repositories / deb_xorg-server.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Imported Debian patch 2:1.15.1-0ubuntu2.6
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0032-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
1 From d303d79450436a1ef04252c2a7e36870c2506f38 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:48 -0500
4 Subject: [PATCH 32/33] glx: Pass remaining request length into ->varsize (v2)
5 [CVE-2014-8098 8/8]
6
7 v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
8
9 Reviewed-by: Julien Cristau <jcristau@debian.org>
10 Reviewed-by: Michal Srb <msrb@suse.com>
11 Reviewed-by: Andy Ritger <aritger@nvidia.com>
12 Signed-off-by: Adam Jackson <ajax@redhat.com>
13 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
14 ---
15 glx/glxcmds.c | 7 +-
16 glx/glxserver.h | 2 +-
17 glx/indirect_reqsize.c | 142 +++++++++++++++++++------------------
18 glx/indirect_reqsize.h | 181 +++++++++++++++++++++++++++++-------------------
19 glx/rensize.c | 27 +++++---
20 5 files changed, 205 insertions(+), 154 deletions(-)
21
22 Index: xorg-server-1.15.1/glx/glxcmds.c
23 ===================================================================
24 --- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:57:06.345650678 -0500
25 +++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:57:06.337650627 -0500
26 @@ -2057,7 +2057,8 @@
27 if (entry.varsize) {
28 /* variable size command */
29 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
30 - client->swapped);
31 + client->swapped,
32 + left - __GLX_RENDER_HDR_SIZE);
33 if (extra < 0) {
34 return BadLength;
35 }
36 @@ -2134,6 +2135,7 @@
37 if (cl->largeCmdRequestsSoFar == 0) {
38 __GLXrenderSizeData entry;
39 int extra = 0;
40 + int left = (req->length << 2) - sz_xGLXRenderLargeReq;
41 size_t cmdlen;
42 int err;
43
44 @@ -2174,7 +2176,8 @@
45 ** will be in the 1st request, so it's okay to do this.
46 */
47 extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
48 - client->swapped);
49 + client->swapped,
50 + left - __GLX_RENDER_LARGE_HDR_SIZE);
51 if (extra < 0) {
52 return BadLength;
53 }
54 Index: xorg-server-1.15.1/glx/glxserver.h
55 ===================================================================
56 --- xorg-server-1.15.1.orig/glx/glxserver.h 2014-12-04 11:57:06.345650678 -0500
57 +++ xorg-server-1.15.1/glx/glxserver.h 2014-12-04 11:57:06.337650627 -0500
58 @@ -179,7 +179,7 @@
59 /*
60 * Tables for computing the size of each rendering command.
61 */
62 -typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
63 +typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
64
65 typedef struct {
66 int bytes;
67 Index: xorg-server-1.15.1/glx/indirect_reqsize.c
68 ===================================================================
69 --- xorg-server-1.15.1.orig/glx/indirect_reqsize.c 2014-12-04 11:57:06.345650678 -0500
70 +++ xorg-server-1.15.1/glx/indirect_reqsize.c 2014-12-04 11:57:06.337650627 -0500
71 @@ -31,24 +31,22 @@
72 #include "indirect_size.h"
73 #include "indirect_reqsize.h"
74
75 -#define __GLX_PAD(x) (((x) + 3) & ~3)
76 -
77 #if defined(__CYGWIN__) || defined(__MINGW32__)
78 #undef HAVE_ALIAS
79 #endif
80 #ifdef HAVE_ALIAS
81 #define ALIAS2(from,to) \
82 - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
83 + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
84 __attribute__ ((alias( # to )));
85 #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
86 #else
87 #define ALIAS(from,to) \
88 - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
89 - { return __glX ## to ## ReqSize( pc, swap ); }
90 + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
91 + { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
92 #endif
93
94 int
95 -__glXCallListsReqSize(const GLbyte * pc, Bool swap)
96 +__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
97 {
98 GLsizei n = *(GLsizei *) (pc + 0);
99 GLenum type = *(GLenum *) (pc + 4);
100 @@ -60,11 +58,11 @@
101 }
102
103 compsize = __glCallLists_size(type);
104 - return __GLX_PAD((compsize * n));
105 + return safe_pad(safe_mul(compsize, n));
106 }
107
108 int
109 -__glXBitmapReqSize(const GLbyte * pc, Bool swap)
110 +__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
111 {
112 GLint row_length = *(GLint *) (pc + 4);
113 GLint image_height = 0;
114 @@ -88,7 +86,7 @@
115 }
116
117 int
118 -__glXFogfvReqSize(const GLbyte * pc, Bool swap)
119 +__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
120 {
121 GLenum pname = *(GLenum *) (pc + 0);
122 GLsizei compsize;
123 @@ -98,11 +96,11 @@
124 }
125
126 compsize = __glFogfv_size(pname);
127 - return __GLX_PAD((compsize * 4));
128 + return safe_pad(safe_mul(compsize, 4));
129 }
130
131 int
