1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
|
From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:48 -0500
Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2)
[CVE-2014-8098 8/8] (V3)
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
v3: RHEL5 backport
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +-
nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +-
nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++----------
nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++-------------
4 files changed, 121 insertions(+), 107 deletions(-)
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
index 20c12f3..a1bb259 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
if (entry->varsize) {
/* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
int extra = 0, cmdlen;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
/*
** This is the first request of a multi request command.
** Make enough space in the buffer, then copy the entire request.
@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
index 2e228c0..33a748a 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
if (entry->varsize) {
/* variable size command */
- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
+ left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData *entry;
int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
/*
** This is the first request of a multi request command.
@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
** be computed from its parameters), all the parameters needed
** will be in the 1st request, so it's okay to do this.
*/
- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
index 4047574..193ebcb 100644
--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
+++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[];
*/
typedef struct {
int bytes;
- int (*varsize)(GLbyte *pc, Bool swap);
+ int (*varsize)(GLbyte *pc, Bool swap, int left);
} __GLXrenderSizeData;
extern __GLXrenderSizeData __glXRenderSizeTable[];
extern __GLXrenderSizeData __glXRenderSizeTable_EXT[];
@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type,
GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows,
GLint alignment);
-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap);
-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap);
-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXFogivReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightivReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap);
-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap);
-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap);
-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap);
-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap);
-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap);
-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap);
-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap );
-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap);
-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap);
-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap);
+extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen );
+extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
/*
* Routines for computing the size of returned data.
@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname);
extern int __glXColorTableParameterfvSize(GLenum pname);
extern int __glXColorTableParameterivSize(GLenum pname);
-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap);
-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap);
+extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen);
+extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
#endif /* !__GLX_server_h__ */
diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
index 9bf0d00..dc3475e 100644
--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
+++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
@@ -48,7 +48,7 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-int __glXCallListsReqSize(GLbyte *pc, Bool swap )
+int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 0);
GLenum type = *(GLenum *)(pc + 4);
@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap )
return n * __glCallLists_size( type );
}
-int __glXFogivReqSize(GLbyte *pc, Bool swap )
+int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap )
return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */
}
-int __glXFogfvReqSize(GLbyte *pc, Bool swap )
+int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXFogivReqSize( pc, swap );
+ return __glXFogivReqSize( pc, swap, reqlen);
}
-int __glXLightfvReqSize(GLbyte *pc, Bool swap )
+int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */
}
-int __glXLightivReqSize(GLbyte *pc, Bool swap )
+int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXLightfvReqSize( pc, swap );
+ return __glXLightfvReqSize( pc, swap, reqlen);
}
-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
+int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */
}
-int __glXLightModelivReqSize(GLbyte *pc, Bool swap )
+int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXLightModelfvReqSize( pc, swap );
+ return __glXLightModelfvReqSize( pc, swap, reqlen);
}
-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
+int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */
}
-int __glXMaterialivReqSize(GLbyte *pc, Bool swap )
+int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXMaterialfvReqSize( pc, swap );
+ return __glXMaterialfvReqSize( pc, swap, reqlen);
}
-int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
+int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexGenivReqSize(GLbyte *pc, Bool swap )
+int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXTexGenfvReqSize( pc, swap );
+ return __glXTexGenfvReqSize( pc, swap, reqlen);
}
-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXTexParameterfvReqSize( pc, swap );
+ return __glXTexParameterfvReqSize( pc, swap, reqlen);
}
-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
+int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */
}
-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
+int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen )
{
- return __glXTexEnvfvReqSize( pc, swap );
+ return __glXTexEnvfvReqSize( pc, swap, reqlen);
}
-int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
GLint order;
@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
-int __glXMap1fReqSize(GLbyte *pc, Bool swap )
+int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
GLint order;
@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder)
return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
-int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum target;
GLint uorder, vorder;
@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
-int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum target;
GLint uorder, vorder;
@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLint mapsize;
mapsize = *(GLint *)(pc + 4);
@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
return 4 * mapsize;
}
-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXPixelMapfvReqSize( pc, swap );
+ return __glXPixelMapfvReqSize( pc, swap, reqlen);
}
-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap )
+int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLint mapsize;
mapsize = *(GLint *)(pc + 4);
@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
}
-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
+int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc;
GLenum format = hdr->format;
@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXBitmapReqSize(GLbyte *pc, Bool swap )
+int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc;
GLint w = hdr->width;
@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
GLenum target = hdr->target;
@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
GLenum target = hdr->target;
@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm)
}
}
-int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
__GLXdispatchDrawArraysComponentHeader *compHeader;
GLint numVertexes = hdr->numVertexes;
GLint numComponents = hdr->numComponents;
GLint arrayElementSize = 0;
+ GLint x, size;
int i;
if (swap) {
@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
}
pc += sizeof(__GLXdispatchDrawArraysHeader);
+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+ numComponents);
+ if (size < 0 || reqlen < 0 || reqlen < size)
+ return -1;
+
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
for (i=0; i<numComponents; i++) {
@@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
return -1;
}
- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
+ return -1;
pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
}
- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
- (numVertexes * arrayElementSize));
+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
}
-int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap )
+int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLint n = *(GLsizei *)(pc + 0);
if (swap) n = SWAPL(n);
return(8*n); /* 4*n for textures, 4*n for priorities */
}
-int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
GLenum format = hdr->format;
@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
GLenum format = hdr->format;
@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, skipRows, alignment );
}
-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
+int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc;
GLenum target = hdr->target;
@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
}
}
-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
+int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchTexSubImage3DHeader *hdr =
(__GLXdispatchTexSubImage3DHeader *) pc;
@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
}
}
-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, 0, alignment );
}
-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname)
return __glXConvolutionParameterivSize(pname);
}
-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
return 4 * __glXConvolutionParameterivSize( pname );
}
-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
- return __glXConvolutionParameterivReqSize( pc, swap );
+ return __glXConvolutionParameterivReqSize( pc, swap, reqlen);
}
-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
+int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname)
return __glXColorTableParameterfvSize(pname);
}
-int __glXColorTableReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchColorTableHeader *hdr =
(__GLXdispatchColorTableHeader *) pc;
@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, 0, alignment );
}
-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
+int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen)
{
__GLXdispatchColorSubTableHeader *hdr =
(__GLXdispatchColorSubTableHeader *) pc;
@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
0, rowLength, 0, 0, alignment );
}
-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 4);
if (swap) {
@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
return 4 * __glXColorTableParameterfvSize(pname);
}
-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
/* no difference between fv and iv versions */
- return __glXColorTableParameterfvReqSize(pc, swap);
+ return __glXColorTableParameterfvReqSize(pc, swap, reqlen);
}
-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
+int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *)(pc + 0);
if (swap) {
@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
return 4 * __glPointParameterfvEXT_size( pname );
}
-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap )
+int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
{
/* no difference between fv and iv versions */
- return __glXPointParameterfvARBReqSize(pc, swap);
+ return __glXPointParameterfvARBReqSize(pc, swap, reqlen);
}
--
2.1.4
|
