aboutsummaryrefslogtreecommitdiff
path: root/xorg-server/glx
diff options
context:
space:
mode:
authorMike DePaulo <mikedep333@gmail.com>2015-01-10 12:03:47 -0500
committerMike DePaulo <mikedep333@gmail.com>2015-01-10 12:06:49 -0500
commit7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch)
treef2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/glx
parent212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff)
downloadvcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz
vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2
vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/glx')
-rw-r--r--xorg-server/glx/clientinfo.c20
-rw-r--r--xorg-server/glx/glxcmds.c85
-rw-r--r--xorg-server/glx/glxcmdsswap.c4
-rw-r--r--xorg-server/glx/glxserver.h43
-rw-r--r--xorg-server/glx/indirect_dispatch.c25
-rw-r--r--xorg-server/glx/indirect_dispatch_swap.c26
-rw-r--r--xorg-server/glx/indirect_program.c2
-rw-r--r--xorg-server/glx/indirect_reqsize.c152
-rw-r--r--xorg-server/glx/indirect_reqsize.h148
-rw-r--r--xorg-server/glx/indirect_texture_compression.c4
-rw-r--r--xorg-server/glx/indirect_util.c9
-rw-r--r--xorg-server/glx/rensize.c114
-rw-r--r--xorg-server/glx/single2.c23
-rw-r--r--xorg-server/glx/single2swap.c19
-rw-r--r--xorg-server/glx/singlepix.c60
-rw-r--r--xorg-server/glx/singlepixswap.c50
-rw-r--r--xorg-server/glx/swap_interval.c2
-rw-r--r--xorg-server/glx/unpack.h3
18 files changed, 503 insertions, 286 deletions
diff --git a/xorg-server/glx/clientinfo.c b/xorg-server/glx/clientinfo.c
index 4aaa4c967..74ad91991 100644
--- a/xorg-server/glx/clientinfo.c
+++ b/xorg-server/glx/clientinfo.c
@@ -33,18 +33,22 @@ static int
set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
unsigned bytes_per_version)
{
+ ClientPtr client = cl->client;
char *gl_extensions;
char *glx_extensions;
+ int size;
+
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
/* Verify that the size of the packet matches the size inferred from the
* sizes specified for the various fields.
*/
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
return BadLength;
/* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +84,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +106,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
diff --git a/xorg-server/glx/glxcmds.c b/xorg-server/glx/glxcmds.c
index c39a3f461..88093da49 100644
--- a/xorg-server/glx/glxcmds.c
+++ b/xorg-server/glx/glxcmds.c
@@ -2028,7 +2028,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
__GLXdispatchRenderProcPtr proc;
int err;
@@ -2047,6 +2047,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
/*
** Check for core opcodes and grab entry data.
*/
@@ -2060,24 +2063,21 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadRenderRequest);
}
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
if (entry.varsize) {
/* variable size command */
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
- client->swapped);
+ client->swapped,
+ left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
}
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
return BadLength;
}
@@ -2113,6 +2113,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
req = (xGLXRenderLargeReq *) pc;
if (client->swapped) {
__GLX_SWAP_SHORT(&req->length);
@@ -2128,12 +2130,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__glXResetLargeCommandStatus(cl);
return error;
}
+ if (safe_pad(req->dataBytes) < 0)
+ return BadLength;
dataBytes = req->dataBytes;
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
@@ -2143,7 +2147,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
int err;
@@ -2156,13 +2161,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadLargeRequest);
}
+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+ return BadLength;
+
hdr = (__GLXrenderLargeHeader *) pc;
if (client->swapped) {
__GLX_SWAP_INT(&hdr->length);
__GLX_SWAP_INT(&hdr->opcode);
}
- cmdlen = hdr->length;
opcode = hdr->opcode;
+ if ((cmdlen = safe_pad(hdr->length)) < 0)
+ return BadLength;
/*
** Check for core opcodes and grab entry data.
@@ -2180,21 +2189,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** will be in the 1st request, so it's okay to do this.