132 -__glXLightfvReqSize(const GLbyte * pc, Bool swap)
133 +__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
134 {
135 GLenum pname = *(GLenum *) (pc + 4);
136 GLsizei compsize;
137 @@ -112,11 +110,11 @@
138 }
139
140 compsize = __glLightfv_size(pname);
141 - return __GLX_PAD((compsize * 4));
142 + return safe_pad(safe_mul(compsize, 4));
143 }
144
145 int
146 -__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
147 +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
148 {
149 GLenum pname = *(GLenum *) (pc + 0);
150 GLsizei compsize;
151 @@ -126,11 +124,11 @@
152 }
153
154 compsize = __glLightModelfv_size(pname);
155 - return __GLX_PAD((compsize * 4));
156 + return safe_pad(safe_mul(compsize, 4));
157 }
158
159 int
160 -__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
161 +__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
162 {
163 GLenum pname = *(GLenum *) (pc + 4);
164 GLsizei compsize;
165 @@ -140,11 +138,11 @@
166 }
167
168 compsize = __glMaterialfv_size(pname);
169 - return __GLX_PAD((compsize * 4));
170 + return safe_pad(safe_mul(compsize, 4));
171 }
172
173 int
174 -__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
175 +__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
176 {
177 GLint row_length = *(GLint *) (pc + 4);
178 GLint image_height = 0;
179 @@ -164,7 +162,7 @@
180 }
181
182 int
183 -__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
184 +__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
185 {
186 GLenum pname = *(GLenum *) (pc + 4);
187 GLsizei compsize;
188 @@ -174,11 +172,11 @@
189 }
190
191 compsize = __glTexParameterfv_size(pname);
192 - return __GLX_PAD((compsize * 4));
193 + return safe_pad(safe_mul(compsize, 4));
194 }
195
196 int
197 -__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
198 +__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
199 {
200 GLint row_length = *(GLint *) (pc + 4);
201 GLint image_height = 0;
202 @@ -206,7 +204,7 @@
203 }
204
205 int
206 -__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
207 +__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
208 {
209 GLint row_length = *(GLint *) (pc + 4);
210 GLint image_height = 0;
211 @@ -236,7 +234,7 @@
212 }
213
214 int
215 -__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
216 +__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
217 {
218 GLenum pname = *(GLenum *) (pc + 4);
219 GLsizei compsize;
220 @@ -246,11 +244,11 @@
221 }
222
223 compsize = __glTexEnvfv_size(pname);
224 - return __GLX_PAD((compsize * 4));
225 + return safe_pad(safe_mul(compsize, 4));
226 }
227
228 int
229 -__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
230 +__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
231 {
232 GLenum pname = *(GLenum *) (pc + 4);
233 GLsizei compsize;
234 @@ -260,11 +258,11 @@
235 }
236
237 compsize = __glTexGendv_size(pname);
238 - return __GLX_PAD((compsize * 8));
239 + return safe_pad(safe_mul(compsize, 8));
240 }
241
242 int
243 -__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
244 +__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
245 {
246 GLenum pname = *(GLenum *) (pc + 4);
247 GLsizei compsize;
248 @@ -274,11 +272,11 @@
249 }
250
251 compsize = __glTexGenfv_size(pname);
252 - return __GLX_PAD((compsize * 4));
253 + return safe_pad(safe_mul(compsize, 4));
254 }
255
256 int
257 -__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
258 +__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
259 {
260 GLsizei mapsize = *(GLsizei *) (pc + 4);
261
262 @@ -286,11 +284,11 @@
263 mapsize = bswap_32(mapsize);
264 }
265
266 - return __GLX_PAD((mapsize * 4));
267 + return safe_pad(safe_mul(mapsize, 4));
268 }
269
270 int
271 -__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
272 +__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
273 {
274 GLsizei mapsize = *(GLsizei *) (pc + 4);
275
276 @@ -298,11 +296,11 @@
277 mapsize = bswap_32(mapsize);
278 }
279
280 - return __GLX_PAD((mapsize * 2));
281 + return safe_pad(safe_mul(mapsize, 2));
282 }
283
284 int
285 -__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
286 +__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
287 {
288 GLint row_length = *(GLint *) (pc + 4);
289 GLint image_height = 0;
290 @@ -330,7 +328,7 @@
291 }
292
293 int
294 -__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
295 +__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
296 {
297 GLsizei n = *(GLsizei *) (pc + 0);
298
299 @@ -338,11 +336,11 @@
300 n = bswap_32(n);
301 }
302
303 - return __GLX_PAD((n * 4) + (n * 4));
304 + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
305 }
306
307 int
308 -__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
