From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Mon, 10 Nov 2014 12:13:48 -0500 Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3) v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau Reviewed-by: Michal Srb Reviewed-by: Andy Ritger Signed-off-by: Adam Jackson Signed-off-by: Alan Coopersmith Signed-off-by: Fedora X Ninjas Signed-off-by: Dave Airlie --- nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +- nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +- nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++---------- nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++------------- 4 files changed, 121 insertions(+), 107 deletions(-) diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c index 20c12f3..a1bb259 100644 --- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c +++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c @@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) if (entry->varsize) { /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { return BadLength; } @@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData *entry; int extra = 0, cmdlen; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; /* ** This is the first request of a multi request command. ** Make enough space in the buffer, then copy the entire request. @@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) ** be computed from its parameters), all the parameters needed ** will be in the 1st request, so it's okay to do this. */ - extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); + extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { return BadLength; } diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c index 2e228c0..33a748a 100644 --- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c @@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) if (entry->varsize) { /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True, + left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { return BadLength; } @@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData *entry; int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; size_t cmdlen; /* ** This is the first request of a multi request command. @@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) ** be computed from its parameters), all the parameters needed ** will be in the 1st request, so it's okay to do this. */ - extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); + extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { return BadLength; } diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h index 4047574..193ebcb 100644 --- a/nx-X11/programs/Xserver/GL/glx/glxserver.h +++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h @@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[]; */ typedef struct { int bytes; - int (*varsize)(GLbyte *pc, Bool swap); + int (*varsize)(GLbyte *pc, Bool swap, int left); } __GLXrenderSizeData; extern __GLXrenderSizeData __glXRenderSizeTable[]; extern __GLXrenderSizeData __glXRenderSizeTable_EXT[]; @@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type, GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows, GLint alignment); -extern int __glXCallListsReqSize(GLbyte *pc, Bool swap); -extern int __glXBitmapReqSize(GLbyte *pc, Bool swap); -extern int __glXFogfvReqSize(GLbyte *pc, Bool swap); -extern int __glXFogivReqSize(GLbyte *pc, Bool swap); -extern int __glXLightfvReqSize(GLbyte *pc, Bool swap); -extern int __glXLightivReqSize(GLbyte *pc, Bool swap); -extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap); -extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap); -extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap); -extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap); -extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap); -extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap); -extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap); -extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap); -extern int __glXMap1dReqSize(GLbyte *pc, Bool swap); -extern int __glXMap1fReqSize(GLbyte *pc, Bool swap); -extern int __glXMap2dReqSize(GLbyte *pc, Bool swap); -extern int __glXMap2fReqSize(GLbyte *pc, Bool swap); -extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap); -extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap); -extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap); -extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap); -extern int __glXDrawArraysSize(GLbyte *pc, Bool swap); -extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap); -extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap); -extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ); -extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap); -extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap); -extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap); -extern int __glXColorTableReqSize(GLbyte *pc, Bool swap); -extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap); -extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap); -extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap); +extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ); +extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); /* * Routines for computing the size of returned data. @@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname); extern int __glXColorTableParameterfvSize(GLenum pname); extern int __glXColorTableParameterivSize(GLenum pname); -extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap); -extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap); +extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen); +extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); #endif /* !