*/
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
- client->swapped);
+ client->swapped,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
return BadLength;
}
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
- return BadLength;
- }
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+ return BadLength;
}
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -2221,6 +2227,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -2239,11 +2246,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
}
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
+ }
+
memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -2255,17 +2269,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
diff --git a/xorg-server/glx/glxcmdsswap.c b/xorg-server/glx/glxcmdsswap.c
index fd1fd7006..eca700944 100644
--- a/xorg-server/glx/glxcmdsswap.c
+++ b/xorg-server/glx/glxcmdsswap.c
@@ -960,11 +960,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -987,11 +989,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
diff --git a/xorg-server/glx/glxserver.h b/xorg-server/glx/glxserver.h
index a324b290f..9088ec478 100644
--- a/xorg-server/glx/glxserver.h
+++ b/xorg-server/glx/glxserver.h
@@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
/*
* Tables for computing the size of each rendering command.
*/
-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
typedef struct {
int bytes;
@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
* Routines for computing the size of variably-sized rendering commands.
*/
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type,
GLenum target, GLsizei w, GLsizei h, GLsizei d,
diff --git a/xorg-server/glx/indirect_dispatch.c b/xorg-server/glx/indirect_dispatch.c
index 67e5280c3..80b49644a 100644
--- a/xorg-server/glx/indirect_dispatch.c
+++ b/xorg-server/glx/indirect_dispatch.c
@@ -2747,6 +2747,9 @@ int __glXDisp_AreTexturesResident(__GLXclientState *cl, GLbyte *pc)
GLboolean retval;
GLboolean answerBuffer[200];
GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval = CALL_AreTexturesResident( GET_DISPATCH(), (
n,
(const GLuint *)(pc + 4),
@@ -2772,6 +2775,9 @@ int __glXDisp_AreTexturesResidentEXT(__GLXclientState *cl, GLbyte *pc)
GLboolean retval;
GLboolean answerBuffer[200];
GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval = CALL_AreTexturesResident( GET_DISPATCH(), (
n,
(const GLuint *)(pc + 4),
@@ -2889,6 +2895,9 @@ int __glXDisp_GenTextures(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (textures == NULL)
+ return BadAlloc;
CALL_GenTextures( GET_DISPATCH(), (
n,
textures
@@ -2912,6 +2921,9 @@ int __glXDisp_GenTexturesEXT(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (textures == NULL)
+ return BadAlloc;
CALL_GenTextures( GET_DISPATCH(), (
n,
textures
@@ -4261,6 +4273,9 @@ int __glXDisp_GenQueries(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * ids = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (ids == NULL)
+ return BadAlloc;
CALL_GenQueries( GET_DISPATCH(), (
n,
ids
@@ -4711,6 +4726,9 @@ int __glXDisp_GenProgramsARB(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * programs = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (programs == NULL)
+ return BadAlloc;
CALL_GenProgramsARB( GET_DISPATCH(), (
n,
programs
@@ -5086,6 +5104,10 @@ int __glXDisp_GenFramebuffers(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * framebuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (framebuffers == NULL)
+ return BadAlloc;
+
CALL_GenFramebuffers( GET_DISPATCH(), (
n,
framebuffers
@@ -5109,6 +5131,9 @@ int __glXDisp_GenRenderbuffers(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * renderbuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (renderbuffers == NULL)
+ return BadAlloc;
CALL_GenRenderbuffers( GET_DISPATCH(), (
n,
renderbuffers
diff --git a/xorg-server/glx/indirect_dispatch_swap.c b/xorg-server/glx/indirect_dispatch_swap.c
index 4096023a7..d1118d666 100644
--- a/xorg-server/glx/indirect_dispatch_swap.c
+++ b/xorg-server/glx/indirect_dispatch_swap.c
@@ -2875,6 +2875,9 @@ int __glXDispSwap_AreTexturesResident(__GLXclientState *cl, GLbyte *pc)
GLboolean retval;
GLboolean answerBuffer[200];
GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval = CALL_AreTexturesResident( GET_DISPATCH(), (
n,
(const GLuint *)bswap_32_array( (uint32_t *) (pc + 4), 0 ),
@@ -2900,6 +2903,9 @@ int __glXDispSwap_AreTexturesResidentEXT(__GLXclientState *cl, GLbyte *pc)
GLboolean retval;
GLboolean answerBuffer[200];
GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval = CALL_AreTexturesResident( GET_DISPATCH(), (
n,
(const GLuint *)bswap_32_array( (uint32_t *) (pc + 4), 0 ),
@@ -3017,6 +3023,9 @@ int __glXDispSwap_GenTextures(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (textures == NULL)
+ return BadAlloc;
CALL_GenTextures( GET_DISPATCH(), (
n,
textures
@@ -3041,6 +3050,9 @@ int __glXDispSwap_GenTexturesEXT(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (textures == NULL)
