repositories / deb_xorg-server.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ODROID-U3 xorg-server debian package fork :
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0032-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
1 From d303d79450436a1ef04252c2a7e36870c2506f38 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:48 -0500
4 Subject: [PATCH 32/33] glx: Pass remaining request length into ->varsize (v2)
5 [CVE-2014-8098 8/8]
6
7 v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
8
9 Reviewed-by: Julien Cristau <jcristau@debian.org>
10 Reviewed-by: Michal Srb <msrb@suse.com>
11 Reviewed-by: Andy Ritger <aritger@nvidia.com>
12 Signed-off-by: Adam Jackson <ajax@redhat.com>
13 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
14 ---
15 glx/glxcmds.c | 7 +-
16 glx/glxserver.h | 2 +-
17 glx/indirect_reqsize.c | 142 +++++++++++++++++++------------------
18 glx/indirect_reqsize.h | 181 +++++++++++++++++++++++++++++-------------------
19 glx/rensize.c | 27 +++++---
20 5 files changed, 205 insertions(+), 154 deletions(-)
21
22 --- a/glx/glxcmds.c
23 +++ b/glx/glxcmds.c
24 @@ -2057,7 +2057,8 @@ __glXDisp_Render(__GLXclientState * cl,
25 if (entry.varsize) {
26 /* variable size command */
27 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
28 - client->swapped);
29 + client->swapped,
30 + left - __GLX_RENDER_HDR_SIZE);
31 if (extra < 0) {
32 return BadLength;
33 }
34 @@ -2134,6 +2135,7 @@ __glXDisp_RenderLarge(__GLXclientState *
35 if (cl->largeCmdRequestsSoFar == 0) {
36 __GLXrenderSizeData entry;
37 int extra = 0;
38 + int left = (req->length << 2) - sz_xGLXRenderLargeReq;
39 size_t cmdlen;
40 int err;
41
42 @@ -2174,7 +2176,8 @@ __glXDisp_RenderLarge(__GLXclientState *
43 ** will be in the 1st request, so it's okay to do this.
44 */
45 extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
46 - client->swapped);
47 + client->swapped,
48 + left - __GLX_RENDER_LARGE_HDR_SIZE);
49 if (extra < 0) {
50 return BadLength;
51 }
52 --- a/glx/glxserver.h
53 +++ b/glx/glxserver.h
54 @@ -179,7 +179,7 @@ typedef int (*__GLXprocPtr) (__GLXclient
55 /*
56 * Tables for computing the size of each rendering command.
57 */
58 -typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
59 +typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
60
61 typedef struct {
62 int bytes;
63 --- a/glx/indirect_reqsize.c
64 +++ b/glx/indirect_reqsize.c
65 @@ -31,24 +31,22 @@
66 #include "indirect_size.h"
67 #include "indirect_reqsize.h"
68
69 -#define __GLX_PAD(x) (((x) + 3) & ~3)
70 -
71 #if defined(__CYGWIN__) || defined(__MINGW32__)
72 #undef HAVE_ALIAS
73 #endif
74 #ifdef HAVE_ALIAS
75 #define ALIAS2(from,to) \
76 - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
77 + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
78 __attribute__ ((alias( # to )));
79 #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
80 #else
81 #define ALIAS(from,to) \
82 - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
83 - { return __glX ## to ## ReqSize( pc, swap ); }
84 + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
85 + { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
86 #endif
87
88 int
89 -__glXCallListsReqSize(const GLbyte * pc, Bool swap)
90 +__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
91 {
92 GLsizei n = *(GLsizei *) (pc + 0);
93 GLenum type = *(GLenum *) (pc + 4);
94 @@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc,
95 }
96
97 compsize = __glCallLists_size(type);
98 - return __GLX_PAD((compsize * n));
99 + return safe_pad(safe_mul(compsize, n));
100 }
101
102 int
103 -__glXBitmapReqSize(const GLbyte * pc, Bool swap)
104 +__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
105 {
106 GLint row_length = *(GLint *) (pc + 4);
107 GLint image_height = 0;
108 @@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bo
109 }
110
111 int
112 -__glXFogfvReqSize(const GLbyte * pc, Bool swap)
113 +__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
114 {
115 GLenum pname = *(GLenum *) (pc + 0);
116 GLsizei compsize;
117 @@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Boo
118 }
119
120 compsize = __glFogfv_size(pname);
121 - return __GLX_PAD((compsize * 4));
122 + return safe_pad(safe_mul(compsize, 4));
123 }
124
125 int
126 -__glXLightfvReqSize(const GLbyte * pc, Bool swap)
127 +__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
128 {
129 GLenum pname = *(GLenum *) (pc + 4);
130 GLsizei compsize;
131 @@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, B
132 }
133
134 compsize = __glLightfv_size(pname);
135 - return __GLX_PAD((compsize * 4));
136 + return safe_pad(safe_mul(compsize, 4));
137 }
138
139 int
140 -__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
141 +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
142 {
143 GLenum pname = *(GLenum *) (pc + 0);
144 GLsizei compsize;
145 @@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte *
146 }
147
148 compsize = __glLightModelfv_size(pname);
149 - return __GLX_PAD((compsize * 4));
150 + return safe_pad(safe_mul(compsize, 4));
151 }
152
153 int
154 -__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
155 +__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
156 {
157 GLenum pname = *(GLenum *) (pc + 4);
158 GLsizei compsize;
159 @@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc
160 }
161
162 compsize = __glMaterialfv_size(pname);
163 - return __GLX_PAD((compsize * 4));
164 + return safe_pad(safe_mul(compsize, 4));
165 }
166
167 int
168 -__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
169 +__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
170 {
171 GLint row_length = *(GLint *) (pc + 4);
172 GLint image_height = 0;
173 @@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte
174 }
175
176 int
177 -__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