309 +__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
310 {
311 GLint row_length = *(GLint *) (pc + 4);
312 GLint image_height = 0;
313 @@ -370,7 +368,7 @@
314 }
315
316 int
317 -__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
318 +__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
319 {
320 GLint row_length = *(GLint *) (pc + 4);
321 GLint image_height = 0;
322 @@ -400,7 +398,7 @@
323 }
324
325 int
326 -__glXColorTableReqSize(const GLbyte * pc, Bool swap)
327 +__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
328 {
329 GLint row_length = *(GLint *) (pc + 4);
330 GLint image_height = 0;
331 @@ -428,7 +426,7 @@
332 }
333
334 int
335 -__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
336 +__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
337 {
338 GLenum pname = *(GLenum *) (pc + 4);
339 GLsizei compsize;
340 @@ -438,11 +436,11 @@
341 }
342
343 compsize = __glColorTableParameterfv_size(pname);
344 - return __GLX_PAD((compsize * 4));
345 + return safe_pad(safe_mul(compsize, 4));
346 }
347
348 int
349 -__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
350 +__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
351 {
352 GLint row_length = *(GLint *) (pc + 4);
353 GLint image_height = 0;
354 @@ -470,7 +468,7 @@
355 }
356
357 int
358 -__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
359 +__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
360 {
361 GLint row_length = *(GLint *) (pc + 4);
362 GLint image_height = 0;
363 @@ -498,7 +496,7 @@
364 }
365
366 int
367 -__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
368 +__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
369 {
370 GLint row_length = *(GLint *) (pc + 4);
371 GLint image_height = 0;
372 @@ -528,7 +526,7 @@
373 }
374
375 int
376 -__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
377 +__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
378 {
379 GLenum pname = *(GLenum *) (pc + 4);
380 GLsizei compsize;
381 @@ -538,11 +536,11 @@
382 }
383
384 compsize = __glConvolutionParameterfv_size(pname);
385 - return __GLX_PAD((compsize * 4));
386 + return safe_pad(safe_mul(compsize, 4));
387 }
388
389 int
390 -__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
391 +__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
392 {
393 GLint row_length = *(GLint *) (pc + 4);
394 GLint image_height = *(GLint *) (pc + 8);
395 @@ -579,7 +577,7 @@
396 }
397
398 int
399 -__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
400 +__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
401 {
402 GLint row_length = *(GLint *) (pc + 4);
403 GLint image_height = *(GLint *) (pc + 8);
404 @@ -613,7 +611,7 @@
405 }
406
407 int
408 -__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
409 +__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
410 {
411 GLsizei imageSize = *(GLsizei *) (pc + 20);
412
413 @@ -621,11 +619,11 @@
414 imageSize = bswap_32(imageSize);
415 }
416
417 - return __GLX_PAD(imageSize);
418 + return safe_pad(imageSize);
419 }
420
421 int
422 -__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
423 +__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
424 {
425 GLsizei imageSize = *(GLsizei *) (pc + 24);
426
427 @@ -633,11 +631,11 @@
428 imageSize = bswap_32(imageSize);
429 }
430
431 - return __GLX_PAD(imageSize);
432 + return safe_pad(imageSize);
433 }
434
435 int
436 -__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
437 +__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
438 {
439 GLsizei imageSize = *(GLsizei *) (pc + 28);
440
441 @@ -645,11 +643,11 @@
442 imageSize = bswap_32(imageSize);
443 }
444
445 - return __GLX_PAD(imageSize);
446 + return safe_pad(imageSize);
447 }
448
449 int
450 -__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
451 +__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
452 {
453 GLsizei imageSize = *(GLsizei *) (pc + 36);
454
455 @@ -657,11 +655,11 @@
456 imageSize = bswap_32(imageSize);
457 }
458
459 - return __GLX_PAD(imageSize);
460 + return safe_pad(imageSize);
461 }
462
463 int
464 -__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
465 +__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
466 {
467 GLenum pname = *(GLenum *) (pc + 0);
468 GLsizei compsize;
469 @@ -671,11 +669,11 @@
470 }
471
472 compsize = __glPointParameterfv_size(pname);
473 - return __GLX_PAD((compsize * 4));
474 + return safe_pad(safe_mul(compsize, 4));
475 }
476
477 int
478 -__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
479 +__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
480 {
481 GLsizei n = *(GLsizei *) (pc + 0);
482
483 @@ -683,11 +681,11 @@
484 n = bswap_32(n);
485 }
486
487 - return __GLX_PAD((n * 4));
