repositories / deb_xorg-server.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Imported Debian patch 2:1.15.1-0ubuntu2.6
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0032-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
CommitLineData
7217e0ca
ML		 1From d303d79450436a1ef04252c2a7e36870c2506f38 Mon Sep 17 00:00:00 2001
2From: Adam Jackson <ajax@redhat.com>
3Date: Mon, 10 Nov 2014 12:13:48 -0500
4Subject: [PATCH 32/33] glx: Pass remaining request length into ->varsize (v2)
5 [CVE-2014-8098 8/8]
6
7v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
8
9Reviewed-by: Julien Cristau <jcristau@debian.org>
10Reviewed-by: Michal Srb <msrb@suse.com>
11Reviewed-by: Andy Ritger <aritger@nvidia.com>
12Signed-off-by: Adam Jackson <ajax@redhat.com>
13Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
14---
15 glx/glxcmds.c | 7 +-
16 glx/glxserver.h | 2 +-
17 glx/indirect_reqsize.c | 142 +++++++++++++++++++------------------
18 glx/indirect_reqsize.h | 181 +++++++++++++++++++++++++++++-------------------
19 glx/rensize.c | 27 +++++---
20 5 files changed, 205 insertions(+), 154 deletions(-)
21
22Index: xorg-server-1.15.1/glx/glxcmds.c
23===================================================================
24--- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:57:06.345650678 -0500
25+++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:57:06.337650627 -0500
26@@ -2057,7 +2057,8 @@
27 if (entry.varsize) {
28 /* variable size command */
29 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
30- client->swapped);
31+ client->swapped,
32+ left - __GLX_RENDER_HDR_SIZE);
33 if (extra < 0) {
34 return BadLength;
35 }
36@@ -2134,6 +2135,7 @@
37 if (cl->largeCmdRequestsSoFar == 0) {
38 __GLXrenderSizeData entry;
39 int extra = 0;
40+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
41 size_t cmdlen;
42 int err;
43
44@@ -2174,7 +2176,8 @@
45 ** will be in the 1st request, so it's okay to do this.
46 */
47 extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
48- client->swapped);
49+ client->swapped,
50+ left - __GLX_RENDER_LARGE_HDR_SIZE);
51 if (extra < 0) {
52 return BadLength;
53 }
54Index: xorg-server-1.15.1/glx/glxserver.h
55===================================================================
56--- xorg-server-1.15.1.orig/glx/glxserver.h 2014-12-04 11:57:06.345650678 -0500
57+++ xorg-server-1.15.1/glx/glxserver.h 2014-12-04 11:57:06.337650627 -0500
58@@ -179,7 +179,7 @@
59 /*
60 * Tables for computing the size of each rendering command.
61 */
62-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
63+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
64
65 typedef struct {
66 int bytes;
67Index: xorg-server-1.15.1/glx/indirect_reqsize.c
68===================================================================
69--- xorg-server-1.15.1.orig/glx/indirect_reqsize.c 2014-12-04 11:57:06.345650678 -0500
70+++ xorg-server-1.15.1/glx/indirect_reqsize.c 2014-12-04 11:57:06.337650627 -0500
71@@ -31,24 +31,22 @@
72 #include "indirect_size.h"
73 #include "indirect_reqsize.h"
74
75-#define __GLX_PAD(x) (((x) + 3) & ~3)
76-
77 #if defined(__CYGWIN__) || defined(__MINGW32__)
78 #undef HAVE_ALIAS
79 #endif
80 #ifdef HAVE_ALIAS
81 #define ALIAS2(from,to) \
82- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
83+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
84 __attribute__ ((alias( # to )));
85 #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
86 #else
87 #define ALIAS(from,to) \
88- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
89- { return __glX ## to ## ReqSize( pc, swap ); }
90+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
91+ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
92 #endif
93
94 int
95-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
96+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
97 {
98 GLsizei n = *(GLsizei *) (pc + 0);
99 GLenum type = *(GLenum *) (pc + 4);
100@@ -60,11 +58,11 @@
101 }
102
103 compsize = __glCallLists_size(type);
104- return __GLX_PAD((compsize * n));
105+ return safe_pad(safe_mul(compsize, n));
106 }
107
108 int
109-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
110+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
111 {
112 GLint row_length = *(GLint *) (pc + 4);
113 GLint image_height = 0;
114@@ -88,7 +86,7 @@
115 }
116
117 int
118-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
119+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
120 {
121 GLenum pname = *(GLenum *) (pc + 0);
122 GLsizei compsize;
123@@ -98,11 +96,11 @@
124 }
125
126 compsize = __glFogfv_size(pname);
127- return __GLX_PAD((compsize * 4));
128+ return safe_pad(safe_mul(compsize, 4));
129 }
130
131 int
132-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
133+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
134 {
135 GLenum pname = *(GLenum *) (pc + 4);
136 GLsizei compsize;
137@@ -112,11 +110,11 @@
138 }
139
140 compsize = __glLightfv_size(pname);
141- return __GLX_PAD((compsize * 4));
142+ return safe_pad(safe_mul(compsize, 4));
143 }
144
145 int
146-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
147+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
148 {
149 GLenum pname = *(GLenum *) (pc + 0);
150 GLsizei compsize;
151@@ -126,11 +124,11 @@
152 }
153
154 compsize = __glLightModelfv_size(pname);
155- return __GLX_PAD((compsize * 4));
156+ return safe_pad(safe_mul(compsize, 4));
157 }
158
159 int
160-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