178 +__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
179 {
180 GLenum pname = *(GLenum *) (pc + 4);
181 GLsizei compsize;
182 @@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte
183 }
184
185 compsize = __glTexParameterfv_size(pname);
186 - return __GLX_PAD((compsize * 4));
187 + return safe_pad(safe_mul(compsize, 4));
188 }
189
190 int
191 -__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
192 +__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
193 {
194 GLint row_length = *(GLint *) (pc + 4);
195 GLint image_height = 0;
196 @@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc
197 }
198
199 int
200 -__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
201 +__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
202 {
203 GLint row_length = *(GLint *) (pc + 4);
204 GLint image_height = 0;
205 @@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc
206 }
207
208 int
209 -__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
210 +__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
211 {
212 GLenum pname = *(GLenum *) (pc + 4);
213 GLsizei compsize;
214 @@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc,
215 }
216
217 compsize = __glTexEnvfv_size(pname);
218 - return __GLX_PAD((compsize * 4));
219 + return safe_pad(safe_mul(compsize, 4));
220 }
221
222 int
223 -__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
224 +__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
225 {
226 GLenum pname = *(GLenum *) (pc + 4);
227 GLsizei compsize;
228 @@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc,
229 }
230
231 compsize = __glTexGendv_size(pname);
232 - return __GLX_PAD((compsize * 8));
233 + return safe_pad(safe_mul(compsize, 8));
234 }
235
236 int
237 -__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
238 +__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
239 {
240 GLenum pname = *(GLenum *) (pc + 4);
241 GLsizei compsize;
242 @@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc,
243 }
244
245 compsize = __glTexGenfv_size(pname);
246 - return __GLX_PAD((compsize * 4));
247 + return safe_pad(safe_mul(compsize, 4));
248 }
249
250 int
251 -__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
252 +__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
253 {
254 GLsizei mapsize = *(GLsizei *) (pc + 4);
255
256 @@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc
257 mapsize = bswap_32(mapsize);
258 }
259
260 - return __GLX_PAD((mapsize * 4));
261 + return safe_pad(safe_mul(mapsize, 4));
262 }
263
264 int
265 -__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
266 +__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
267 {
268 GLsizei mapsize = *(GLsizei *) (pc + 4);
269
270 @@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * p
271 mapsize = bswap_32(mapsize);
272 }
273
274 - return __GLX_PAD((mapsize * 2));
275 + return safe_pad(safe_mul(mapsize, 2));
276 }
277
278 int
279 -__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
280 +__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
281 {
282 GLint row_length = *(GLint *) (pc + 4);
283 GLint image_height = 0;
284 @@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc
285 }
286
287 int
288 -__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
289 +__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
290 {
291 GLsizei n = *(GLsizei *) (pc + 0);
292
293 @@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLb
294 n = bswap_32(n);
295 }
296
297 - return __GLX_PAD((n * 4) + (n * 4));
298 + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
299 }
300
301 int
302 -__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
303 +__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
304 {
305 GLint row_length = *(GLint *) (pc + 4);
306 GLint image_height = 0;
307 @@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte *
308 }
309
310 int
311 -__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
312 +__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
313 {
314 GLint row_length = *(GLint *) (pc + 4);
315 GLint image_height = 0;
316 @@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte *
317 }
318
319 int
320 -__glXColorTableReqSize(const GLbyte * pc, Bool swap)
321 +__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
322 {
323 GLint row_length = *(GLint *) (pc + 4);
324 GLint image_height = 0;
325 @@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc
326 }
327
328 int
329 -__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
330 +__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
331 {
332 GLenum pname = *(GLenum *) (pc + 4);
333 GLsizei compsize;
334 @@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const
335 }
336
337 compsize = __glColorTableParameterfv_size(pname);
338 - return __GLX_PAD((compsize * 4));
339 + return safe_pad(safe_mul(compsize, 4));
340 }
341
342 int
343 -__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
344 +__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
345 {
346 GLint row_length = *(GLint *) (pc + 4);
347 GLint image_height = 0;
348 @@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte *
349 }
350
351 int
352 -__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
353 +__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
354 {
355 GLint row_length = *(GLint *) (pc + 4);
356 GLint image_height = 0;
357 @@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GL
358 }
359
360 int
361 -__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
362 +__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
363 {
364 GLint row_length = *(GLint *) (pc + 4);
365 GLint image_height = 0;
366 @@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GL
367 }
368
369 int
370 -__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