488 + return safe_pad(safe_mul(n, 4));
489 }
490
491 int
492 -__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
493 +__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
494 {
495 GLsizei len = *(GLsizei *) (pc + 8);
496
497 @@ -695,11 +693,11 @@
498 len = bswap_32(len);
499 }
500
501 - return __GLX_PAD(len);
502 + return safe_pad(len);
503 }
504
505 int
506 -__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
507 +__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
508 {
509 GLsizei n = *(GLsizei *) (pc + 4);
510
511 @@ -707,11 +705,11 @@
512 n = bswap_32(n);
513 }
514
515 - return __GLX_PAD((n * 8));
516 + return safe_pad(safe_mul(n, 8));
517 }
518
519 int
520 -__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
521 +__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
522 {
523 GLsizei n = *(GLsizei *) (pc + 4);
524
525 @@ -719,11 +717,11 @@
526 n = bswap_32(n);
527 }
528
529 - return __GLX_PAD((n * 16));
530 + return safe_pad(safe_mul(n, 16));
531 }
532
533 int
534 -__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
535 +__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
536 {
537 GLsizei n = *(GLsizei *) (pc + 4);
538
539 @@ -731,11 +729,11 @@
540 n = bswap_32(n);
541 }
542
543 - return __GLX_PAD((n * 24));
544 + return safe_pad(safe_mul(n, 24));
545 }
546
547 int
548 -__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
549 +__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
550 {
551 GLsizei n = *(GLsizei *) (pc + 4);
552
553 @@ -743,11 +741,11 @@
554 n = bswap_32(n);
555 }
556
557 - return __GLX_PAD((n * 12));
558 + return safe_pad(safe_mul(n, 12));
559 }
560
561 int
562 -__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
563 +__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
564 {
565 GLsizei n = *(GLsizei *) (pc + 4);
566
567 @@ -755,11 +753,11 @@
568 n = bswap_32(n);
569 }
570
571 - return __GLX_PAD((n * 6));
572 + return safe_pad(safe_mul(n, 6));
573 }
574
575 int
576 -__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
577 +__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
578 {
579 GLsizei n = *(GLsizei *) (pc + 4);
580
581 @@ -767,7 +765,7 @@
582 n = bswap_32(n);
583 }
584
585 - return __GLX_PAD((n * 32));
586 + return safe_pad(safe_mul(n, 32));
587 }
588
589 ALIAS(Fogiv, Fogfv)
590 Index: xorg-server-1.15.1/glx/indirect_reqsize.h
591 ===================================================================
592 --- xorg-server-1.15.1.orig/glx/indirect_reqsize.h 2014-12-04 11:57:06.345650678 -0500
593 +++ xorg-server-1.15.1/glx/indirect_reqsize.h 2014-12-04 11:57:06.337650627 -0500
594 @@ -36,115 +36,156 @@
595 #define PURE
596 #endif
597
598 -extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
599 -extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
600 -extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
601 -extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
602 -extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
603 -extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
604 -extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
605 - Bool swap);
606 -extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
607 - Bool swap);
608 -extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
609 -extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
610 +extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
611 + int reqlen);
612 +extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
613 + int reqlen);
614 +extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
615 + int reqlen);
616 +extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
617 + int reqlen);
618 +extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
619 + int reqlen);
620 +extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
621 + int reqlen);
622 +extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
623 + int reqlen);
624 +extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
625 + int reqlen);
626 +extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
627 + int reqlen);
628 +extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
629 + int reqlen);
630 extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
631 - Bool swap);
632 + Bool swap, int reqlen);
633 extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
634 - Bool swap);
635 + Bool swap, int reqlen);
636 extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
637 - Bool swap);
638 -extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
639 -extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
640 -extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
641 -extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
