safe_mul(__glMap1d_size(target), order)); + } + +-int __glXMap1fReqSize(GLbyte *pc, Bool swap ) ++int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) + { + GLenum target; + GLint order; +@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) + return safe_mul(k, safe_mul(majorOrder, minorOrder)); + } + +-int __glXMap2dReqSize(GLbyte *pc, Bool swap ) ++int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder; +@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) + return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); + } + +-int __glXMap2fReqSize(GLbyte *pc, Bool swap ) ++int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder; +@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) + return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); + } + +-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint mapsize; + mapsize = *(GLint *)(pc + 4); +@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) + return 4 * mapsize; + } + +-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXPixelMapfvReqSize( pc, swap ); ++ return __glXPixelMapfvReqSize( pc, swap, reqlen); + } + +-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint mapsize; + mapsize = *(GLint *)(pc + 4); +@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + } + + +-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap 
) ++int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; + GLenum format = hdr->format; +@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXBitmapReqSize(GLbyte *pc, Bool swap ) ++int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; + GLint w = hdr->width; +@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; + GLenum target = hdr->target; +@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; + GLenum target = hdr->target; +@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) + } + } + +-int __glXDrawArraysSize( GLbyte *pc, Bool swap ) ++int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; + __GLXdispatchDrawArraysComponentHeader *compHeader; + GLint numVertexes = hdr->numVertexes; + GLint numComponents = hdr->numComponents; + GLint arrayElementSize = 0; ++ GLint x, size; + int i; + + if (swap) { +@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) + } + + pc += sizeof(__GLXdispatchDrawArraysHeader); ++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); ++ ++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), ++ numComponents); ++ if (size < 0 || reqlen < 0 || reqlen < size) ++ return -1; ++ + 
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; + + for (i=0; iformat; +@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; + GLenum format = hdr->format; +@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; + GLenum target = hdr->target; +@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) + } + } + +-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImage3DHeader *hdr = + (__GLXdispatchTexSubImage3DHeader *) pc; +@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) + } + } + +-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) + return __glXConvolutionParameterivSize(pname); + } + +-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionParameterivReqSize(GLbyte 
*pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) + return 4 * __glXConvolutionParameterivSize( pname ); + } + +-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXConvolutionParameterivReqSize( pc, swap ); ++ return __glXConvolutionParameterivReqSize( pc, swap, reqlen); + } + +-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) ++int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) + return __glXColorTableParameterfvSize(pname); + } + +-int __glXColorTableReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchColorTableHeader *hdr = + (__GLXdispatchColorTableHeader *) pc; +@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) ++int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchColorSubTableHeader *hdr = + (__GLXdispatchColorSubTableHeader *) pc; +@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glXColorTableParameterfvSize(pname); + } + +-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + /* no difference 
between fv and iv versions */ +- return __glXColorTableParameterfvReqSize(pc, swap); ++ return __glXColorTableParameterfvReqSize(pc, swap, reqlen); + } + +-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) ++int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) + return 4 * __glPointParameterfvEXT_size( pname ); + } + +-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + /* no difference between fv and iv versions */ +- return __glXPointParameterfvARBReqSize(pc, swap); ++ return __glXPointParameterfvARBReqSize(pc, swap, reqlen); + } +-- +2.1.4 + -- cgit v1.2.3