[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0031-glx-Length-checking-for-non-generated-single-request.patch

From 4ab40b2b60f4f841f75250e1e60c1624d8212cd4 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:47 -0500
Subject: [PATCH 31/33] glx: Length checking for non-generated single requests
 (v2) [CVE-2014-8098 7/8]

v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)

v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)

Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/indirect_texture_compression.c |    4 ++++
 glx/single2.c                      |   23 +++++++++++++++----
 glx/single2swap.c                  |   19 ++++++++++++----
 glx/singlepix.c                    |   44 ++++++++++++++++++++++++------------
 glx/singlepixswap.c                |   34 ++++++++++++++++++++++++----
 5 files changed, 95 insertions(+), 29 deletions(-)

Index: xorg-server-1.15.1/glx/indirect_texture_compression.c
===================================================================
--- xorg-server-1.15.1.orig/glx/indirect_texture_compression.c	2014-12-04 11:56:48.021535287 -0500
+++ xorg-server-1.15.1/glx/indirect_texture_compression.c	2014-12-04 11:56:48.017535262 -0500
@@ -43,6 +43,8 @@
     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
     ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     pc += __GLX_SINGLE_HDR_SIZE;
     if (cx != NULL) {
         const GLenum target = *(GLenum *) (pc + 0);
@@ -85,6 +87,8 @@
         __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
     ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     pc += __GLX_SINGLE_HDR_SIZE;
     if (cx != NULL) {
         const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
Index: xorg-server-1.15.1/glx/single2.c
===================================================================
--- xorg-server-1.15.1.orig/glx/single2.c	2014-12-04 11:56:48.021535287 -0500
+++ xorg-server-1.15.1/glx/single2.c	2014-12-04 11:56:48.017535262 -0500
@@ -45,11 +45,14 @@
 int
 __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     GLsizei size;
     GLenum type;
     __GLXcontext *cx;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -76,10 +79,13 @@
 int
 __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLsizei size;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -104,7 +110,7 @@
 int
 __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     xGLXRenderModeReply reply;
     __GLXcontext *cx;
     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -112,6 +118,8 @@
     GLenum newMode;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -188,7 +196,6 @@
      ** selection array, as per the API for glRenderMode itself.
      */
  noChangeAllowed:;
-    client = cl->client;
     reply = (xGLXRenderModeReply) {
         .type = X_Reply,
         .sequenceNumber = client->sequence,
@@ -207,9 +214,12 @@
 int
 __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -223,10 +233,12 @@
 int
 __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
-    ClientPtr client;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -317,7 +329,7 @@
 int
 DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLenum name;
     const char *string;
@@ -327,6 +339,8 @@
     char *buf = NULL, *buf1 = NULL;
     GLint length = 0;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     /* If the client has the opposite byte order, swap the contextTag and
      * the name.
      */
@@ -343,7 +357,6 @@
     pc += __GLX_SINGLE_HDR_SIZE;
     name = *(GLenum *) (pc + 0);
     string = (const char *) glGetString(name);
-    client = cl->client;
 
     if (string == NULL)
         string = "";
Index: xorg-server-1.15.1/glx/single2swap.c
===================================================================
--- xorg-server-1.15.1.orig/glx/single2swap.c	2014-12-04 11:56:48.021535287 -0500
+++ xorg-server-1.15.1/glx/single2swap.c	2014-12-04 11:56:48.017535262 -0500
@@ -41,6 +41,7 @@
 int
 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     GLsizei size;
     GLenum type;
 
@@ -48,6 +49,8 @@
     __GLXcontext *cx;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -77,12 +80,15 @@
 int
 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLsizei size;
 
     __GLX_DECLARE_SWAP_VARIABLES;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -109,7 +115,7 @@
 int
 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     xGLXRenderModeReply reply;
     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -120,6 +126,8 @@
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -200,7 +208,6 @@
      ** selection array, as per the API for glRenderMode itself.
      */
  noChangeAllowed:;
-    client = cl->client;
     reply = (xGLXRenderModeReply) {
         .type = X_Reply,
         .sequenceNumber = client->sequence,
@@ -224,11 +231,14 @@
 int
 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     int error;
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -243,12 +253,14 @@
 int
 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
-    ClientPtr client;
     int error;
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -260,7 +272,6 @@
     cx->hasUnflushedCommands = GL_FALSE;
 