642 -extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
643 -extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
644 -extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
645 -extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
646 -extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
647 -extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
648 -extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
649 -extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
650 -extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
651 -extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
652 -extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
653 -extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
654 + Bool swap, int reqlen);
655 +extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
656 + int reqlen);
657 +extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
658 + int reqlen);
659 +extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
660 + int reqlen);
661 +extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
662 + int reqlen);
663 +extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
664 + int reqlen);
665 +extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
666 + int reqlen);
667 +extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
668 + int reqlen);
669 +extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
670 + int reqlen);
671 +extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
672 + int reqlen);
673 +extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
674 + int reqlen);
675 +extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
676 + int reqlen);
677 +extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
678 + int reqlen);
679 +extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
680 + int reqlen);
681 +extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
682 + int reqlen);
683 +extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
684 + int reqlen);
685 +extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
686 + int reqlen);
687 extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
688 - Bool swap);
689 + Bool swap, int reqlen);
690 extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
691 - Bool swap);
692 + Bool swap, int reqlen);
693 extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
694 - Bool swap);
695 -extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
696 + Bool swap, int reqlen);
697 +extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
698 + int reqlen);
699 extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
700 - Bool swap);
701 + Bool swap,
702 + int reqlen);
703 extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
704 - Bool swap);
705 + Bool swap,
706 + int reqlen);
707 extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
708 - Bool swap);
709 + Bool swap, int reqlen);
710 extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
711 - Bool swap);
712 + Bool swap,
713 + int reqlen);
714 extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
715 - Bool swap);
716 + Bool swap,
717 + int reqlen);
718 extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
719 - Bool swap);
720 + Bool swap,
721 + int reqlen);
722 extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
723 - Bool swap);
724 + Bool swap,
725 + int reqlen);
726 extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
727 - Bool swap);
728 -extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
729 + Bool swap, int reqlen);
730 +extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
731 + int reqlen);
732 extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
733 - Bool swap);
734 + Bool swap, int reqlen);
735 extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc,
736 - Bool swap);
737 + Bool swap,
738 + int reqlen);
739 extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc,
740 - Bool swap);
741 + Bool swap,
742 + int reqlen);
743 extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc,
744 - Bool swap);
745 + Bool swap,
746 + int reqlen);
747 extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc,
748 - Bool swap);
749 + Bool swap,
750 + int reqlen);
751 extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc,
752 - Bool swap);
753 + Bool swap,
754 + int reqlen);
755 extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc,
756 - Bool swap);
757 + Bool swap,
758 + int reqlen);
759 extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc,
760 - Bool swap);
761 + Bool swap, int reqlen);
762 extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc,
763 - Bool swap);
764 -extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap);
765 + Bool swap, int reqlen);