161+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
162 {
163 GLenum pname = *(GLenum *) (pc + 4);
164 GLsizei compsize;
165@@ -140,11 +138,11 @@
166 }
167
168 compsize = __glMaterialfv_size(pname);
169- return __GLX_PAD((compsize * 4));
170+ return safe_pad(safe_mul(compsize, 4));
171 }
172
173 int
174-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
175+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
176 {
177 GLint row_length = *(GLint *) (pc + 4);
178 GLint image_height = 0;
179@@ -164,7 +162,7 @@
180 }
181
182 int
183-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
184+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
185 {
186 GLenum pname = *(GLenum *) (pc + 4);
187 GLsizei compsize;
188@@ -174,11 +172,11 @@
189 }
190
191 compsize = __glTexParameterfv_size(pname);
192- return __GLX_PAD((compsize * 4));
193+ return safe_pad(safe_mul(compsize, 4));
194 }
195
196 int
197-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
198+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
199 {
200 GLint row_length = *(GLint *) (pc + 4);
201 GLint image_height = 0;
202@@ -206,7 +204,7 @@
203 }
204
205 int
206-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
207+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
208 {
209 GLint row_length = *(GLint *) (pc + 4);
210 GLint image_height = 0;
211@@ -236,7 +234,7 @@
212 }
213
214 int
215-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
216+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
217 {
218 GLenum pname = *(GLenum *) (pc + 4);
219 GLsizei compsize;
220@@ -246,11 +244,11 @@
221 }
222
223 compsize = __glTexEnvfv_size(pname);
224- return __GLX_PAD((compsize * 4));
225+ return safe_pad(safe_mul(compsize, 4));
226 }
227
228 int
229-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
230+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
231 {
232 GLenum pname = *(GLenum *) (pc + 4);
233 GLsizei compsize;
234@@ -260,11 +258,11 @@
235 }
236
237 compsize = __glTexGendv_size(pname);
238- return __GLX_PAD((compsize * 8));
239+ return safe_pad(safe_mul(compsize, 8));
240 }
241
242 int
243-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
244+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
245 {
246 GLenum pname = *(GLenum *) (pc + 4);
247 GLsizei compsize;
248@@ -274,11 +272,11 @@
249 }
250
251 compsize = __glTexGenfv_size(pname);
252- return __GLX_PAD((compsize * 4));
253+ return safe_pad(safe_mul(compsize, 4));
254 }
255
256 int
257-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
258+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
259 {
260 GLsizei mapsize = *(GLsizei *) (pc + 4);
261
262@@ -286,11 +284,11 @@
263 mapsize = bswap_32(mapsize);
264 }
265
266- return __GLX_PAD((mapsize * 4));
267+ return safe_pad(safe_mul(mapsize, 4));
268 }
269
270 int
271-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
272+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
273 {
274 GLsizei mapsize = *(GLsizei *) (pc + 4);
275
276@@ -298,11 +296,11 @@
277 mapsize = bswap_32(mapsize);
278 }
279
280- return __GLX_PAD((mapsize * 2));
281+ return safe_pad(safe_mul(mapsize, 2));
282 }
283
284 int
285-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
286+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
287 {
288 GLint row_length = *(GLint *) (pc + 4);
289 GLint image_height = 0;
290@@ -330,7 +328,7 @@
291 }
292
293 int
294-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
295+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
296 {
297 GLsizei n = *(GLsizei *) (pc + 0);
298
299@@ -338,11 +336,11 @@
300 n = bswap_32(n);
301 }
302
303- return __GLX_PAD((n * 4) + (n * 4));
304+ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
305 }
306
307 int
308-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
309+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
310 {
311 GLint row_length = *(GLint *) (pc + 4);
312 GLint image_height = 0;
313@@ -370,7 +368,7 @@
314 }
315
316 int
317-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
318+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
319 {
320 GLint row_length = *(GLint *) (pc + 4);
321 GLint image_height = 0;
322@@ -400,7 +398,7 @@
323 }
324
325 int
326-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
327+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
328 {
329 GLint row_length = *(GLint *) (pc + 4);
330 GLint image_height = 0;
331@@ -428,7 +426,7 @@
332 }
333
334 int
335-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
336+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
337 {
338 GLenum pname = *(GLenum *) (pc + 4);
339 GLsizei compsize;
340@@ -438,11 +436,11 @@
341 }
342
343 compsize = __glColorTableParameterfv_size(pname);
344- return __GLX_PAD((compsize * 4));
345+ return safe_pad(safe_mul(compsize, 4));
346 }
347
348 int
349-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
350+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
351 {
352 GLint row_length = *(GLint *) (pc + 4);
353 GLint image_height = 0;
354@@ -470,7 +468,7 @@
355 }
356
357 int
358-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
359+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
360 {
361 GLint row_length = *(GLint *) (pc + 4);
362 GLint image_height = 0;
363@@ -498,7 +496,7 @@
364 }
365
366 int
367-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
368+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
369 {
370 GLint row_length = *(GLint *) (pc + 4);
371 GLint image_height = 0;
372@@ -528,7 +526,7 @@
373 }
