From 5e5a48ff8cd08f123601cd0625ca62a86675aac9 Mon Sep 17 00:00:00 2001
From: marha <marha@users.sourceforge.net>
Date: Sun, 4 Jan 2015 16:25:32 +0100
Subject: fontconfig libX11 mesa xserver git update 4 Jan 2015

xserver          commit dc777c346d5d452a53b13b917c45f6a1bad2f20b
libX11           commit 446f5f7f41317a85a0cd0efa5e6a1b37bc99fba2
fontconfig       commit 4420b27c074821a1d1f9d6ebe822a610176a417d
mesa             commit 48094d0e6554a9df36bf00fc2793ade46cf92406
---
 xorg-server/glx/clientinfo.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

(limited to 'xorg-server/glx/clientinfo.c')

diff --git a/xorg-server/glx/clientinfo.c b/xorg-server/glx/clientinfo.c
index 4aaa4c967..74ad91991 100644
--- a/xorg-server/glx/clientinfo.c
+++ b/xorg-server/glx/clientinfo.c
@@ -33,18 +33,22 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
                 unsigned bytes_per_version)
 {
+    ClientPtr client = cl->client;
     char *gl_extensions;
     char *glx_extensions;
+    int size;
+
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
 
     /* Verify that the size of the packet matches the size inferred from the
      * sizes specified for the various fields.
      */
-    const unsigned expected_size = sz_xGLXSetClientInfoARBReq
-        + (req->numVersions * bytes_per_version)
-        + __GLX_PAD(req->numGLExtensionBytes)
-        + __GLX_PAD(req->numGLXExtensionBytes);
+    size = sz_xGLXSetClientInfoARBReq;
+    size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+    size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+    size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
 
-    if (req->length != (expected_size / 4))
+    if (size < 0 || req->length != (size / 4))
         return BadLength;
 
     /* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +84,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     req->length = bswap_16(req->length);
     req->numVersions = bswap_32(req->numVersions);
     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +106,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     req->length = bswap_16(req->length);
     req->numVersions = bswap_32(req->numVersions);
     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
-- 
cgit v1.2.3