766 +extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap,
767 + int reqlen);
768 extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
769 - Bool swap);
770 + Bool swap, int reqlen);
771 extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc,
772 - Bool swap);
773 + Bool swap, int reqlen);
774 extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc,
775 - Bool swap);
776 + Bool swap,
777 + int reqlen);
778 extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
779 - Bool swap);
780 + Bool swap, int reqlen);
781 extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
782 - Bool swap);
783 + Bool swap, int reqlen);
784 extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
785 - Bool swap);
786 + Bool swap, int reqlen);
787 extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
788 - Bool swap);
789 + Bool swap, int reqlen);
790 extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
791 - Bool swap);
792 + Bool swap, int reqlen);
793 extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
794 - Bool swap);
795 + Bool swap, int reqlen);
796 extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
797 - Bool swap);
798 + Bool swap, int reqlen);
799 extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
800 - Bool swap);
801 + Bool swap, int reqlen);
802 extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
803 - Bool swap);
804 + Bool swap, int reqlen);
805 extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
806 - Bool swap);
807 + Bool swap, int reqlen);
808 extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
809 - Bool swap);
810 + Bool swap, int reqlen);
811 extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
812 - Bool swap);
813 + Bool swap, int reqlen);
814 extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
815 - Bool swap);
816 + Bool swap,
817 + int reqlen);
818
819 #undef PURE
820
821 Index: xorg-server-1.15.1/glx/rensize.c
822 ===================================================================
823 --- xorg-server-1.15.1.orig/glx/rensize.c 2014-12-04 11:57:06.345650678 -0500
824 +++ xorg-server-1.15.1/glx/rensize.c 2014-12-04 11:57:06.341650652 -0500
825 @@ -44,7 +44,7 @@
826 ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
827
828 int
829 -__glXMap1dReqSize(const GLbyte * pc, Bool swap)
830 +__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
831 {
832 GLenum target;
833 GLint order;
834 @@ -61,7 +61,7 @@
835 }
836
837 int
838 -__glXMap1fReqSize(const GLbyte * pc, Bool swap)
839 +__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
840 {
841 GLenum target;
842 GLint order;
843 @@ -86,7 +86,7 @@
844 }
845
846 int
847 -__glXMap2dReqSize(const GLbyte * pc, Bool swap)
848 +__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
849 {
850 GLenum target;
851 GLint uorder, vorder;
852 @@ -103,7 +103,7 @@
853 }
854
855 int
856 -__glXMap2fReqSize(const GLbyte * pc, Bool swap)
857 +__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
858 {
859 GLenum target;
860 GLint uorder, vorder;
861 @@ -359,13 +359,14 @@
862 }
863
864 int
865 -__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
866 +__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
867 {
868 __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
869 __GLXdispatchDrawArraysComponentHeader *compHeader;
870 GLint numVertexes = hdr->numVertexes;
871 GLint numComponents = hdr->numComponents;
872 GLint arrayElementSize = 0;
873 + GLint x, size;
874 int i;
875
876 if (swap) {
877 @@ -374,6 +375,13 @@
878 }
879
880 pc += sizeof(__GLXdispatchDrawArraysHeader);
881 + reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
882 +
883 + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
884 + numComponents);
885 + if (size < 0 || reqlen < 0 || reqlen < size)
886 + return -1;
887 +
888 compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
889
890 for (i = 0; i < numComponents; i++) {
891 @@ -417,17 +425,18 @@
892 return -1;
893 }
894
895 - arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
896 + x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
897 + if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
898 + return -1;
899
900 pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
901 }
902
903 - return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
904 - (numVertexes * arrayElementSize));
905 + return safe_add(size, safe_mul(numVertexes, arrayElementSize));
906 }
907
908 int
909 -__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
910 +__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
911 {
912 __GLXdispatchConvolutionFilterHeader *hdr =
913 (__GLXdispatchConvolutionFilterHeader *) pc;
xorg-server Piment Noir Debian package repository