+ return BadAlloc;
CALL_GenTextures( GET_DISPATCH(), (
n,
textures
@@ -4407,6 +4419,9 @@ int __glXDispSwap_GenQueries(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * ids = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+ if (ids == NULL)
+ return BadAlloc;
+
CALL_GenQueries( GET_DISPATCH(), (
n,
ids
@@ -4864,6 +4879,9 @@ int __glXDispSwap_GenProgramsARB(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * programs = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+ if (programs == NULL)
+ return BadAlloc;
+
CALL_GenProgramsARB( GET_DISPATCH(), (
n,
programs
@@ -5245,6 +5263,10 @@ int __glXDispSwap_GenFramebuffers(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * framebuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (framebuffers == NULL)
+ return BadAlloc;
+
CALL_GenFramebuffers( GET_DISPATCH(), (
n,
framebuffers
@@ -5269,6 +5291,10 @@ int __glXDispSwap_GenRenderbuffers(__GLXclientState *cl, GLbyte *pc)
GLuint answerBuffer[200];
GLuint * renderbuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+ if (renderbuffers == NULL)
+ return BadAlloc;
+
CALL_GenRenderbuffers( GET_DISPATCH(), (
n,
renderbuffers
diff --git a/xorg-server/glx/indirect_program.c b/xorg-server/glx/indirect_program.c
index c5e562a89..8f2d6a89c 100644
--- a/xorg-server/glx/indirect_program.c
+++ b/xorg-server/glx/indirect_program.c
@@ -57,6 +57,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
if (cx != NULL) {
GLenum target;
diff --git a/xorg-server/glx/indirect_reqsize.c b/xorg-server/glx/indirect_reqsize.c
index a87f7d230..e67c84722 100644
--- a/xorg-server/glx/indirect_reqsize.c
+++ b/xorg-server/glx/indirect_reqsize.c
@@ -40,25 +40,23 @@
#include "indirect_size.h"
#include "indirect_reqsize.h"
-#define __GLX_PAD(x) (((x) + 3) & ~3)
-
#if defined(__CYGWIN__) || defined(__MINGW32__)
# undef HAVE_ALIAS
#endif
#ifdef HAVE_ALIAS
# define ALIAS2(from,to) \
- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
__attribute__ ((alias( # to )));
# define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
#else
# define ALIAS(from,to) \
- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
- { return __glX ## to ## ReqSize( pc, swap ); }
+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
#endif
int
-__glXCallListsReqSize( const GLbyte * pc, Bool swap )
+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 0);
GLenum type = * (GLenum *)(pc + 4);
@@ -70,11 +68,11 @@ GLenum type = * (GLenum *)(pc + 4);
}
compsize = __glCallLists_size(type);
- return __GLX_PAD((compsize * n));
+ return safe_pad(safe_mul(compsize, n));
}
int
-__glXBitmapReqSize( const GLbyte * pc, Bool swap )
+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -98,7 +96,7 @@ GLsizei height = *(GLsizei *)(pc + 24);
}
int
-__glXFogfvReqSize( const GLbyte * pc, Bool swap )
+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 0);
GLsizei compsize;
@@ -108,11 +106,11 @@ GLenum pname = * (GLenum *)(pc + 0);
}
compsize = __glFogfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXLightfvReqSize( const GLbyte * pc, Bool swap )
+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -122,11 +120,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glLightfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXLightModelfvReqSize( const GLbyte * pc, Bool swap )
+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 0);
GLsizei compsize;
@@ -136,11 +134,11 @@ GLenum pname = * (GLenum *)(pc + 0);
}
compsize = __glLightModelfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXMaterialfvReqSize( const GLbyte * pc, Bool swap )
+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -150,11 +148,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glMaterialfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXPolygonStippleReqSize( const GLbyte * pc, Bool swap )
+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -174,7 +172,7 @@ __glXPolygonStippleReqSize( const GLbyte * pc, Bool swap )
}
int
-__glXTexParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -184,11 +182,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glTexParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexImage1DReqSize( const GLbyte * pc, Bool swap )
+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -216,7 +214,7 @@ GLenum type = * (GLenum *)(pc + 48);
}
int
-__glXTexImage2DReqSize( const GLbyte * pc, Bool swap )
+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -246,7 +244,7 @@ GLenum type = * (GLenum *)(pc + 48);
}
int
-__glXTexEnvfvReqSize( const GLbyte * pc, Bool swap )
+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -256,11 +254,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glTexEnvfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexGendvReqSize( const GLbyte * pc, Bool swap )
+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -270,11 +268,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glTexGendv_size(pname);