374
375 int
376-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
377+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
378 {
379 GLenum pname = *(GLenum *) (pc + 4);
380 GLsizei compsize;
381@@ -538,11 +536,11 @@
382 }
383
384 compsize = __glConvolutionParameterfv_size(pname);
385- return __GLX_PAD((compsize * 4));
386+ return safe_pad(safe_mul(compsize, 4));
387 }
388
389 int
390-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
391+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
392 {
393 GLint row_length = *(GLint *) (pc + 4);
394 GLint image_height = *(GLint *) (pc + 8);
395@@ -579,7 +577,7 @@
396 }
397
398 int
399-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
400+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
401 {
402 GLint row_length = *(GLint *) (pc + 4);
403 GLint image_height = *(GLint *) (pc + 8);
404@@ -613,7 +611,7 @@
405 }
406
407 int
408-__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
409+__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
410 {
411 GLsizei imageSize = *(GLsizei *) (pc + 20);
412
413@@ -621,11 +619,11 @@
414 imageSize = bswap_32(imageSize);
415 }
416
417- return __GLX_PAD(imageSize);
418+ return safe_pad(imageSize);
419 }
420
421 int
422-__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
423+__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
424 {
425 GLsizei imageSize = *(GLsizei *) (pc + 24);
426
427@@ -633,11 +631,11 @@
428 imageSize = bswap_32(imageSize);
429 }
430
431- return __GLX_PAD(imageSize);
432+ return safe_pad(imageSize);
433 }
434
435 int
436-__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
437+__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
438 {
439 GLsizei imageSize = *(GLsizei *) (pc + 28);
440
441@@ -645,11 +643,11 @@
442 imageSize = bswap_32(imageSize);
443 }
444
445- return __GLX_PAD(imageSize);
446+ return safe_pad(imageSize);
447 }
448
449 int
450-__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
451+__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
452 {
453 GLsizei imageSize = *(GLsizei *) (pc + 36);
454
455@@ -657,11 +655,11 @@
456 imageSize = bswap_32(imageSize);
457 }
458
459- return __GLX_PAD(imageSize);
460+ return safe_pad(imageSize);
461 }
462
463 int
464-__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
465+__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
466 {
467 GLenum pname = *(GLenum *) (pc + 0);
468 GLsizei compsize;
469@@ -671,11 +669,11 @@
470 }
471
472 compsize = __glPointParameterfv_size(pname);
473- return __GLX_PAD((compsize * 4));
474+ return safe_pad(safe_mul(compsize, 4));
475 }
476
477 int
478-__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
479+__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
480 {
481 GLsizei n = *(GLsizei *) (pc + 0);
482
483@@ -683,11 +681,11 @@
484 n = bswap_32(n);
485 }
486
487- return __GLX_PAD((n * 4));
488+ return safe_pad(safe_mul(n, 4));
489 }
490
491 int
492-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
493+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
494 {
495 GLsizei len = *(GLsizei *) (pc + 8);
496
497@@ -695,11 +693,11 @@
498 len = bswap_32(len);
499 }
500
501- return __GLX_PAD(len);
502+ return safe_pad(len);
503 }
504
505 int
506-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
507+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
508 {
509 GLsizei n = *(GLsizei *) (pc + 4);
510
511@@ -707,11 +705,11 @@
512 n = bswap_32(n);
513 }
514
515- return __GLX_PAD((n * 8));
516+ return safe_pad(safe_mul(n, 8));
517 }
518
519 int
520-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
521+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
522 {
523 GLsizei n = *(GLsizei *) (pc + 4);
524
525@@ -719,11 +717,11 @@
526 n = bswap_32(n);
527 }
528
529- return __GLX_PAD((n * 16));
530+ return safe_pad(safe_mul(n, 16));
531 }
532
533 int
534-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
535+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
536 {
537 GLsizei n = *(GLsizei *) (pc + 4);
538
539@@ -731,11 +729,11 @@
540 n = bswap_32(n);
541 }
542
543- return __GLX_PAD((n * 24));
544+ return safe_pad(safe_mul(n, 24));
545 }
546
547 int
548-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
549+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
550 {
551 GLsizei n = *(GLsizei *) (pc + 4);
552
553@@ -743,11 +741,11 @@
554 n = bswap_32(n);
555 }
556
557- return __GLX_PAD((n * 12));
558+ return safe_pad(safe_mul(n, 12));
559 }
560
561 int
562-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
563+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
564 {
565 GLsizei n = *(GLsizei *) (pc + 4);
566
567@@ -755,11 +753,11 @@
568 n = bswap_32(n);
569 }
570
571- return __GLX_PAD((n * 6));
572+ return safe_pad(safe_mul(n, 6));
573 }
574
575 int
576-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
577+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
578 {
579 GLsizei n = *(GLsizei *) (pc + 4);
580
581@@ -767,7 +765,7 @@
582 n = bswap_32(n);
583 }
584
585- return __GLX_PAD((n * 32));
586+ return safe_pad(safe_mul(n, 32));
587 }
588
589 ALIAS(Fogiv, Fogfv)
590Index: xorg-server-1.15.1/glx/indirect_reqsize.h
591===================================================================
592--- xorg-server-1.15.1.orig/glx/indirect_reqsize.h 2014-12-04 11:57:06.345650678 -0500
593+++ xorg-server-1.15.1/glx/indirect_reqsize.h 2014-12-04 11:57:06.337650627 -0500
594@@ -36,115 +36,156 @@
595 #define PURE
596 #endif
597