371 +__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
372 {
373 GLenum pname = *(GLenum *) (pc + 4);
374 GLsizei compsize;
375 @@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const
376 }
377
378 compsize = __glConvolutionParameterfv_size(pname);
379 - return __GLX_PAD((compsize * 4));
380 + return safe_pad(safe_mul(compsize, 4));
381 }
382
383 int
384 -__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
385 +__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
386 {
387 GLint row_length = *(GLint *) (pc + 4);
388 GLint image_height = *(GLint *) (pc + 8);
389 @@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc
390 }
391
392 int
393 -__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
394 +__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
395 {
396 GLint row_length = *(GLint *) (pc + 4);
397 GLint image_height = *(GLint *) (pc + 8);
398 @@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte *
399 }
400
401 int
402 -__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
403 +__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
404 {
405 GLsizei imageSize = *(GLsizei *) (pc + 20);
406
407 @@ -621,11 +619,11 @@ __glXCompressedTexImage1DReqSize(const G
408 imageSize = bswap_32(imageSize);
409 }
410
411 - return __GLX_PAD(imageSize);
412 + return safe_pad(imageSize);
413 }
414
415 int
416 -__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
417 +__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
418 {
419 GLsizei imageSize = *(GLsizei *) (pc + 24);
420
421 @@ -633,11 +631,11 @@ __glXCompressedTexImage2DReqSize(const G
422 imageSize = bswap_32(imageSize);
423 }
424
425 - return __GLX_PAD(imageSize);
426 + return safe_pad(imageSize);
427 }
428
429 int
430 -__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
431 +__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
432 {
433 GLsizei imageSize = *(GLsizei *) (pc + 28);
434
435 @@ -645,11 +643,11 @@ __glXCompressedTexImage3DReqSize(const G
436 imageSize = bswap_32(imageSize);
437 }
438
439 - return __GLX_PAD(imageSize);
440 + return safe_pad(imageSize);
441 }
442
443 int
444 -__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
445 +__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
446 {
447 GLsizei imageSize = *(GLsizei *) (pc + 36);
448
449 @@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DReqSize(cons
450 imageSize = bswap_32(imageSize);
451 }
452
453 - return __GLX_PAD(imageSize);
454 + return safe_pad(imageSize);
455 }
456
457 int
458 -__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
459 +__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
460 {
461 GLenum pname = *(GLenum *) (pc + 0);
462 GLsizei compsize;
463 @@ -671,11 +669,11 @@ __glXPointParameterfvReqSize(const GLbyt
464 }
465
466 compsize = __glPointParameterfv_size(pname);
467 - return __GLX_PAD((compsize * 4));
468 + return safe_pad(safe_mul(compsize, 4));
469 }
470
471 int
472 -__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
473 +__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
474 {
475 GLsizei n = *(GLsizei *) (pc + 0);
476
477 @@ -683,11 +681,11 @@ __glXDrawBuffersReqSize(const GLbyte * p
478 n = bswap_32(n);
479 }
480
481 - return __GLX_PAD((n * 4));
482 + return safe_pad(safe_mul(n, 4));
483 }
484
485 int
486 -__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
487 +__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
488 {
489 GLsizei len = *(GLsizei *) (pc + 8);
490
491 @@ -695,11 +693,11 @@ __glXProgramStringARBReqSize(const GLbyt
492 len = bswap_32(len);
493 }
494
495 - return __GLX_PAD(len);
496 + return safe_pad(len);
497 }
498
499 int
500 -__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
501 +__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
502 {
503 GLsizei n = *(GLsizei *) (pc + 4);
504
505 @@ -707,11 +705,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb
506 n = bswap_32(n);
507 }
508
509 - return __GLX_PAD((n * 8));
510 + return safe_pad(safe_mul(n, 8));
511 }
512
513 int
514 -__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
515 +__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
516 {
517 GLsizei n = *(GLsizei *) (pc + 4);
518
519 @@ -719,11 +717,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb
520 n = bswap_32(n);
521 }
522
523 - return __GLX_PAD((n * 16));
524 + return safe_pad(safe_mul(n, 16));
525 }
526
527 int
528 -__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
529 +__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
530 {
531 GLsizei n = *(GLsizei *) (pc + 4);
532
533 @@ -731,11 +729,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb
534 n = bswap_32(n);
535 }
536
537 - return __GLX_PAD((n * 24));
538 + return safe_pad(safe_mul(n, 24));
539 }
540
541 int
542 -__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
543 +__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
544 {
545 GLsizei n = *(GLsizei *) (pc + 4);
546
547 @@ -743,11 +741,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb
548 n = bswap_32(n);
549 }
550
551 - return __GLX_PAD((n * 12));
552 + return safe_pad(safe_mul(n, 12));
553 }
554
555 int
556 -__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
557 +__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
558 {
559 GLsizei n = *(GLsizei *) (pc + 4);
560
561 @@ -755,11 +753,11 @@ __glXVertexAttribs3svNVReqSize(const GLb
562 n = bswap_32(n);
563 }
564
565 - return __GLX_PAD((n * 6));
566 + return safe_pad(safe_mul(n, 6));
567 }
568
569 int
570 -__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
571 +__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
572 {
573 GLsizei n = *(GLsizei *) (pc + 4);
574
575 @@ -767,7 +765,7 @@ __glXVertexAttribs4dvNVReqSize(const GLb
576 n = bswap_32(n);
577 }
578
579 - return __GLX_PAD((n * 32));
580 + return safe_pad(safe_mul(n, 32));