     /* Send empty reply packet to indicate finish is finished */
-    client = cl->client;
     __GLX_BEGIN_REPLY(0);
     __GLX_PUT_RETVAL(0);
     __GLX_SWAP_REPLY_HEADER();
Index: xorg-server-1.15.1/glx/singlepix.c
===================================================================
--- xorg-server-1.15.1.orig/glx/singlepix.c	2014-12-04 11:56:48.021535287 -0500
+++ xorg-server-1.15.1/glx/singlepix.c	2014-12-04 11:56:48.017535262 -0500
@@ -51,6 +51,8 @@
     int error;
     char *answer, answerBuffer[200];
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -100,6 +102,8 @@
     char *answer, answerBuffer[200];
     GLint width = 0, height = 0, depth = 1;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -157,6 +161,8 @@
     GLubyte answerBuffer[200];
     char *answer;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -217,15 +223,13 @@
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
 
-    if (compsize < 0)
+    if ((compsize = safe_pad(compsize)) < 0)
         return BadLength;
-    if (compsize2 < 0)
+    if ((compsize2 = safe_pad(compsize2)) < 0)
         return BadLength;
-    compsize = __GLX_PAD(compsize);
-    compsize2 = __GLX_PAD(compsize2);
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
     __glXClearErrorOccured();
     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -249,7 +253,8 @@
 __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -257,7 +262,8 @@
 __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -323,7 +329,8 @@
 __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -331,7 +338,8 @@
 __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -390,7 +398,8 @@
 __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -398,7 +407,8 @@
 __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -450,7 +460,8 @@
 __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -458,7 +469,8 @@
 __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -517,7 +529,8 @@
 __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -525,6 +538,7 @@
 __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
Index: xorg-server-1.15.1/glx/singlepixswap.c
===================================================================
--- xorg-server-1.15.1.orig/glx/singlepixswap.c	2014-12-04 11:56:48.021535287 -0500
+++ xorg-server-1.15.1/glx/singlepixswap.c	2014-12-04 11:56:48.017535262 -0500
@@ -53,6 +53,8 @@
     int error;
     char *answer, answerBuffer[200];
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -114,6 +116,8 @@
     char *answer, answerBuffer[200];
     GLint width = 0, height = 0, depth = 1;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -184,6 +188,8 @@
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -251,15 +257,13 @@
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
 
