1 From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001
2 From: Julien Cristau <jcristau@debian.org>
3 Date: Mon, 10 Nov 2014 12:13:41 -0500
4 Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
8 Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
10 Reviewed-by: Adam Jackson <ajax@redhat.com>
11 Reviewed-by: Michal Srb <msrb@suse.com>
12 Reviewed-by: Andy Ritger <aritger@nvidia.com>
13 Signed-off-by: Julien Cristau <jcristau@debian.org>
14 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
16 glx/glxcmds.c | 21 ++++++++++-----------
17 1 file changed, 10 insertions(+), 11 deletions(-)
19 Index: xorg-server-1.15.1/glx/glxcmds.c
20 ===================================================================
21 --- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:56:07.897284200 -0500
22 +++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:56:07.893284176 -0500
24 left = (req->length << 2) - sz_xGLXRenderReq;
26 __GLXrenderSizeData entry;
29 __GLXdispatchRenderProcPtr proc;
40 ** Check for core opcodes and grab entry data.
42 @@ -2047,6 +2050,10 @@
43 return __glXError(GLXBadRenderRequest);
46 + if (cmdlen < entry.bytes) {
51 /* variable size command */
52 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
53 @@ -2054,17 +2061,9 @@
57 - if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
62 - /* constant size command */
63 - if (cmdlen != __GLX_PAD(entry.bytes)) {
67 - if (left < cmdlen) {
69 + if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {