1 From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:45 -0500
4 Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB
7 Reviewed-by: Keith Packard <keithp@keithp.com>
8 Reviewed-by: Julien Cristau <jcristau@debian.org>
9 Reviewed-by: Michal Srb <msrb@suse.com>
10 Reviewed-by: Andy Ritger <aritger@nvidia.com>
11 Signed-off-by: Adam Jackson <ajax@redhat.com>
12 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
14 glx/clientinfo.c | 19 ++++++++++++++-----
15 1 file changed, 14 insertions(+), 5 deletions(-)
17 diff --git a/glx/clientinfo.c b/glx/clientinfo.c
18 index 4aaa4c9..c5fef30 100644
19 --- a/glx/clientinfo.c
20 +++ b/glx/clientinfo.c
21 @@ -33,18 +33,21 @@ static int
22 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
23 unsigned bytes_per_version)
25 + ClientPtr client = cl->client;
29 + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
31 /* Verify that the size of the packet matches the size inferred from the
32 * sizes specified for the various fields.
34 - const unsigned expected_size = sz_xGLXSetClientInfoARBReq
35 - + (req->numVersions * bytes_per_version)
36 - + __GLX_PAD(req->numGLExtensionBytes)
37 - + __GLX_PAD(req->numGLXExtensionBytes);
38 + int size = sz_xGLXSetClientInfoARBReq;
39 + size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
40 + size = safe_add(size, safe_pad(req->numGLExtensionBytes));
41 + size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
43 - if (req->length != (expected_size / 4))
44 + if (size < 0 || req->length != (size / 4))
47 /* Verify that the actual length of the GL extension string matches what's
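Review bot: The final comparison `req->length != (size / 4)` validates the computed size against the length field carried inside the request, which the client controls, rather than against the length the server recorded when it read the request. `REQUEST_AT_LEAST_SIZE` only establishes that the fixed header is present, so the extension-string checks that follow depend on `req->length` agreeing with what was actually received; whether the dispatch layer guarantees that is not visible here. Comparing with the server-side length, `if (size < 0 || client->req_len != (size / 4))`, would remove that assumption. A comment should also state that `safe_mul`, `safe_pad` and `safe_add` are expected to return a negative value on overflow and to propagate it, since the single `size < 0` test relies on that. The body of `set_client_info` continues outside the hunk.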
48 @@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
50 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
52 + ClientPtr client = cl->client;
53 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
55 + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
57 req->length = bswap_16(req->length);
58 req->numVersions = bswap_32(req->numVersions);
59 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
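Review bot: Nothing in the code records that `REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);` must stay ahead of the `bswap_*` assignments, yet that ordering is what stops the in-place swaps from reading and rewriting header fields of a truncated request. The macro's early return and its reliance on the local `client`, which appears to exist only for it, are also hidden from a reader. A short comment above the macro would protect the ordering from later refactoring, e.g. `/* Must precede the swaps: they rewrite req fields in place, and this returns BadLength if the fixed header is short. */`. The same applies to the identical prologue added to `__glXDispSwap_SetClientInfo2ARB` in the next hunk. Both function bodies continue outside their hunks.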
60 @@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
62 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
64 + ClientPtr client = cl->client;
65 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
67 + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
69 req->length = bswap_16(req->length);
70 req->numVersions = bswap_32(req->numVersions);
71 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);