Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 4ab40b2b60f4f841f75250e1e60c1624d8212cd4 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | |
3 | Date: Mon, 10 Nov 2014 12:13:47 -0500 | |
4 | Subject: [PATCH 31/33] glx: Length checking for non-generated single requests | |
5 | (v2) [CVE-2014-8098 7/8] | |
6 | ||
7 | v2: | |
8 | Fix single versus vendor-private length checking for ARB_imaging subset | |
9 | extensions. (Julien Cristau) | |
10 | ||
11 | v3: | |
12 | Fix single versus vendor-private length checking for ARB_imaging subset | |
13 | extensions. (Julien Cristau) | |
14 | ||
15 | Reviewed-by: Michal Srb <msrb@suse.com> | |
16 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
17 | Signed-off-by: Adam Jackson <ajax@redhat.com> | |
18 | Signed-off-by: Julien Cristau <jcristau@debian.org> | |
19 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
20 | --- | |
21 | glx/indirect_texture_compression.c | 4 ++++ | |
22 | glx/single2.c | 23 +++++++++++++++---- | |
23 | glx/single2swap.c | 19 ++++++++++++---- | |
24 | glx/singlepix.c | 44 ++++++++++++++++++++++++------------ | |
25 | glx/singlepixswap.c | 34 ++++++++++++++++++++++++---- | |
26 | 5 files changed, 95 insertions(+), 29 deletions(-) | |
27 | ||
4db25562 JB |
28 | --- a/glx/indirect_texture_compression.c |
29 | +++ b/glx/indirect_texture_compression.c | |
30 | @@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct _ | |
7217e0ca ML |
31 | __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); |
32 | ClientPtr client = cl->client; | |
33 | ||
34 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); | |
35 | + | |
36 | pc += __GLX_SINGLE_HDR_SIZE; | |
37 | if (cx != NULL) { | |
38 | const GLenum target = *(GLenum *) (pc + 0); | |
4db25562 | 39 | @@ -85,6 +87,8 @@ __glXDispSwap_GetCompressedTexImage(stru |
7217e0ca ML |
40 | __glXForceCurrent(cl, bswap_32(req->contextTag), &error); |
41 | ClientPtr client = cl->client; | |
42 | ||
43 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); | |
44 | + | |
45 | pc += __GLX_SINGLE_HDR_SIZE; | |
46 | if (cx != NULL) { | |
47 | const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); | |
4db25562 JB |
48 | --- a/glx/single2.c |
49 | +++ b/glx/single2.c | |
7217e0ca ML |
50 | @@ -45,11 +45,14 @@ |
51 | int | |
52 | __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) | |
53 | { | |
54 | + ClientPtr client = cl->client; | |
55 | GLsizei size; | |
56 | GLenum type; | |
57 | __GLXcontext *cx; | |
58 | int error; | |
59 | ||
60 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); | |
61 | + | |
62 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
63 | if (!cx) { | |
64 | return error; | |
4db25562 | 65 | @@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientStat |
7217e0ca ML |
66 | int |
67 | __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) | |
68 | { | |
69 | + ClientPtr client = cl->client; | |
70 | __GLXcontext *cx; | |
71 | GLsizei size; | |
72 | int error; | |
73 | ||
74 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
75 | + | |
76 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
77 | if (!cx) { | |
78 | return error; | |
4db25562 | 79 | @@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState |
7217e0ca ML |
80 | int |
81 | __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) | |
82 | { | |
83 | - ClientPtr client; | |
84 | + ClientPtr client = cl->client; | |
85 | xGLXRenderModeReply reply; | |
86 | __GLXcontext *cx; | |
87 | GLint nitems = 0, retBytes = 0, retval, newModeCheck; | |
4db25562 | 88 | @@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * |
7217e0ca ML |
89 | GLenum newMode; |
90 | int error; | |
91 | ||
92 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
93 | + | |
94 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
95 | if (!cx) { | |
96 | return error; | |
4db25562 | 97 | @@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * |
7217e0ca ML |
98 | ** selection array, as per the API for glRenderMode itself. |
99 | */ | |
100 | noChangeAllowed:; | |
101 | - client = cl->client; | |
102 | reply = (xGLXRenderModeReply) { | |
103 | .type = X_Reply, | |
104 | .sequenceNumber = client->sequence, | |
4db25562 | 105 | @@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * |
7217e0ca ML |
106 | int |
107 | __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) | |
108 | { | |
109 | + ClientPtr client = cl->client; | |
110 | __GLXcontext *cx; | |
111 | int error; | |
112 | ||
113 | + REQUEST_SIZE_MATCH(xGLXSingleReq); | |
114 | + | |
115 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
116 | if (!cx) { | |
117 | return error; | |
4db25562 | 118 | @@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, G |
7217e0ca ML |
119 | int |
120 | __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) | |
121 | { | |
122 | + ClientPtr client = cl->client; | |
123 | __GLXcontext *cx; | |
124 | - ClientPtr client; | |
125 | int error; | |
126 | ||
127 | + REQUEST_SIZE_MATCH(xGLXSingleReq); | |
128 | + | |
129 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
130 | if (!cx) { | |
131 | return error; | |
4db25562 | 132 | @@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_st |
7217e0ca ML |
133 | int |
134 | DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) | |
135 | { | |
136 | - ClientPtr client; | |
137 | + ClientPtr client = cl->client; | |
138 | __GLXcontext *cx; | |
139 | GLenum name; | |
140 | const char *string; | |
4db25562 | 141 | @@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyt |
7217e0ca ML |
142 | char *buf = NULL, *buf1 = NULL; |
143 | GLint length = 0; | |
144 | ||
145 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
146 | + | |
147 | /* If the client has the opposite byte order, swap the contextTag and | |
148 | * the name. | |
149 | */ | |
4db25562 | 150 | @@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyt |
7217e0ca ML |
151 | pc += __GLX_SINGLE_HDR_SIZE; |
152 | name = *(GLenum *) (pc + 0); | |
153 | string = (const char *) glGetString(name); | |
154 | - client = cl->client; | |
155 | ||
156 | if (string == NULL) | |
157 | string = ""; | |
4db25562 JB |
158 | --- a/glx/single2swap.c |
159 | +++ b/glx/single2swap.c | |
7217e0ca ML |
160 | @@ -41,6 +41,7 @@ |
161 | int | |
162 | __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) | |
163 | { | |
164 | + ClientPtr client = cl->client; | |
165 | GLsizei size; | |
166 | GLenum type; | |
167 | ||
4db25562 | 168 | @@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclient |
7217e0ca ML |
169 | __GLXcontext *cx; |
170 | int error; | |
171 | ||
172 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); | |
173 | + | |
174 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
175 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
176 | if (!cx) { | |
4db25562 | 177 | @@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclient |
7217e0ca ML |
178 | int |
179 | __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) | |
180 | { | |
181 | + ClientPtr client = cl->client; | |
182 | __GLXcontext *cx; | |
183 | GLsizei size; | |
184 | ||
185 | __GLX_DECLARE_SWAP_VARIABLES; | |
186 | int error; | |
187 | ||
188 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
189 | + | |
190 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
191 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
192 | if (!cx) { | |
4db25562 | 193 | @@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientSt |
7217e0ca ML |
194 | int |
195 | __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) | |
196 | { | |
197 | - ClientPtr client; | |
198 | + ClientPtr client = cl->client; | |
199 | __GLXcontext *cx; | |
200 | xGLXRenderModeReply reply; | |
201 | GLint nitems = 0, retBytes = 0, retval, newModeCheck; | |
4db25562 | 202 | @@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientStat |
7217e0ca ML |
203 | __GLX_DECLARE_SWAP_ARRAY_VARIABLES; |
204 | int error; | |
205 | ||
206 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
207 | + | |
208 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
209 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
210 | if (!cx) { | |
4db25562 | 211 | @@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientStat |
7217e0ca ML |
212 | ** selection array, as per the API for glRenderMode itself. |
213 | */ | |
214 | noChangeAllowed:; | |
215 | - client = cl->client; | |
216 | reply = (xGLXRenderModeReply) { | |
217 | .type = X_Reply, | |
218 | .sequenceNumber = client->sequence, | |
4db25562 | 219 | @@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientStat |
7217e0ca ML |
220 | int |
221 | __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) | |
222 | { | |
223 | + ClientPtr client = cl->client; | |
224 | __GLXcontext *cx; | |
225 | int error; | |
226 | ||
227 | __GLX_DECLARE_SWAP_VARIABLES; | |
228 | ||
229 | + REQUEST_SIZE_MATCH(xGLXSingleReq); | |
230 | + | |
231 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
232 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
233 | if (!cx) { | |
4db25562 | 234 | @@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * c |
7217e0ca ML |
235 | int |
236 | __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) | |
237 | { | |
238 | + ClientPtr client = cl->client; | |
239 | __GLXcontext *cx; | |
240 | - ClientPtr client; | |
241 | int error; | |
242 | ||
243 | __GLX_DECLARE_SWAP_VARIABLES; | |
244 | ||
245 | + REQUEST_SIZE_MATCH(xGLXSingleReq); | |
246 | + | |
247 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
248 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
249 | if (!cx) { | |
4db25562 | 250 | @@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * |
7217e0ca ML |
251 | cx->hasUnflushedCommands = GL_FALSE; |
252 | ||
253 | /* Send empty reply packet to indicate finish is finished */ | |
254 | - client = cl->client; | |
255 | __GLX_BEGIN_REPLY(0); | |
256 | __GLX_PUT_RETVAL(0); | |
257 | __GLX_SWAP_REPLY_HEADER(); | |
4db25562 JB |
258 | --- a/glx/singlepix.c |
259 | +++ b/glx/singlepix.c | |
260 | @@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * | |
7217e0ca ML |
261 | int error; |
262 | char *answer, answerBuffer[200]; | |
263 | ||
264 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); | |
265 | + | |
266 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
267 | if (!cx) { | |
268 | return error; | |
4db25562 | 269 | @@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * |
7217e0ca ML |
270 | char *answer, answerBuffer[200]; |
271 | GLint width = 0, height = 0, depth = 1; | |
272 | ||
273 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); | |
274 | + | |
275 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
276 | if (!cx) { | |
277 | return error; | |
4db25562 | 278 | @@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientS |
7217e0ca ML |
279 | GLubyte answerBuffer[200]; |
280 | char *answer; | |
281 | ||
282 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
283 | + | |
284 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
285 | if (!cx) { | |