- return __GLX_PAD((compsize * 8));
+ return safe_pad(safe_mul(compsize, 8));
}
int
-__glXTexGenfvReqSize( const GLbyte * pc, Bool swap )
+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -284,11 +282,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glTexGenfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXPixelMapfvReqSize( const GLbyte * pc, Bool swap )
+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei mapsize = *(GLsizei *)(pc + 4);
@@ -296,11 +294,11 @@ GLsizei mapsize = *(GLsizei *)(pc + 4);
mapsize = bswap_32(mapsize);
}
- return __GLX_PAD((mapsize * 4));
+ return safe_pad(safe_mul(mapsize, 4));
}
int
-__glXPixelMapusvReqSize( const GLbyte * pc, Bool swap )
+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei mapsize = *(GLsizei *)(pc + 4);
@@ -308,11 +306,11 @@ GLsizei mapsize = *(GLsizei *)(pc + 4);
mapsize = bswap_32(mapsize);
}
- return __GLX_PAD((mapsize * 2));
+ return safe_pad(safe_mul(mapsize, 2));
}
int
-__glXDrawPixelsReqSize( const GLbyte * pc, Bool swap )
+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -340,7 +338,7 @@ GLenum type = * (GLenum *)(pc + 32);
}
int
-__glXPrioritizeTexturesReqSize( const GLbyte * pc, Bool swap )
+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 0);
@@ -348,11 +346,11 @@ GLsizei n = *(GLsizei *)(pc + 0);
n = bswap_32(n);
}
- return __GLX_PAD((n * 4) + (n * 4));
+ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
}
int
-__glXTexSubImage1DReqSize( const GLbyte * pc, Bool swap )
+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -380,7 +378,7 @@ GLenum type = * (GLenum *)(pc + 48);
}
int
-__glXTexSubImage2DReqSize( const GLbyte * pc, Bool swap )
+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -410,7 +408,7 @@ GLenum type = * (GLenum *)(pc + 48);
}
int
-__glXColorTableReqSize( const GLbyte * pc, Bool swap )
+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -438,7 +436,7 @@ GLenum type = * (GLenum *)(pc + 36);
}
int
-__glXColorTableParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -448,11 +446,11 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glColorTableParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXColorSubTableReqSize( const GLbyte * pc, Bool swap )
+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -480,7 +478,7 @@ GLenum type = * (GLenum *)(pc + 36);
}
int
-__glXConvolutionFilter1DReqSize( const GLbyte * pc, Bool swap )
+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -508,7 +506,7 @@ GLenum type = * (GLenum *)(pc + 40);
}
int
-__glXConvolutionFilter2DReqSize( const GLbyte * pc, Bool swap )
+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = 0;
@@ -538,7 +536,7 @@ GLenum type = * (GLenum *)(pc + 40);
}
int
-__glXConvolutionParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 4);
GLsizei compsize;
@@ -548,7 +546,7 @@ GLenum pname = * (GLenum *)(pc + 4);
}
compsize = __glConvolutionParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
@@ -589,7 +587,7 @@ GLenum type = * (GLenum *)(pc + 72);
}
int
-__glXTexSubImage3DReqSize( const GLbyte * pc, Bool swap )
+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = * (GLint *)(pc + 4);
GLint image_height = * (GLint *)(pc + 8);
@@ -623,7 +621,7 @@ GLenum type = * (GLenum *)(pc + 80);
}
int
-__glXCompressedTexImage1DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *)(pc + 20);
@@ -631,11 +629,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 20);
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexImage2DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *)(pc + 24);
@@ -643,11 +641,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 24);
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexImage3DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *)(pc + 28);
@@ -655,11 +653,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 28);
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexSubImage3DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *)(pc + 36);
@@ -667,11 +665,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 36);
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXPointParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = * (GLenum *)(pc + 0);
GLsizei compsize;
@@ -681,11 +679,11 @@ GLenum pname = * (GLenum *)(pc + 0);
}
compsize = __glPointParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXDrawBuffersReqSize( const GLbyte * pc, Bool swap )
+__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 0);
@@ -693,11 +691,11 @@ GLsizei n = *(GLsizei *)(pc + 0);
n = bswap_32(n);
}
- return __GLX_PAD((n * 4));
+ return safe_pad(safe_mul(n, 4));
}
int
-__glXProgramStringARBReqSize( const GLbyte * pc, Bool swap )
+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei len = *(GLsizei *)(pc + 8);
@@ -705,11 +703,11 @@ GLsizei len = *(GLsizei *)(pc + 8);
len = bswap_32(len);
}
- return __GLX_PAD(len);
+ return safe_pad(len);
}
int
-__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei num = *(GLsizei *)(pc + 8);