598-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
599-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
600-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
601-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
602-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
603-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
604-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
605- Bool swap);
606-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
607- Bool swap);
608-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
609-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
610+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
611+ int reqlen);
612+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
613+ int reqlen);
614+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
615+ int reqlen);
616+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
617+ int reqlen);
618+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
619+ int reqlen);
620+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
621+ int reqlen);
622+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
623+ int reqlen);
624+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
625+ int reqlen);
626+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
627+ int reqlen);
628+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
629+ int reqlen);
630 extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
631- Bool swap);
632+ Bool swap, int reqlen);
633 extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
634- Bool swap);
635+ Bool swap, int reqlen);
636 extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
637- Bool swap);
638-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
639-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
640-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
641-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
642-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
643-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
644-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
645-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
646-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
647-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
648-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
649-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
650-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
651-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
652-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
653-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
654+ Bool swap, int reqlen);
655+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
656+ int reqlen);
657+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
658+ int reqlen);
659+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
660+ int reqlen);
661+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
662+ int reqlen);
663+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
664+ int reqlen);
665+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
666+ int reqlen);
667+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
668+ int reqlen);
669+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
670+ int reqlen);
671+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
672+ int reqlen);
673+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
674+ int reqlen);
675+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
676+ int reqlen);
677+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
678+ int reqlen);
679+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
680+ int reqlen);
681+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
682+ int reqlen);
683+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
684+ int reqlen);
685+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
686+ int reqlen);
687 extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
688- Bool swap);
689+ Bool swap, int reqlen);
690 extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
691- Bool swap);
692+ Bool swap, int reqlen);
693 extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
694- Bool swap);
695-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
696+ Bool swap, int reqlen);
697+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
698+ int reqlen);
699 extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
700- Bool swap);
701+ Bool swap,
702+ int reqlen);
703 extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
704- Bool swap);
705+ Bool swap,
706+ int reqlen);
707 extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
708- Bool swap);
709+ Bool swap, int reqlen);
710 extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
711- Bool swap);
712+ Bool swap,
713+ int reqlen);
714 extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
715- Bool swap);
716+ Bool swap,
717+ int reqlen);
718 extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
719- Bool swap);
720+ Bool swap,
721+ int reqlen);
722 extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
723- Bool swap);
724+ Bool swap,
725+ int reqlen);
726 extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
727- Bool swap);
728-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
729+ Bool swap, int reqlen);
730+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
731+ int reqlen);
732 extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
733- Bool swap);
734+ Bool swap, int reqlen);
735 extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc,