286 | return error; | |
4db25562 | 287 | @@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl |
7217e0ca ML |
288 | compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); |
289 | compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); | |
290 | ||
291 | - if (compsize < 0) | |
292 | + if ((compsize = safe_pad(compsize)) < 0) | |
293 | return BadLength; | |
294 | - if (compsize2 < 0) | |
295 | + if ((compsize2 = safe_pad(compsize2)) < 0) | |
296 | return BadLength; | |
297 | - compsize = __GLX_PAD(compsize); | |
298 | - compsize2 = __GLX_PAD(compsize2); | |
299 | ||
300 | glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); | |
301 | - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); | |
302 | + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); | |
303 | __glXClearErrorOccured(); | |
304 | glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), | |
305 | *(GLenum *) (pc + 8), answer, answer + compsize, NULL); | |
4db25562 | 306 | @@ -249,7 +253,8 @@ int |
7217e0ca ML |
307 | __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) |
308 | { | |
309 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
310 | - | |
311 | + ClientPtr client = cl->client; | |
312 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
313 | return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
314 | } | |
315 | ||
4db25562 | 316 | @@ -257,7 +262,8 @@ int |
7217e0ca ML |
317 | __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) |
318 | { | |
319 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
320 | - | |
321 | + ClientPtr client = cl->client; | |
322 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
323 | return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
324 | } | |
325 | ||
4db25562 | 326 | @@ -323,7 +329,8 @@ int |
7217e0ca ML |
327 | __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) |
328 | { | |
329 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
330 | - | |
331 | + ClientPtr client = cl->client; | |
332 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
333 | return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
334 | } | |
335 | ||
4db25562 | 336 | @@ -331,7 +338,8 @@ int |
7217e0ca ML |
337 | __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) |
338 | { | |
339 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
340 | - | |
341 | + ClientPtr client = cl->client; | |
342 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
343 | return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
344 | } | |
345 | ||
4db25562 | 346 | @@ -390,7 +398,8 @@ int |
7217e0ca ML |
347 | __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) |
348 | { | |
349 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
350 | - | |
351 | + ClientPtr client = cl->client; | |
352 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
353 | return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
354 | } | |
355 | ||
4db25562 | 356 | @@ -398,7 +407,8 @@ int |
7217e0ca ML |
357 | __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) |
358 | { | |
359 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
360 | - | |
361 | + ClientPtr client = cl->client; | |
362 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
363 | return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
364 | } | |
365 | ||
4db25562 | 366 | @@ -450,7 +460,8 @@ int |
7217e0ca ML |
367 | __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) |
368 | { | |
369 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
370 | - | |
371 | + ClientPtr client = cl->client; | |
372 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
373 | return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
374 | } | |
375 | ||
4db25562 | 376 | @@ -458,7 +469,8 @@ int |
7217e0ca ML |
377 | __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) |
378 | { | |
379 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
380 | - | |
381 | + ClientPtr client = cl->client; | |
382 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
383 | return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
384 | } | |
385 | ||
4db25562 | 386 | @@ -517,7 +529,8 @@ int |
7217e0ca ML |
387 | __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) |
388 | { | |
389 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
390 | - | |
391 | + ClientPtr client = cl->client; | |
392 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
393 | return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
394 | } | |
395 | ||
4db25562 | 396 | @@ -525,6 +538,7 @@ int |
7217e0ca ML |
397 | __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) |
398 | { | |
399 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
400 | - | |
401 | + ClientPtr client = cl->client; | |
402 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
403 | return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
404 | } | |
4db25562 JB |
405 | --- a/glx/singlepixswap.c |
406 | +++ b/glx/singlepixswap.c | |
407 | @@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientStat | |
7217e0ca ML |
408 | int error; |
409 | char *answer, answerBuffer[200]; | |
410 | ||
411 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); | |
412 | + | |
413 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
414 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
415 | if (!cx) { | |
4db25562 | 416 | @@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientSta |
7217e0ca ML |
417 | char *answer, answerBuffer[200]; |
418 | GLint width = 0, height = 0, depth = 1; | |