@@ -717,11 +715,11 @@ GLsizei num = *(GLsizei *)(pc + 8);
num = bswap_32(num);
}
- return __GLX_PAD((num * 32));
+ return safe_pad(safe_mul(num, 32));
}
int
-__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap )
+__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei num = *(GLsizei *)(pc + 8);
@@ -729,11 +727,11 @@ GLsizei num = *(GLsizei *)(pc + 8);
num = bswap_32(num);
}
- return __GLX_PAD((num * 16));
+ return safe_pad(safe_mul(num, 16));
}
int
-__glXVertexAttribs1dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 4);
@@ -741,11 +739,11 @@ GLsizei n = *(GLsizei *)(pc + 4);
n = bswap_32(n);
}
- return __GLX_PAD((n * 8));
+ return safe_pad(safe_mul(n, 8));
}
int
-__glXVertexAttribs2dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 4);
@@ -753,11 +751,11 @@ GLsizei n = *(GLsizei *)(pc + 4);
n = bswap_32(n);
}
- return __GLX_PAD((n * 16));
+ return safe_pad(safe_mul(n, 16));
}
int
-__glXVertexAttribs3dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 4);
@@ -765,11 +763,11 @@ GLsizei n = *(GLsizei *)(pc + 4);
n = bswap_32(n);
}
- return __GLX_PAD((n * 24));
+ return safe_pad(safe_mul(n, 24));
}
int
-__glXVertexAttribs3fvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 4);
@@ -777,11 +775,11 @@ GLsizei n = *(GLsizei *)(pc + 4);
n = bswap_32(n);
}
- return __GLX_PAD((n * 12));
+ return safe_pad(safe_mul(n, 12));
}
int
-__glXVertexAttribs3svNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 4);
@@ -789,11 +787,11 @@ GLsizei n = *(GLsizei *)(pc + 4);
n = bswap_32(n);
}
- return __GLX_PAD((n * 6));
+ return safe_pad(safe_mul(n, 6));
}
int
-__glXVertexAttribs4dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *)(pc + 4);
@@ -801,11 +799,11 @@ GLsizei n = *(GLsizei *)(pc + 4);
n = bswap_32(n);
}
- return __GLX_PAD((n * 32));
+ return safe_pad(safe_mul(n, 32));
}
int
-__glXProgramNamedParameter4fvNVReqSize( const GLbyte * pc, Bool swap )
+__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei len = *(GLsizei *)(pc + 4);
@@ -813,7 +811,7 @@ GLsizei len = *(GLsizei *)(pc + 4);
len = bswap_32(len);
}
- return __GLX_PAD(len);
+ return safe_pad(len);
}
ALIAS( Fogiv, Fogfv )
diff --git a/xorg-server/glx/indirect_reqsize.h b/xorg-server/glx/indirect_reqsize.h
index 1b7bd6ebf..9adba492d 100644
--- a/xorg-server/glx/indirect_reqsize.h
+++ b/xorg-server/glx/indirect_reqsize.h
@@ -36,80 +36,80 @@
# define PURE
# endif
-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap);
+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
# undef PURE
diff --git a/xorg-server/glx/indirect_texture_compression.c b/xorg-server/glx/indirect_texture_compression.c
index 112811e50..a39b15857 100644
--- a/xorg-server/glx/indirect_texture_compression.c
+++ b/xorg-server/glx/indirect_texture_compression.c
@@ -45,6 +45,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = *(GLenum *) (pc + 0);
@@ -89,6 +91,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__glXForceCurrent(cl, bswap_32(req->contextTag), &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
diff --git a/xorg-server/glx/indirect_util.c b/xorg-server/glx/indirect_util.c
index e7f11fbad..96fa2e012 100644
--- a/xorg-server/glx/indirect_util.c
+++ b/xorg-server/glx/indirect_util.c
@@ -76,12 +76,17 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
void *local_buffer, size_t local_size, unsigned alignment)
{
void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
if (local_size < required_size) {
- const size_t worst_case_size = required_size + alignment;
+ size_t worst_case_size;
intptr_t temp_buf;
+ if (required_size < SIZE_MAX - alignment)
+ worst_case_size = required_size + alignment;
+ else
+ return NULL;
+
if (cl->returnBufSize < worst_case_size) {
void *temp = realloc(cl->returnBuf, worst_case_size);
diff --git a/xorg-server/glx/rensize.c b/xorg-server/glx/rensize.c
index 552293242..068e1ce23 100644
--- a/xorg-server/glx/rensize.c
+++ b/xorg-server/glx/rensize.c
@@ -47,19 +47,11 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-static int
-Map1Size(GLint k, GLint order)
-{
- if (order <= 0 || k < 0)
- return -1;
- return k * order;
-}
-
int
-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 16);
order = *(GLint *) (pc + 20);
@@ -67,15 +59,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1d_size(target);
- return 8 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
int
-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 0);
order = *(GLint *) (pc + 12);
@@ -83,23 +76,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1f_size(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
}
static int
Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+ if (majorOrder < 1 || minorOrder < 1)
return -1;
- return k * majorOrder * minorOrder;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
int
-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 32);
uorder = *(GLint *) (pc + 36);
@@ -109,15 +103,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2d_size(target);