581 }
582
583 ALIAS(Fogiv, Fogfv)
584 --- a/glx/indirect_reqsize.h
585 +++ b/glx/indirect_reqsize.h
586 @@ -36,115 +36,156 @@
587 #define PURE
588 #endif
589
590 -extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
591 -extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
592 -extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
593 -extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
594 -extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
595 -extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
596 -extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
597 - Bool swap);
598 -extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
599 - Bool swap);
600 -extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
601 -extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
602 +extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
603 + int reqlen);
604 +extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
605 + int reqlen);
606 +extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
607 + int reqlen);
608 +extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
609 + int reqlen);
610 +extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
611 + int reqlen);
612 +extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
613 + int reqlen);
614 +extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
615 + int reqlen);
616 +extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
617 + int reqlen);
618 +extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
619 + int reqlen);
620 +extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
621 + int reqlen);
622 extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
623 - Bool swap);
624 + Bool swap, int reqlen);
625 extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
626 - Bool swap);
627 + Bool swap, int reqlen);
628 extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
629 - Bool swap);
630 -extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
631 -extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
632 -extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
633 -extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
634 -extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
635 -extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
636 -extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
637 -extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
638 -extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
639 -extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
640 -extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
641 -extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
642 -extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
643 -extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
644 -extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
645 -extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
646 + Bool swap, int reqlen);
647 +extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
648 + int reqlen);
649 +extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
650 + int reqlen);
651 +extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
652 + int reqlen);
653 +extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
654 + int reqlen);
655 +extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
656 + int reqlen);
657 +extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
658 + int reqlen);
659 +extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
660 + int reqlen);
661 +extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
662 + int reqlen);
663 +extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
664 + int reqlen);
665 +extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
666 + int reqlen);
667 +extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
668 + int reqlen);
669 +extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
670 + int reqlen);
671 +extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
672 + int reqlen);
673 +extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
674 + int reqlen);
675 +extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
676 + int reqlen);
677 +extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
678 + int reqlen);
679 extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
680 - Bool swap);
681 + Bool swap, int reqlen);
682 extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
683 - Bool swap);
684 + Bool swap, int reqlen);
685 extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
686 - Bool swap);
687 -extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
688 + Bool swap, int reqlen);
689 +extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
690 + int reqlen);
691 extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
692 - Bool swap);
693 + Bool swap,
694 + int reqlen);
695 extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
696 - Bool swap);
697 + Bool swap,
698 + int reqlen);
699 extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
700 - Bool swap);
701 + Bool swap, int reqlen);
702 extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
703 - Bool swap);
704 + Bool swap,
705 + int reqlen);
706 extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
707 - Bool swap);
708 + Bool swap,
709 + int reqlen);
710 extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
711 - Bool swap);
712 + Bool swap,
713 + int reqlen);
714 extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
715 - Bool swap);
716 + Bool swap,
717 + int reqlen);
718 extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
719 - Bool swap);
720 -extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
721 + Bool swap, int reqlen);
722 +extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
723 + int reqlen);