419 | ||
420 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); | |
421 | + | |
422 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
423 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
424 | if (!cx) { | |
4db25562 | 425 | @@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXcli |
7217e0ca ML |
426 | |
427 | __GLX_DECLARE_SWAP_VARIABLES; | |
428 | ||
429 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); | |
430 | + | |
431 | __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); | |
432 | cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); | |
433 | if (!cx) { | |
4db25562 | 434 | @@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl |
7217e0ca ML |
435 | compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); |
436 | compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); | |
437 | ||
438 | - if (compsize < 0) | |
439 | + if ((compsize = safe_pad(compsize)) < 0) | |
440 | return BadLength; | |
441 | - if (compsize2 < 0) | |
442 | + if ((compsize2 = safe_pad(compsize2)) < 0) | |
443 | return BadLength; | |
444 | - compsize = __GLX_PAD(compsize); | |
445 | - compsize2 = __GLX_PAD(compsize2); | |
446 | ||
447 | glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); | |
448 | - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); | |
449 | + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); | |
450 | __glXClearErrorOccured(); | |
451 | glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), | |
452 | *(GLenum *) (pc + 8), answer, answer + compsize, NULL); | |
4db25562 | 453 | @@ -285,7 +289,9 @@ int |
7217e0ca ML |
454 | __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) |
455 | { | |
456 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
457 | + ClientPtr client = cl->client; | |
458 | ||
459 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
460 | return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
461 | } | |
462 | ||
4db25562 | 463 | @@ -293,7 +299,9 @@ int |
7217e0ca ML |
464 | __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) |
465 | { | |
466 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
467 | + ClientPtr client = cl->client; | |
468 | ||
469 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
470 | return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
471 | } | |
472 | ||
4db25562 | 473 | @@ -367,7 +375,9 @@ int |
7217e0ca ML |
474 | __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) |
475 | { | |
476 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
477 | + ClientPtr client = cl->client; | |
478 | ||
479 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
480 | return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
481 | } | |
482 | ||
4db25562 | 483 | @@ -375,7 +385,9 @@ int |
7217e0ca ML |
484 | __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) |
485 | { | |
486 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
487 | + ClientPtr client = cl->client; | |
488 | ||
489 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
490 | return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
491 | } | |
492 | ||
4db25562 | 493 | @@ -441,7 +453,9 @@ int |
7217e0ca ML |
494 | __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) |
495 | { | |
496 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
497 | + ClientPtr client = cl->client; | |
498 | ||
499 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
500 | return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
501 | } | |
502 | ||
4db25562 | 503 | @@ -449,7 +463,9 @@ int |
7217e0ca ML |
504 | __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) |
505 | { | |
506 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
507 | + ClientPtr client = cl->client; | |
508 | ||
509 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
510 | return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
511 | } | |
512 | ||
4db25562 | 513 | @@ -507,7 +523,9 @@ int |
7217e0ca ML |
514 | __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) |
515 | { | |
516 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
517 | + ClientPtr client = cl->client; | |
518 | ||
519 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
520 | return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
521 | } | |
522 | ||
4db25562 | 523 | @@ -515,7 +533,9 @@ int |
7217e0ca ML |
524 | __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) |
525 | { | |
526 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
527 | + ClientPtr client = cl->client; | |
528 | ||
529 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
530 | return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
531 | } | |
532 | ||
4db25562 | 533 | @@ -581,7 +601,9 @@ int |
7217e0ca ML |
534 | __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) |
535 | { | |
536 | const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); | |
537 | + ClientPtr client = cl->client; | |
538 | ||
539 | + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); | |
540 | return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); | |
541 | } | |
542 | ||
4db25562 | 543 | @@ -589,6 +611,8 @@ int |
7217e0ca ML |
544 | __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) |
545 | { | |
546 | const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); | |
547 | + ClientPtr client = cl->client; | |
548 | ||
549 | + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); | |
550 | return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); | |
551 | } |