- return 8 * Map2Size(k, uorder, vorder);
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
int
-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 0);
uorder = *(GLint *) (pc + 12);
@@ -127,8 +120,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2f_size(target);
- return 4 * Map2Size(k, uorder, vorder);
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
/**
@@ -179,14 +171,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w == 0 || h == 0 || d == 0)
- return 0;
+ /* proxy targets have no data */
switch (target) {
case GL_PROXY_TEXTURE_1D:
case GL_PROXY_TEXTURE_2D:
@@ -203,6 +197,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
return 0;
}
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
+
if (type == GL_BITMAP) {
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -211,11 +211,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
groupsPerRow = w;
}
rowSize = bits_to_bytes(groupsPerRow);
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+
+ return safe_mul(safe_add(h, skipRows), rowSize);
}
else {
switch (format) {
@@ -228,6 +231,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_ALPHA:
case GL_LUMINANCE:
case GL_INTENSITY:
+ case GL_RED_INTEGER_EXT:
+ case GL_GREEN_INTEGER_EXT:
+ case GL_BLUE_INTEGER_EXT:
+ case GL_ALPHA_INTEGER_EXT:
+ case GL_LUMINANCE_INTEGER_EXT:
elementsPerGroup = 1;
break;
case GL_422_EXT:
@@ -238,14 +246,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_DEPTH_STENCIL_MESA:
case GL_YCBCR_MESA:
case GL_LUMINANCE_ALPHA:
+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
elementsPerGroup = 2;
break;
case GL_RGB:
case GL_BGR:
+ case GL_RGB_INTEGER_EXT:
+ case GL_BGR_INTEGER_EXT:
elementsPerGroup = 3;
break;
case GL_RGBA:
case GL_BGRA:
+ case GL_RGBA_INTEGER_EXT:
+ case GL_BGRA_INTEGER_EXT:
case GL_ABGR_EXT:
elementsPerGroup = 4;
break;
@@ -297,6 +310,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -304,18 +318,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- }
- else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
@@ -346,13 +363,14 @@ __glXTypeSize(GLenum enm)
}
int
-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
__GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
__GLXdispatchDrawArraysComponentHeader *compHeader;
GLint numVertexes = hdr->numVertexes;
GLint numComponents = hdr->numComponents;
GLint arrayElementSize = 0;
+ GLint x, size;
int i;
if (swap) {
@@ -361,6 +379,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
}
pc += sizeof(__GLXdispatchDrawArraysHeader);
+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+ numComponents);
+ if (size < 0 || reqlen < 0 || reqlen < size)
+ return -1;
+
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
for (i = 0; i < numComponents; i++) {
@@ -404,17 +429,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
return -1;
}
- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
+ return -1;
pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
}
- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
- (numVertexes * arrayElementSize));
+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
}
int
-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -439,9 +465,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize(format, type, 0, w, 1, 1,
0, rowLength, 0, 0, alignment);
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize(format, type, 0, h, 1, 1,
0, rowLength, 0, 0, alignment);
- return image1size + image2size;
-
+ return safe_add(safe_pad(image1size), image2size);
}
diff --git a/xorg-server/glx/single2.c b/xorg-server/glx/single2.c
index 8d4d1d061..cd3593295 100644
--- a/xorg-server/glx/single2.c
+++ b/xorg-server/glx/single2.c
@@ -48,11 +48,14 @@
int
__glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -79,10 +82,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -107,7 +113,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -115,6 +121,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
GLenum newMode;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -191,7 +199,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -210,9 +217,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -226,10 +236,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -320,7 +332,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
int
DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@@ -330,6 +342,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@@ -346,7 +360,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *) (pc + 0);
string = (const char *) glGetString(name);
- client = cl->client;
if (string == NULL)
string = "";
diff --git a/xorg-server/glx/single2swap.c b/xorg-server/glx/single2swap.c
index 90387a2e8..a35767f0d 100644
--- a/xorg-server/glx/single2swap.c
+++ b/xorg-server/glx/single2swap.c
@@ -44,6 +44,7 @@
int
__glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
@@ -51,6 +52,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -80,12 +83,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -112,7 +118,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -123,6 +129,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -203,7 +211,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -227,11 +234,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -246,12 +256,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -263,7 +275,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
cx->hasUnflushedCommands = GL_FALSE;
/* Send empty reply packet to indicate finish is finished */
- client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();
diff --git a/xorg-server/glx/singlepix.c b/xorg-server/glx/singlepix.c
index 06c0ad66f..96c0e9f30 100644
--- a/xorg-server/glx/singlepix.c
+++ b/xorg-server/glx/singlepix.c
@@ -54,6 +54,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -68,7 +70,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -103,6 +105,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -127,7 +131,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -160,6 +164,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
GLubyte answerBuffer[200];
char *answer;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -220,15 +226,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
- compsize = 0;
- if (compsize2 < 0)
- compsize2 = 0;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
+ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -252,7 +256,8 @@ int
__glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -260,7 +265,8 @@ int
__glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -299,7 +305,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -326,7 +332,8 @@ int
__glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -334,7 +341,8 @@ int
__glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -368,7 +376,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -393,7 +401,8 @@ int
__glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -401,7 +410,8 @@ int
__glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -429,7 +439,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -453,7 +463,8 @@ int
__glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -461,7 +472,8 @@ int
__glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -494,7 +506,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -520,7 +532,8 @@ int
__glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -528,6 +541,7 @@ int
__glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
diff --git a/xorg-server/glx/singlepixswap.c b/xorg-server/glx/singlepixswap.c
index b1ed6cec7..fa373faad 100644
--- a/xorg-server/glx/singlepixswap.c
+++ b/xorg-server/glx/singlepixswap.c
@@ -56,6 +56,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -78,7 +80,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -117,6 +119,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -147,7 +151,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -187,6 +191,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -254,15 +260,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
- compsize = 0;
- if (compsize2 < 0)
- compsize2 = 0;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
+ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -288,7 +292,9 @@ int
__glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -296,7 +302,9 @@ int
__glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -341,7 +349,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -370,7 +378,9 @@ int
__glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -378,7 +388,9 @@ int
__glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -418,7 +430,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -444,7 +456,9 @@ int
__glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -452,7 +466,9 @@ int
__glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -486,7 +502,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -510,7 +526,9 @@ int
__glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -518,7 +536,9 @@ int
__glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -557,7 +577,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -584,7 +604,9 @@ int
__glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -592,6 +614,8 @@ int
__glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
diff --git a/xorg-server/glx/swap_interval.c b/xorg-server/glx/swap_interval.c
index 80d8b9436..d82e63ff0 100644
--- a/xorg-server/glx/swap_interval.c
+++ b/xorg-server/glx/swap_interval.c
@@ -47,6 +47,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
__GLXcontext *cx;
GLint interval;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
cx = __glXLookupContextByTag(cl, tag);
if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
diff --git a/xorg-server/glx/unpack.h b/xorg-server/glx/unpack.h
index 52fba74e1..2b1ebcf02 100644
--- a/xorg-server/glx/unpack.h
+++ b/xorg-server/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-09 06:12:59 +0000