From 37a79fa54d3ddd1d4f6c9c0362dbe9616151ec9c Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Mon, 10 Nov 2014 12:13:48 -0500 Subject: [PATCH 31/31] glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) Reviewed-by: Julien Cristau Reviewed-by: Michal Srb Reviewed-by: Andy Ritger Signed-off-by: Adam Jackson Signed-off-by: Alan Coopersmith Signed-off-by: Fedora X Ninjas --- glx/glxcmds.c | 7 ++- glx/glxserver.h | 2 +- glx/indirect_reqsize.c | 154 ++++++++++++++++++++++++------------------------- glx/indirect_reqsize.h | 148 +++++++++++++++++++++++------------------------ glx/rensize.c | 27 ++++++--- 5 files changed, 174 insertions(+), 164 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 4715328..59b1de5 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -2013,7 +2013,8 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) if (entry.varsize) { /* variable size command */ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { return BadLength; } @@ -2090,6 +2091,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData entry; int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; size_t cmdlen; int err; @@ -2130,7 +2132,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) ** will be in the 1st request, so it's okay to do this. */ extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { return BadLength; } diff --git a/glx/glxserver.h b/glx/glxserver.h index 1bc398b..9e660a5 100644 --- a/glx/glxserver.h +++ b/glx/glxserver.h @@ -163,7 +163,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc); /* * Tables for computing the size of each rendering command. */ -typedef int (*gl_proto_size_func) (const GLbyte *, Bool); +typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int); typedef struct { int bytes; diff --git a/glx/indirect_reqsize.c b/glx/indirect_reqsize.c index 86ea970..ce58214 100644 --- a/glx/indirect_reqsize.c +++ b/glx/indirect_reqsize.c @@ -31,24 +31,22 @@ #include "indirect_size.h" #include "indirect_reqsize.h" -#define __GLX_PAD(x) (((x) + 3) & ~3) - #if defined(__CYGWIN__) || defined(__MINGW32__) #undef HAVE_ALIAS #endif #ifdef HAVE_ALIAS #define ALIAS2(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ __attribute__ ((alias( # to ))); #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) #else #define ALIAS(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ - { return __glX ## to ## ReqSize( pc, swap ); } + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + { return __glX ## to ## ReqSize( pc, swap, reqlen ); } #endif int -__glXCallListsReqSize(const GLbyte * pc, Bool swap) +__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); GLenum type = *(GLenum *) (pc + 4); @@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap) } compsize = __glCallLists_size(type); - return __GLX_PAD((compsize * n)); + return safe_pad(safe_mul(compsize, n)); } int -__glXBitmapReqSize(const GLbyte * pc, Bool swap) +__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap) } int -__glXFogfvReqSize(const GLbyte * pc, Bool swap) +__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glFogfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightfvReqSize(const GLbyte * pc, Bool swap) +__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glLightfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightModelfvReqSize(const GLbyte * pc, Bool swap) +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glLightModelfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXMaterialfvReqSize(const GLbyte * pc, Bool swap) +__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glMaterialfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) +__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) } int -__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage1DReqSize(const GLbyte * pc, Bool swap) +__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexImage2DReqSize(const GLbyte * pc, Bool swap) +__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) +__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexEnvfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexGendvReqSize(const GLbyte * pc, Bool swap) +__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexGendv_size(pname); - return __GLX_PAD((compsize * 8)); + return safe_pad(safe_mul(compsize, 8)); } int -__glXTexGenfvReqSize(const GLbyte * pc, Bool swap) +__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexGenfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) +__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *) (pc + 4); @@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 4)); + return safe_pad(safe_mul(mapsize, 4)); } int -__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) +__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *) (pc + 4); @@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 2)); + return safe_pad(safe_mul(mapsize, 2)); } int -__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) +__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) } int -__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) +__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); @@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 4) + (n * 4)); + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); } int -__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) +__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) +__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) } int -__glXColorTableReqSize(const GLbyte * pc, Bool swap) +__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap) } int -__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glColorTableParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXColorSubTableReqSize(const GLbyte * pc, Bool swap) +__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap) } int -__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) +__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) } int -__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) +__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) } int -__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glConvolutionParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage3DReqSize(const GLbyte * pc, Bool swap) +__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = *(GLint *) (pc + 8); @@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) +__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = *(GLint *) (pc + 8); @@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) } int -__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 20); @@ -621,11 +619,11 @@ __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 24); @@ -633,11 +631,11 @@ __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 28); @@ -645,11 +643,11 @@ __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 36); @@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) +__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *) (pc + 8); @@ -669,11 +667,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } int -__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap) +__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); @@ -681,11 +679,11 @@ __glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 4)); + return safe_pad(safe_mul(n, 4)); } int -__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap) +__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -695,11 +693,11 @@ __glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap) } compsize = __glPointParameterfvEXT_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap) +__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei num = *(GLsizei *) (pc + 8); @@ -707,11 +705,11 @@ __glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap) num = bswap_32(num); } - return __GLX_PAD((num * 32)); + return safe_pad(safe_mul(num, 32)); } int -__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap) +__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei num = *(GLsizei *) (pc + 8); @@ -719,11 +717,11 @@ __glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap) num = bswap_32(num); } - return __GLX_PAD((num * 16)); + return safe_pad(safe_mul(num, 16)); } int -__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -731,11 +729,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 8)); + return safe_pad(safe_mul(n, 8)); } int -__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -743,11 +741,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 16)); + return safe_pad(safe_mul(n, 16)); } int -__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -755,11 +753,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 24)); + return safe_pad(safe_mul(n, 24)); } int -__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -767,11 +765,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 12)); + return safe_pad(safe_mul(n, 12)); } int -__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -779,11 +777,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 6)); + return safe_pad(safe_mul(n, 6)); } int -__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -791,11 +789,11 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 32)); + return safe_pad(safe_mul(n, 32)); } int -__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap) +__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *) (pc + 4); @@ -803,7 +801,7 @@ __glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap) len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } ALIAS(Fogiv, Fogfv) diff --git a/glx/indirect_reqsize.h b/glx/indirect_reqsize.h index d2c1da7..22e1350 100644 --- a/glx/indirect_reqsize.h +++ b/glx/indirect_reqsize.h @@ -36,128 +36,128 @@ #define PURE #endif -extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap); +extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte * - pc, Bool swap); + pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte * - pc, Bool swap); + pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte * - pc, Bool swap); + pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte * - pc, Bool swap); + pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte * - pc, Bool swap); + pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte * - pc, Bool swap); + pc, Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); #undef PURE diff --git a/glx/rensize.c b/glx/rensize.c index 6ee0f9c..a532467 100644 --- a/glx/rensize.c +++ b/glx/rensize.c @@ -44,7 +44,7 @@ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) int -__glXMap1dReqSize(const GLbyte * pc, Bool swap) +__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint order; @@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap) } int -__glXMap1fReqSize(const GLbyte * pc, Bool swap) +__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint order; @@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int minorOrder) } int -__glXMap2dReqSize(const GLbyte * pc, Bool swap) +__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap) } int -__glXMap2fReqSize(const GLbyte * pc, Bool swap) +__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm) } int -__glXDrawArraysReqSize(const GLbyte * pc, Bool swap) +__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { @@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap) } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i = 0; i < numComponents; i++) { @@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap) return -1; } - arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); + x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); + if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) + return -1; pc += sizeof(__GLXdispatchDrawArraysComponentHeader); } - return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + - (numVertexes * arrayElementSize)); + return safe_add(size, safe_mul(numVertexes, arrayElementSize)); } int -__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) +__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; -- 1.9.3