glx: fix BindTexImageEXT length check

The request is followed by a list of attributes. X.Org bug#33449 Reported-and-tested-by: meng <mengmeng.meng@intel.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Adam Jackson <ajax@redhat.com>
author: Julien Cristau <jcristau@debian.org> 2011-01-26 13:06:53 +0100
committer: Julien Cristau <jcristau@debian.org> 2011-02-15 12:19:59 +0100
commit: 1137c11be0f82049d28024eaf963c6f76e0d4334 (patch)
tree: 11739d9550cc818c20ac384084588893a30cde1c /glx/glxcmds.c
parent: a883cf1545abd89bb2cadfa659718884b56fd234 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0b375c382..5d633dfc5 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     GLXDrawable		 drawId;
     int			 buffer;
     int			 error;
+    CARD32		 num_attribs;
 
-    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
     buffer = *((INT32 *)  (pc + 4));
+    num_attribs = *((CARD32 *) (pc + 8));
+    if (num_attribs > (UINT32_MAX >> 3)) {
+	client->errorValue = num_attribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
 
     if (buffer != GLX_FRONT_LEFT_EXT)
 	return __glXError(GLXBadPixmap);
author	Julien Cristau <jcristau@debian.org>	2011-01-26 13:06:53 +0100
committer	Julien Cristau <jcristau@debian.org>	2011-02-15 12:19:59 +0100
commit	1137c11be0f82049d28024eaf963c6f76e0d4334 (patch)
tree	11739d9550cc818c20ac384084588893a30cde1c /glx/glxcmds.c
parent	a883cf1545abd89bb2cadfa659718884b56fd234 (diff)