Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/0031-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/0031-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch935
1 files changed, 935 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0031-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/patches/source/xorg-server/patch/xorg-server/0031-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
new file mode 100644
index 00000000..e9a785f6
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/0031-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
@@ -0,0 +1,935 @@
+From 37a79fa54d3ddd1d4f6c9c0362dbe9616151ec9c Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:48 -0500
+Subject: [PATCH 31/31] glx: Pass remaining request length into ->varsize (v2)
+ [CVE-2014-8098 8/8]
+
+v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
+---
+ glx/glxcmds.c | 7 ++-
+ glx/glxserver.h | 2 +-
+ glx/indirect_reqsize.c | 154 ++++++++++++++++++++++++-------------------------
+ glx/indirect_reqsize.h | 148 +++++++++++++++++++++++------------------------
+ glx/rensize.c | 27 ++++++---
+ 5 files changed, 174 insertions(+), 164 deletions(-)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 4715328..59b1de5 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -2013,7 +2013,8 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ if (entry.varsize) {
+ /* variable size command */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+- client->swapped);
++ client->swapped,
++ left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -2090,6 +2091,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData entry;
+ int extra = 0;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ size_t cmdlen;
+ int err;
+
+@@ -2130,7 +2132,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
+ ** will be in the 1st request, so it's okay to do this.
+ */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
+- client->swapped);
++ client->swapped,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/glx/glxserver.h b/glx/glxserver.h
+index 1bc398b..9e660a5 100644
+--- a/glx/glxserver.h
++++ b/glx/glxserver.h
+@@ -163,7 +163,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
+ /*
+ * Tables for computing the size of each rendering command.
+ */
+-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
++typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
+
+ typedef struct {
+ int bytes;
+diff --git a/glx/indirect_reqsize.c b/glx/indirect_reqsize.c
+index 86ea970..ce58214 100644
+--- a/glx/indirect_reqsize.c
++++ b/glx/indirect_reqsize.c
+@@ -31,24 +31,22 @@
+ #include "indirect_size.h"
+ #include "indirect_reqsize.h"
+
+-#define __GLX_PAD(x) (((x) + 3) & ~3)
+-
+ #if defined(__CYGWIN__) || defined(__MINGW32__)
+ #undef HAVE_ALIAS
+ #endif
+ #ifdef HAVE_ALIAS
+ #define ALIAS2(from,to) \
+- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+ __attribute__ ((alias( # to )));
+ #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
+ #else
+ #define ALIAS(from,to) \
+- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+- { return __glX ## to ## ReqSize( pc, swap ); }
++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
++ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
+ #endif
+
+ int
+-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
++__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 0);
+ GLenum type = *(GLenum *) (pc + 4);
+@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glCallLists_size(type);
+- return __GLX_PAD((compsize * n));
++ return safe_pad(safe_mul(compsize, n));
+ }
+
+ int
+-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
++__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
++__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 0);
+ GLsizei compsize;
+@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glFogfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
++__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glLightfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
++__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 0);
+ GLsizei compsize;
+@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glLightModelfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
++__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glMaterialfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
++__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glTexParameterfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glTexEnvfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
++__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glTexGendv_size(pname);
+- return __GLX_PAD((compsize * 8));
++ return safe_pad(safe_mul(compsize, 8));
+ }
+
+ int
+-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glTexGenfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
++__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei mapsize = *(GLsizei *) (pc + 4);
+
+@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
+ mapsize = bswap_32(mapsize);
+ }
+
+- return __GLX_PAD((mapsize * 4));
++ return safe_pad(safe_mul(mapsize, 4));
+ }
+
+ int
+-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
++__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei mapsize = *(GLsizei *) (pc + 4);
+
+@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
+ mapsize = bswap_32(mapsize);
+ }
+
+- return __GLX_PAD((mapsize * 2));
++ return safe_pad(safe_mul(mapsize, 2));
+ }
+
+ int
+-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
++__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
++__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 0);
+
+@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 4) + (n * 4));
++ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
+ }
+
+ int
+-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
++__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glColorTableParameterfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
++__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glConvolutionParameterfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = *(GLint *) (pc + 8);
+@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = *(GLint *) (pc + 8);
+@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 20);
+
+@@ -621,11 +619,11 @@ __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 24);
+
+@@ -633,11 +631,11 @@ __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 28);
+
+@@ -645,11 +643,11 @@ __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 36);
+
+@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
++__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei len = *(GLsizei *) (pc + 8);
+
+@@ -669,11 +667,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
+ len = bswap_32(len);
+ }
+
+- return __GLX_PAD(len);
++ return safe_pad(len);
+ }
+
+ int
+-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
++__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 0);
+
+@@ -681,11 +679,11 @@ __glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 4));
++ return safe_pad(safe_mul(n, 4));
+ }
+
+ int
+-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
++__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 0);
+ GLsizei compsize;
+@@ -695,11 +693,11 @@ __glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ compsize = __glPointParameterfvEXT_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei num = *(GLsizei *) (pc + 8);
+
+@@ -707,11 +705,11 @@ __glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
+ num = bswap_32(num);
+ }
+
+- return __GLX_PAD((num * 32));
++ return safe_pad(safe_mul(num, 32));
+ }
+
+ int
+-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei num = *(GLsizei *) (pc + 8);
+
+@@ -719,11 +717,11 @@ __glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
+ num = bswap_32(num);
+ }
+
+- return __GLX_PAD((num * 16));
++ return safe_pad(safe_mul(num, 16));
+ }
+
+ int
+-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -731,11 +729,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 8));
++ return safe_pad(safe_mul(n, 8));
+ }
+
+ int
+-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -743,11 +741,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 16));
++ return safe_pad(safe_mul(n, 16));
+ }
+
+ int
+-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -755,11 +753,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 24));
++ return safe_pad(safe_mul(n, 24));
+ }
+
+ int
+-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -767,11 +765,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 12));
++ return safe_pad(safe_mul(n, 12));
+ }
+
+ int
+-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -779,11 +777,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 6));
++ return safe_pad(safe_mul(n, 6));
+ }
+
+ int
+-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -791,11 +789,11 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 32));
++ return safe_pad(safe_mul(n, 32));
+ }
+
+ int
+-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei len = *(GLsizei *) (pc + 4);
+
+@@ -803,7 +801,7 @@ __glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
+ len = bswap_32(len);
+ }
+
+- return __GLX_PAD(len);
++ return safe_pad(len);
+ }
+
+ ALIAS(Fogiv, Fogfv)
+diff --git a/glx/indirect_reqsize.h b/glx/indirect_reqsize.h
+index d2c1da7..22e1350 100644
+--- a/glx/indirect_reqsize.h
++++ b/glx/indirect_reqsize.h
+@@ -36,128 +36,128 @@
+ #define PURE
+ #endif
+
+-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
++extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+
+ #undef PURE
+
+diff --git a/glx/rensize.c b/glx/rensize.c
+index 6ee0f9c..a532467 100644
+--- a/glx/rensize.c
++++ b/glx/rensize.c
+@@ -44,7 +44,7 @@
+ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
+
+ int
+-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
++__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint order;
+@@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
++__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint order;
+@@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int minorOrder)
+ }
+
+ int
+-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
++__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder;
+@@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ int
+-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
++__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder;
+@@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm)
+ }
+
+ int
+-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
++__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
+ __GLXdispatchDrawArraysComponentHeader *compHeader;
+ GLint numVertexes = hdr->numVertexes;
+ GLint numComponents = hdr->numComponents;
+ GLint arrayElementSize = 0;
++ GLint x, size;
+ int i;
+
+ if (swap) {
+@@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
+ }
+
+ pc += sizeof(__GLXdispatchDrawArraysHeader);
++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
++
++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
++ numComponents);
++ if (size < 0 || reqlen < 0 || reqlen < size)
++ return -1;
++
+ compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
+
+ for (i = 0; i < numComponents; i++) {
+@@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
+ return -1;
+ }
+
+- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
++ return -1;
+
+ pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
+ }
+
+- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
+- (numVertexes * arrayElementSize));
++ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
+ }
+
+ int
+-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
++__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+--
+1.9.3
+
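Review bot: Of all the size functions that gain the `reqlen` argument, only `__glXDrawArraysReqSize` in glx/rensize.c ever reads it; the functions in glx/indirect_reqsize.c and the Map1/Map2 variants accept it but still dereference `pc + N` unconditionally, so their fixed-offset reads are bounded only by whatever the dispatcher verified before calling `->varsize`, and that check is not visible in this patch. The `gl_proto_size_func` typedef in glx/glxserver.h should state the contract, for example `/* reqlen: bytes left in the request after the render header; return < 0 on overflow or a short request (caller replies BadLength) */`. In `__glXDrawArraysReqSize` itself, `hdr->numVertexes` and `hdr->numComponents` are loaded in the initializers before `reqlen` is compared with anything, and `reqlen -= sizeof(...)` performs the subtraction in `size_t`; writing `reqlen -= (int) sizeof(__GLXdispatchDrawArraysHeader);` keeps it signed, so the following `reqlen < 0` test does not rely on an implementation-defined conversion. Most of these function bodies continue outside the inner hunks, so any use of the length there would have to be added by this patch, and none is.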