724 extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
725 - Bool swap);
726 + Bool swap, int reqlen);
727 extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc,
728 - Bool swap);
729 + Bool swap,
730 + int reqlen);
731 extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc,
732 - Bool swap);
733 + Bool swap,
734 + int reqlen);
735 extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc,
736 - Bool swap);
737 + Bool swap,
738 + int reqlen);
739 extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc,
740 - Bool swap);
741 + Bool swap,
742 + int reqlen);
743 extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc,
744 - Bool swap);
745 + Bool swap,
746 + int reqlen);
747 extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc,
748 - Bool swap);
749 + Bool swap,
750 + int reqlen);
751 extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc,
752 - Bool swap);
753 + Bool swap, int reqlen);
754 extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc,
755 - Bool swap);
756 -extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap);
757 + Bool swap, int reqlen);
758 +extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap,
759 + int reqlen);
760 extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
761 - Bool swap);
762 + Bool swap, int reqlen);
763 extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc,
764 - Bool swap);
765 + Bool swap, int reqlen);
766 extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc,
767 - Bool swap);
768 + Bool swap,
769 + int reqlen);
770 extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
771 - Bool swap);
772 + Bool swap, int reqlen);
773 extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
774 - Bool swap);
775 + Bool swap, int reqlen);
776 extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
777 - Bool swap);
778 + Bool swap, int reqlen);
779 extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
780 - Bool swap);
781 + Bool swap, int reqlen);
782 extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
783 - Bool swap);
784 + Bool swap, int reqlen);
785 extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
786 - Bool swap);
787 + Bool swap, int reqlen);
788 extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
789 - Bool swap);
790 + Bool swap, int reqlen);
791 extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
792 - Bool swap);
793 + Bool swap, int reqlen);
794 extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
795 - Bool swap);
796 + Bool swap, int reqlen);
797 extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
798 - Bool swap);
799 + Bool swap, int reqlen);
800 extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
801 - Bool swap);
802 + Bool swap, int reqlen);
803 extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
804 - Bool swap);
805 + Bool swap, int reqlen);
806 extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
807 - Bool swap);
808 + Bool swap,
809 + int reqlen);
810
811 #undef PURE
812
813 --- a/glx/rensize.c
814 +++ b/glx/rensize.c
815 @@ -44,7 +44,7 @@
816 ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
817
818 int
819 -__glXMap1dReqSize(const GLbyte * pc, Bool swap)
820 +__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
821 {
822 GLenum target;
823 GLint order;
824 @@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Boo
825 }
826
827 int
828 -__glXMap1fReqSize(const GLbyte * pc, Bool swap)
829 +__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
830 {
831 GLenum target;
832 GLint order;
833 @@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int mino
834 }
835
836 int
837 -__glXMap2dReqSize(const GLbyte * pc, Bool swap)
838 +__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
839 {
840 GLenum target;
841 GLint uorder, vorder;
842 @@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Boo
843 }
844
845 int
846 -__glXMap2fReqSize(const GLbyte * pc, Bool swap)
847 +__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
848 {
849 GLenum target;
850 GLint uorder, vorder;
851 @@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm)
852 }
853
854 int
855 -__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
856 +__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
857 {
858 __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
859 __GLXdispatchDrawArraysComponentHeader *compHeader;
860 GLint numVertexes = hdr->numVertexes;
861 GLint numComponents = hdr->numComponents;
862 GLint arrayElementSize = 0;
863 + GLint x, size;
864 int i;
865
866 if (swap) {
867 @@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc
868 }
869
870 pc += sizeof(__GLXdispatchDrawArraysHeader);
871 + reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
872 +
873 + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
874 + numComponents);
875 + if (size < 0 || reqlen < 0 || reqlen < size)
876 + return -1;
877 +
878 compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
879
880 for (i = 0; i < numComponents; i++) {
881 @@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc
882 return -1;
883 }
884
885 - arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
886 + x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
887 + if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
888 + return -1;
889
890 pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
891 }
892
893 - return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
894 - (numVertexes * arrayElementSize));
895 + return safe_add(size, safe_mul(numVertexes, arrayElementSize));
896 }
897
898 int
899 -__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
900 +__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
901 {
902 __GLXdispatchConvolutionFilterHeader *hdr =
903 (__GLXdispatchConvolutionFilterHeader *) pc;
xorg-server Piment Noir Debian package repository