736- Bool swap);
737+ Bool swap,
738+ int reqlen);
739 extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc,
740- Bool swap);
741+ Bool swap,
742+ int reqlen);
743 extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc,
744- Bool swap);
745+ Bool swap,
746+ int reqlen);
747 extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc,
748- Bool swap);
749+ Bool swap,
750+ int reqlen);
751 extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc,
752- Bool swap);
753+ Bool swap,
754+ int reqlen);
755 extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc,
756- Bool swap);
757+ Bool swap,
758+ int reqlen);
759 extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc,
760- Bool swap);
761+ Bool swap, int reqlen);
762 extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc,
763- Bool swap);
764-extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap);
765+ Bool swap, int reqlen);
766+extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap,
767+ int reqlen);
768 extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
769- Bool swap);
770+ Bool swap, int reqlen);
771 extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc,
772- Bool swap);
773+ Bool swap, int reqlen);
774 extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc,
775- Bool swap);
776+ Bool swap,
777+ int reqlen);
778 extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
779- Bool swap);
780+ Bool swap, int reqlen);
781 extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
782- Bool swap);
783+ Bool swap, int reqlen);
784 extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
785- Bool swap);
786+ Bool swap, int reqlen);
787 extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
788- Bool swap);
789+ Bool swap, int reqlen);
790 extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
791- Bool swap);
792+ Bool swap, int reqlen);
793 extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
794- Bool swap);
795+ Bool swap, int reqlen);
796 extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
797- Bool swap);
798+ Bool swap, int reqlen);
799 extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
800- Bool swap);
801+ Bool swap, int reqlen);
802 extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
803- Bool swap);
804+ Bool swap, int reqlen);
805 extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
806- Bool swap);
807+ Bool swap, int reqlen);
808 extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
809- Bool swap);
810+ Bool swap, int reqlen);
811 extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
812- Bool swap);
813+ Bool swap, int reqlen);
814 extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
815- Bool swap);
816+ Bool swap,
817+ int reqlen);
818
819 #undef PURE
820
821Index: xorg-server-1.15.1/glx/rensize.c
822===================================================================
823--- xorg-server-1.15.1.orig/glx/rensize.c 2014-12-04 11:57:06.345650678 -0500
824+++ xorg-server-1.15.1/glx/rensize.c 2014-12-04 11:57:06.341650652 -0500
825@@ -44,7 +44,7 @@
826 ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
827
828 int
829-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
830+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
831 {
832 GLenum target;
833 GLint order;
834@@ -61,7 +61,7 @@
835 }
836
837 int
838-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
839+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
840 {
841 GLenum target;
842 GLint order;
843@@ -86,7 +86,7 @@
844 }
845
846 int
847-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
848+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
849 {
850 GLenum target;
851 GLint uorder, vorder;
852@@ -103,7 +103,7 @@
853 }
854
855 int
856-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
857+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
858 {
859 GLenum target;
860 GLint uorder, vorder;
861@@ -359,13 +359,14 @@
862 }
863
864 int
865-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
866+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
867 {
868 __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
869 __GLXdispatchDrawArraysComponentHeader *compHeader;
870 GLint numVertexes = hdr->numVertexes;
871 GLint numComponents = hdr->numComponents;
872 GLint arrayElementSize = 0;
873+ GLint x, size;
874 int i;
875
876 if (swap) {
877@@ -374,6 +375,13 @@
878 }
879
880 pc += sizeof(__GLXdispatchDrawArraysHeader);
881+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
882+
883+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
884+ numComponents);
885+ if (size < 0 || reqlen < 0 || reqlen < size)
886+ return -1;
887+
888 compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
889
890 for (i = 0; i < numComponents; i++) {
891@@ -417,17 +425,18 @@
892 return -1;
893 }
894
895- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
896+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
897+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
898+ return -1;
899
900 pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
901 }
902
903- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
904- (numVertexes * arrayElementSize));
905+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
906 }
907
908 int
909-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
910+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
911 {
912 __GLXdispatchConvolutionFilterHeader *hdr =
913 (__GLXdispatchConvolutionFilterHeader *) pc;
xorg-server Piment Noir Debian package repository