-    if (compsize < 0)
+    if ((compsize = safe_pad(compsize)) < 0)
         return BadLength;
-    if (compsize2 < 0)
+    if ((compsize2 = safe_pad(compsize2)) < 0)
         return BadLength;
-    compsize = __GLX_PAD(compsize);
-    compsize2 = __GLX_PAD(compsize2);
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
     __glXClearErrorOccured();
     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -285,7 +289,9 @@
 __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -293,7 +299,9 @@
 __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -367,7 +375,9 @@
 __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -375,7 +385,9 @@
 __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -441,7 +453,9 @@
 __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -449,7 +463,9 @@
 __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -507,7 +523,9 @@
 __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -515,7 +533,9 @@
 __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -581,7 +601,9 @@
 __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -589,6 +611,8 @@
 __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
Commit	Line	Data
7217e0ca ML	1	From 4ab40b2b60f4f841f75250e1e60c1624d8212cd4 Mon Sep 17 00:00:00 2001
	2	From: Adam Jackson <ajax@redhat.com>
	3	Date: Mon, 10 Nov 2014 12:13:47 -0500
	4	Subject: [PATCH 31/33] glx: Length checking for non-generated single requests
	5	(v2) [CVE-2014-8098 7/8]
	6
	7	v2:
	8	Fix single versus vendor-private length checking for ARB_imaging subset
	9	extensions. (Julien Cristau)
	10
	11	v3:
	12	Fix single versus vendor-private length checking for ARB_imaging subset
	13	extensions. (Julien Cristau)
	14
	15	Reviewed-by: Michal Srb <msrb@suse.com>
	16	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	17	Signed-off-by: Adam Jackson <ajax@redhat.com>
	18	Signed-off-by: Julien Cristau <jcristau@debian.org>
	19	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	20	---
	21	glx/indirect_texture_compression.c \| 4 ++++
	22	glx/single2.c \| 23 +++++++++++++++----
	23	glx/single2swap.c \| 19 ++++++++++++----
	24	glx/singlepix.c \| 44 ++++++++++++++++++++++++------------
	25	glx/singlepixswap.c \| 34 ++++++++++++++++++++++++----
	26	5 files changed, 95 insertions(+), 29 deletions(-)
	27
	28	Index: xorg-server-1.15.1/glx/indirect_texture_compression.c
	29	===================================================================
	30	--- xorg-server-1.15.1.orig/glx/indirect_texture_compression.c 2014-12-04 11:56:48.021535287 -0500
	31	+++ xorg-server-1.15.1/glx/indirect_texture_compression.c 2014-12-04 11:56:48.017535262 -0500
	32	@@ -43,6 +43,8 @@
	33	__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
	34	ClientPtr client = cl->client;
	35
	36	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
	37	+
	38	pc += __GLX_SINGLE_HDR_SIZE;
	39	if (cx != NULL) {
	40	const GLenum target = (GLenum ) (pc + 0);
	41	@@ -85,6 +87,8 @@
	42	__glXForceCurrent(cl, bswap_32(req->contextTag), &error);
	43	ClientPtr client = cl->client;
	44
	45	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
	46	+
	47	pc += __GLX_SINGLE_HDR_SIZE;
	48	if (cx != NULL) {
	49	const GLenum target = (GLenum) bswap_32((int ) (pc + 0));
	50	Index: xorg-server-1.15.1/glx/single2.c
	51	===================================================================
	52	--- xorg-server-1.15.1.orig/glx/single2.c 2014-12-04 11:56:48.021535287 -0500
	53	+++ xorg-server-1.15.1/glx/single2.c 2014-12-04 11:56:48.017535262 -0500
	54	@@ -45,11 +45,14 @@
	55	int
	56	__glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
	57	{
	58	+ ClientPtr client = cl->client;
	59	GLsizei size;
	60	GLenum type;
	61	__GLXcontext *cx;
	62	int error;
	63
	64	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
65	+
66	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
67	if (!cx) {
68	return error;
69	@@ -76,10 +79,13 @@
70	int
71	__glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
72	{
73	+ ClientPtr client = cl->client;
74	__GLXcontext *cx;
75	GLsizei size;
76	int error;
77
78	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
79	+
80	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
81	if (!cx) {
82	return error;
83	@@ -104,7 +110,7 @@
84	int
85	__glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
86	{
87	- ClientPtr client;
88	+ ClientPtr client = cl->client;
89	xGLXRenderModeReply reply;
90	__GLXcontext *cx;
91	GLint nitems = 0, retBytes = 0, retval, newModeCheck;
92	@@ -112,6 +118,8 @@
93	GLenum newMode;
94	int error;
95
96	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
97	+
98	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
99	if (!cx) {
100	return error;
101	@@ -188,7 +196,6 @@
102	** selection array, as per the API for glRenderMode itself.
103	*/
104	noChangeAllowed:;
105	- client = cl->client;
106	reply = (xGLXRenderModeReply) {
107	.type = X_Reply,
108	.sequenceNumber = client->sequence,
109	@@ -207,9 +214,12 @@
110	int
111	__glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
112	{
113	+ ClientPtr client = cl->client;
114	__GLXcontext *cx;
115	int error;
116
117	+ REQUEST_SIZE_MATCH(xGLXSingleReq);
118	+
119	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
120	if (!cx) {
121	return error;
122	@@ -223,10 +233,12 @@
123	int
124	__glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
125	{
126	+ ClientPtr client = cl->client;
127	__GLXcontext *cx;
128	- ClientPtr client;
129	int error;
130
131	+ REQUEST_SIZE_MATCH(xGLXSingleReq);
132	+
133	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
134	if (!cx) {
135	return error;
136	@@ -317,7 +329,7 @@
137	int
138	DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
139	{
140	- ClientPtr client;
141	+ ClientPtr client = cl->client;
142	__GLXcontext *cx;
143	GLenum name;
144	const char *string;
145	@@ -327,6 +339,8 @@
146	char buf = NULL, buf1 = NULL;
147	GLint length = 0;
148
149	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
150	+
151	/* If the client has the opposite byte order, swap the contextTag and
152	* the name.
153	*/
154	@@ -343,7 +357,6 @@
155	pc += __GLX_SINGLE_HDR_SIZE;
156	name = (GLenum ) (pc + 0);
157	string = (const char *) glGetString(name);
158	- client = cl->client;
159
160	if (string == NULL)
161	string = "";
162	Index: xorg-server-1.15.1/glx/single2swap.c
163	===================================================================
164	--- xorg-server-1.15.1.orig/glx/single2swap.c 2014-12-04 11:56:48.021535287 -0500