__GLX_server_h__ */ diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c index 9bf0d00..dc3475e 100644 --- a/nx-X11/programs/Xserver/GL/glx/rensize.c +++ b/nx-X11/programs/Xserver/GL/glx/rensize.c @@ -48,7 +48,7 @@ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) -int __glXCallListsReqSize(GLbyte *pc, Bool swap ) +int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); GLenum type = *(GLenum *)(pc + 4); @@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap ) return n * __glCallLists_size( type ); } -int __glXFogivReqSize(GLbyte *pc, Bool swap ) +int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ } -int __glXFogfvReqSize(GLbyte *pc, Bool swap ) +int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXFogivReqSize( pc, swap ); + return __glXFogivReqSize( pc, swap, reqlen); } -int __glXLightfvReqSize(GLbyte *pc, Bool swap ) +int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ } -int __glXLightivReqSize(GLbyte *pc, Bool swap ) +int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXLightfvReqSize( pc, swap ); + return __glXLightfvReqSize( pc, swap, reqlen); } -int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) +int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ } -int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) +int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXLightModelfvReqSize( pc, swap ); + return __glXLightModelfvReqSize( pc, swap, reqlen); } -int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) +int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ } -int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) +int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXMaterialfvReqSize( pc, swap ); + return __glXMaterialfvReqSize( pc, swap, reqlen); } -int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) +int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ } -int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) +int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXTexGenfvReqSize( pc, swap ); + return __glXTexGenfvReqSize( pc, swap, reqlen); } -int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXTexParameterfvReqSize( pc, swap ); + return __glXTexParameterfvReqSize( pc, swap, reqlen); } -int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) +int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ } -int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) +int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) { - return __glXTexEnvfvReqSize( pc, swap ); + return __glXTexEnvfvReqSize( pc, swap, reqlen); } -int __glXMap1dReqSize(GLbyte *pc, Bool swap ) +int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; GLint order; @@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) return safe_mul(8, safe_mul(__glMap1d_size(target), order)); } -int __glXMap1fReqSize(GLbyte *pc, Bool swap ) +int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) { GLenum target; GLint order; @@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) return safe_mul(k, safe_mul(majorOrder, minorOrder)); } -int __glXMap2dReqSize(GLbyte *pc, Bool swap ) +int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); } -int __glXMap2fReqSize(GLbyte *pc, Bool swap ) +int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); } -int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLint mapsize; mapsize = *(GLint *)(pc + 4); @@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) return 4 * mapsize; } -int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXPixelMapfvReqSize( pc, swap ); + return __glXPixelMapfvReqSize( pc, swap, reqlen); } -int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) +int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLint mapsize; mapsize = *(GLint *)(pc + 4); @@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, } -int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) +int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; GLenum format = hdr->format; @@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXBitmapReqSize(GLbyte *pc, Bool swap ) +int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; GLint w = hdr->width; @@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; GLenum target = hdr->target; @@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; GLenum target = hdr->target; @@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) } } -int __glXDrawArraysSize( GLbyte *pc, Bool swap ) +int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { @@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i=0; iformat; @@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; GLenum format = hdr->format; @@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, skipRows, alignment ); } -int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) +int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; GLenum target = hdr->target; @@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) } } -int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) +int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchTexSubImage3DHeader *hdr = (__GLXdispatchTexSubImage3DHeader *) pc; @@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) } } -int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, 0, alignment ); } -int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) return __glXConvolutionParameterivSize(pname); } -int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) return 4 * __glXConvolutionParameterivSize( pname ); } -int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) { - return __glXConvolutionParameterivReqSize( pc, swap ); + return __glXConvolutionParameterivReqSize( pc, swap, reqlen); } -int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) +int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) return __glXColorTableParameterfvSize(pname); } -int __glXColorTableReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchColorTableHeader *hdr = (__GLXdispatchColorTableHeader *) pc; @@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, 0, alignment ); } -int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) +int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) { __GLXdispatchColorSubTableHeader *hdr = (__GLXdispatchColorSubTableHeader *) pc; @@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) 0, rowLength, 0, 0, alignment ); } -int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 4); if (swap) { @@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) return 4 * __glXColorTableParameterfvSize(pname); } -int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { /* no difference between fv and iv versions */ - return __glXColorTableParameterfvReqSize(pc, swap); + return __glXColorTableParameterfvReqSize(pc, swap, reqlen); } -int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) +int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *)(pc + 0); if (swap) { @@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) return 4 * __glPointParameterfvEXT_size( pname ); } -int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) +int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) { /* no difference between fv and iv versions */ - return __glXPointParameterfvARBReqSize(pc, swap); + return __glXPointParameterfvARBReqSize(pc, swap, reqlen); } -- 2.1.4