diff options
author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:48 -0500 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-08 18:09:50 -0800 |
commit | e883c170c15493ab3637c0a01890f5a7ca4e16a5 (patch) | |
tree | e649e5ca6cdabe91783a3e9ad1e05a2d0af8629b /glx | |
parent | 984583a497c813df5827ae22483133e704fee79c (diff) |
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'glx')
-rw-r--r-- | glx/glxcmds.c | 7 | ||||
-rw-r--r-- | glx/glxserver.h | 2 | ||||
-rw-r--r-- | glx/indirect_reqsize.c | 142 | ||||
-rw-r--r-- | glx/indirect_reqsize.h | 181 | ||||
-rw-r--r-- | glx/rensize.c | 27 |
5 files changed, 205 insertions, 154 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c index a7a517293..bd6cb8dc0 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -2067,7 +2067,8 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) if (entry.varsize) { /* variable size command */ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { return BadLength; } @@ -2144,6 +2145,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData entry; int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; size_t cmdlen; int err; @@ -2184,7 +2186,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) ** will be in the 1st request, so it's okay to do this. */ extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { return BadLength; } diff --git a/glx/glxserver.h b/glx/glxserver.h index 948260149..9088ec478 100644 --- a/glx/glxserver.h +++ b/glx/glxserver.h @@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc); /* * Tables for computing the size of each rendering command. */ -typedef int (*gl_proto_size_func) (const GLbyte *, Bool); +typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int); typedef struct { int bytes; diff --git a/glx/indirect_reqsize.c b/glx/indirect_reqsize.c index abd076604..020aae2fe 100644 --- a/glx/indirect_reqsize.c +++ b/glx/indirect_reqsize.c @@ -31,24 +31,22 @@ #include "indirect_size.h" #include "indirect_reqsize.h" -#define __GLX_PAD(x) (((x) + 3) & ~3) - #if defined(__CYGWIN__) || defined(__MINGW32__) #undef HAVE_ALIAS #endif #ifdef HAVE_ALIAS #define ALIAS2(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ __attribute__ ((alias( # to ))); #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) #else #define ALIAS(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ - { return __glX ## to ## ReqSize( pc, swap ); } + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + { return __glX ## to ## ReqSize( pc, swap, reqlen ); } #endif int -__glXCallListsReqSize(const GLbyte * pc, Bool swap) +__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); GLenum type = *(GLenum *) (pc + 4); @@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap) } compsize = __glCallLists_size(type); - return __GLX_PAD((compsize * n)); + return safe_pad(safe_mul(compsize, n)); } int -__glXBitmapReqSize(const GLbyte * pc, Bool swap) +__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap) } int -__glXFogfvReqSize(const GLbyte * pc, Bool swap) +__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glFogfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightfvReqSize(const GLbyte * pc, Bool swap) +__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glLightfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightModelfvReqSize(const GLbyte * pc, Bool swap) +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glLightModelfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXMaterialfvReqSize(const GLbyte * pc, Bool swap) +__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glMaterialfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) +__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) } int -__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage1DReqSize(const GLbyte * pc, Bool swap) +__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexImage2DReqSize(const GLbyte * pc, Bool swap) +__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) +__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexEnvfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexGendvReqSize(const GLbyte * pc, Bool swap) +__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexGendv_size(pname); - return __GLX_PAD((compsize * 8)); + return safe_pad(safe_mul(compsize, 8)); } int -__glXTexGenfvReqSize(const GLbyte * pc, Bool swap) +__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glTexGenfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) +__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *) (pc + 4); @@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 4)); + return safe_pad(safe_mul(mapsize, 4)); } int -__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) +__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *) (pc + 4); @@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 2)); + return safe_pad(safe_mul(mapsize, 2)); } int -__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) +__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) } int -__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) +__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); @@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 4) + (n * 4)); + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); } int -__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) +__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) +__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) } int -__glXColorTableReqSize(const GLbyte * pc, Bool swap) +__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap) } int -__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glColorTableParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXColorSubTableReqSize(const GLbyte * pc, Bool swap) +__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap) } int -__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) +__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) } int -__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) +__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) } int -__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glConvolutionParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage3DReqSize(const GLbyte * pc, Bool swap) +__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = *(GLint *) (pc + 8); @@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap) } int -__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) +__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = *(GLint *) (pc + 8); @@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) } int -__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 20); @@ -621,11 +619,11 @@ __glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 24); @@ -633,11 +631,11 @@ __glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 28); @@ -645,11 +643,11 @@ __glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap) +__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 36); @@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap) imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap) +__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -671,11 +669,11 @@ __glXPointParameterfvReqSize(const GLbyte * pc, Bool swap) } compsize = __glPointParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap) +__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); @@ -683,11 +681,11 @@ __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 4)); + return safe_pad(safe_mul(n, 4)); } int -__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) +__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *) (pc + 8); @@ -695,11 +693,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } int -__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -707,11 +705,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 8)); + return safe_pad(safe_mul(n, 8)); } int -__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -719,11 +717,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 16)); + return safe_pad(safe_mul(n, 16)); } int -__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -731,11 +729,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 24)); + return safe_pad(safe_mul(n, 24)); } int -__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -743,11 +741,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 12)); + return safe_pad(safe_mul(n, 12)); } int -__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -755,11 +753,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 6)); + return safe_pad(safe_mul(n, 6)); } int -__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) +__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -767,7 +765,7 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) n = bswap_32(n); } - return __GLX_PAD((n * 32)); + return safe_pad(safe_mul(n, 32)); } ALIAS(Fogiv, Fogfv) diff --git a/glx/indirect_reqsize.h b/glx/indirect_reqsize.h index 49d400c45..632a85b1c 100644 --- a/glx/indirect_reqsize.h +++ b/glx/indirect_reqsize.h @@ -36,115 +36,156 @@ #define PURE #endif -extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap); +extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, + int reqlen); +extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc, - Bool swap); -extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap); + Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, int reqlen); extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc, - Bool swap); + Bool swap, + int reqlen); #undef PURE diff --git a/glx/rensize.c b/glx/rensize.c index d46334a71..6bfe99b2a 100644 --- a/glx/rensize.c +++ b/glx/rensize.c @@ -44,7 +44,7 @@ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) int -__glXMap1dReqSize(const GLbyte * pc, Bool swap) +__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint order; @@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap) } int -__glXMap1fReqSize(const GLbyte * pc, Bool swap) +__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint order; @@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int minorOrder) } int -__glXMap2dReqSize(const GLbyte * pc, Bool swap) +__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap) } int -__glXMap2fReqSize(const GLbyte * pc, Bool swap) +__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; GLint uorder, vorder; @@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm) } int -__glXDrawArraysReqSize(const GLbyte * pc, Bool swap) +__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { @@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap) } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i = 0; i < numComponents; i++) { @@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap) return -1; } - arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); + x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); + if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) + return -1; pc += sizeof(__GLXdispatchDrawArraysComponentHeader); } - return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + - (numVertexes * arrayElementSize)); + return safe_add(size, safe_mul(numVertexes, arrayElementSize)); } int -__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) +__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; |