165	+++ xorg-server-1.15.1/glx/single2swap.c 2014-12-04 11:56:48.017535262 -0500
166	@@ -41,6 +41,7 @@
167	int
168	__glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
169	{
170	+ ClientPtr client = cl->client;
171	GLsizei size;
172	GLenum type;
173
174	@@ -48,6 +49,8 @@
175	__GLXcontext *cx;
176	int error;
177
178	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
179	+
180	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
181	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
182	if (!cx) {
183	@@ -77,12 +80,15 @@
184	int
185	__glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
186	{
187	+ ClientPtr client = cl->client;
188	__GLXcontext *cx;
189	GLsizei size;
190
191	__GLX_DECLARE_SWAP_VARIABLES;
192	int error;
193
194	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
195	+
196	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
197	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
198	if (!cx) {
199	@@ -109,7 +115,7 @@
200	int
201	__glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
202	{
203	- ClientPtr client;
204	+ ClientPtr client = cl->client;
205	__GLXcontext *cx;
206	xGLXRenderModeReply reply;
207	GLint nitems = 0, retBytes = 0, retval, newModeCheck;
208	@@ -120,6 +126,8 @@
209	__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
210	int error;
211
212	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
213	+
214	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
215	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
216	if (!cx) {
217	@@ -200,7 +208,6 @@
218	** selection array, as per the API for glRenderMode itself.
219	*/
220	noChangeAllowed:;
221	- client = cl->client;
222	reply = (xGLXRenderModeReply) {
223	.type = X_Reply,
224	.sequenceNumber = client->sequence,
225	@@ -224,11 +231,14 @@
226	int
227	__glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
228	{
229	+ ClientPtr client = cl->client;
230	__GLXcontext *cx;
231	int error;
232
233	__GLX_DECLARE_SWAP_VARIABLES;
234
235	+ REQUEST_SIZE_MATCH(xGLXSingleReq);
236	+
237	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
238	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
239	if (!cx) {
240	@@ -243,12 +253,14 @@
241	int
242	__glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
243	{
244	+ ClientPtr client = cl->client;
245	__GLXcontext *cx;
246	- ClientPtr client;
247	int error;
248
249	__GLX_DECLARE_SWAP_VARIABLES;
250
251	+ REQUEST_SIZE_MATCH(xGLXSingleReq);
252	+
253	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
254	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
255	if (!cx) {
256	@@ -260,7 +272,6 @@
257	cx->hasUnflushedCommands = GL_FALSE;
258
259	/* Send empty reply packet to indicate finish is finished */
260	- client = cl->client;
261	__GLX_BEGIN_REPLY(0);
262	__GLX_PUT_RETVAL(0);
263	__GLX_SWAP_REPLY_HEADER();
264	Index: xorg-server-1.15.1/glx/singlepix.c
265	===================================================================
266	--- xorg-server-1.15.1.orig/glx/singlepix.c 2014-12-04 11:56:48.021535287 -0500
267	+++ xorg-server-1.15.1/glx/singlepix.c 2014-12-04 11:56:48.017535262 -0500
268	@@ -51,6 +51,8 @@
269	int error;
270	char *answer, answerBuffer[200];
271
272	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
273	+
274	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
275	if (!cx) {
276	return error;
277	@@ -100,6 +102,8 @@
278	char *answer, answerBuffer[200];
279	GLint width = 0, height = 0, depth = 1;
280
281	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
282	+
283	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
284	if (!cx) {
285	return error;
286	@@ -157,6 +161,8 @@
287	GLubyte answerBuffer[200];
288	char *answer;
289
290	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
291	+
292	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
293	if (!cx) {
294	return error;
295	@@ -217,15 +223,13 @@
296	compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
297	compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
298
299	- if (compsize < 0)
300	+ if ((compsize = safe_pad(compsize)) < 0)
301	return BadLength;
302	- if (compsize2 < 0)
303	+ if ((compsize2 = safe_pad(compsize2)) < 0)
304	return BadLength;
305	- compsize = __GLX_PAD(compsize);
306	- compsize2 = __GLX_PAD(compsize2);
307
308	glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
309	- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
310	+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
311	__glXClearErrorOccured();
312	glGetSeparableFilter((GLenum ) (pc + 0), (GLenum ) (pc + 4),
313	(GLenum ) (pc + 8), answer, answer + compsize, NULL);
314	@@ -249,7 +253,8 @@
315	__glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
316	{
317	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
318	-
319	+ ClientPtr client = cl->client;
320	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
321	return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
322	}
323
324	@@ -257,7 +262,8 @@
325	__glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
326	{
327	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
328	-
329	+ ClientPtr client = cl->client;
330	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
331	return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
332	}
333
334	@@ -323,7 +329,8 @@
335	__glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
336	{
337	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
338	-
339	+ ClientPtr client = cl->client;
340	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
341	return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
342	}
343
344	@@ -331,7 +338,8 @@
345	__glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
346	{
347	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
348	-
349	+ ClientPtr client = cl->client;
350	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
351	return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
352	}
353
354	@@ -390,7 +398,8 @@
355	__glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
356	{
357	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
358	-
359	+ ClientPtr client = cl->client;
360	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
361	return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
362	}
363
364	@@ -398,7 +407,8 @@
365	__glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
366	{
367	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
368	-
369	+ ClientPtr client = cl->client;
370	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
371	return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
372	}
373
374	@@ -450,7 +460,8 @@
375	__glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
376	{
377	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
378	-
379	+ ClientPtr client = cl->client;
380	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
381	return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
382	}
383
384	@@ -458,7 +469,8 @@
385	__glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
386	{
387	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
388	-
389	+ ClientPtr client = cl->client;
390	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
391	return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
392	}
393
394	@@ -517,7 +529,8 @@
395	__glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
396	{
397	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
398	-
399	+ ClientPtr client = cl->client;
400	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
401	return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
402	}
403
404	@@ -525,6 +538,7 @@
405	__glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
406	{
407	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
408	-
409	+ ClientPtr client = cl->client;
410	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
411	return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
412	}
413	Index: xorg-server-1.15.1/glx/singlepixswap.c
414	===================================================================
415	--- xorg-server-1.15.1.orig/glx/singlepixswap.c 2014-12-04 11:56:48.021535287 -0500
416	+++ xorg-server-1.15.1/glx/singlepixswap.c 2014-12-04 11:56:48.017535262 -0500
417	@@ -53,6 +53,8 @@
418	int error;
419	char *answer, answerBuffer[200];
420
421	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
422	+
423	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
424	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
425	if (!cx) {
426	@@ -114,6 +116,8 @@
427	char *answer, answerBuffer[200];
428	GLint width = 0, height = 0, depth = 1;
429
430	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
431	+
432	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
433	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
434	if (!cx) {
435	@@ -184,6 +188,8 @@
436
437	__GLX_DECLARE_SWAP_VARIABLES;
438
439	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
440	+
441	__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
442	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
443	if (!cx) {
444	@@ -251,15 +257,13 @@
445	compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
446	compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
447
448	- if (compsize < 0)
449	+ if ((compsize = safe_pad(compsize)) < 0)
450	return BadLength;
451	- if (compsize2 < 0)
452	+ if ((compsize2 = safe_pad(compsize2)) < 0)
453	return BadLength;
454	- compsize = __GLX_PAD(compsize);
455	- compsize2 = __GLX_PAD(compsize2);
456
457	glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
458	- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
459	+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
460	__glXClearErrorOccured();
461	glGetSeparableFilter((GLenum ) (pc + 0), (GLenum ) (pc + 4),
462	(GLenum ) (pc + 8), answer, answer + compsize, NULL);
463	@@ -285,7 +289,9 @@
464	__glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
465	{
466	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
467	+ ClientPtr client = cl->client;
468
469	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
470	return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
471	}
472
473	@@ -293,7 +299,9 @@
474	__glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
475	{
476	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
477	+ ClientPtr client = cl->client;
478
479	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
480	return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
481	}
482
483	@@ -367,7 +375,9 @@
484	__glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
485	{
486	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
487	+ ClientPtr client = cl->client;
488
489	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
490	return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
491	}
492
493	@@ -375,7 +385,9 @@
494	__glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
495	{
496	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
497	+ ClientPtr client = cl->client;
498
499	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
500	return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
501	}
502
503	@@ -441,7 +453,9 @@
504	__glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
505	{
506	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
507	+ ClientPtr client = cl->client;
508
509	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
510	return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
511	}
512
513	@@ -449,7 +463,9 @@
514	__glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
515	{
516	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
517	+ ClientPtr client = cl->client;
518
519	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
520	return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
521	}
522
523	@@ -507,7 +523,9 @@
524	__glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
525	{
526	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
527	+ ClientPtr client = cl->client;
528
529	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
530	return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
531	}
532
533	@@ -515,7 +533,9 @@
534	__glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
535	{
536	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
537	+ ClientPtr client = cl->client;
538
539	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
540	return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
541	}
542
543	@@ -581,7 +601,9 @@
544	__glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
545	{
546	const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
547	+ ClientPtr client = cl->client;
548
549	+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
550	return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
551	}
552
553	@@ -589,6 +611,8 @@
554	__glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
555	{
556	const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
557	+ ClientPtr client = cl->client;
558
559	+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
560	return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
561	}