author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:47 -0500 |
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-08 18:09:50 -0800 |
commit | 984583a497c813df5827ae22483133e704fee79c (patch) | |
tree | d177a7ba5050fa32c6523a6e6c11ad6f6e61a59f /glx/single2swap.c | |
parent | 44ba149f28ece93c2fbfc9cc980588de5322dd4b (diff) |
glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'glx/single2swap.c')
-rw-r--r-- | glx/single2swap.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/glx/single2swap.c b/glx/single2swap.c
index 764501f59..53490694b 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -41,6 +41,7 @@ int
 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 GLsizei size;
 GLenum type;
@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 __GLXcontext *cx;
 int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 if (!cx) {
@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 __GLXcontext *cx;
 GLsizei size;
 __GLX_DECLARE_SWAP_VARIABLES;
 int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 if (!cx) {
@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
- ClientPtr client;
+ ClientPtr client = cl->client;
 __GLXcontext *cx;
 xGLXRenderModeReply reply;
 GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
 int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 if (!cx) {
@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 ** selection array, as per the API for glRenderMode itself.
 */
 noChangeAllowed:;
- client = cl->client;
 reply = (xGLXRenderModeReply) {
 .type = X_Reply,
 .sequenceNumber = client->sequence,
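Review bot: The payload lengths handed to REQUEST_FIXED_SIZE — 8 in __glXDispSwap_FeedbackBuffer, 4 in __glXDispSwap_SelectBuffer and __glXDispSwap_RenderMode — are bare literals, and the reads they bound happen after __glXForceCurrent, outside these hunks, so nothing in the code ties the constant to the fields it protects. A one-line comment per check would keep the bound auditable, e.g. `REQUEST_FIXED_SIZE(xGLXSingleReq, 8); /* payload: GLsizei size, GLenum type */` in FeedbackBuffer and `REQUEST_FIXED_SIZE(xGLXSingleReq, 4); /* payload: GLsizei size */` in SelectBuffer; the RenderMode payload is not visible here, so its comment should name whatever 4-byte field that function reads. The hoisted `ClientPtr client = cl->client;` appears to exist only because the REQUEST_* macros reference a local named `client`; saying so in a comment would stop it being treated as dead in Flush, where nothing else in the hunk uses it. The unswapped counterpart of this dispatch file presumably receives the same bounds elsewhere in the series, and the two should be kept in lockstep. Each of these functions continues past its hunk.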
@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 __GLXcontext *cx;
 int error;
 __GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 if (!cx) {
@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 __GLXcontext *cx;
- ClientPtr client;
 int error;
 __GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 if (!cx) {
@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
 cx->hasUnflushedCommands = GL_FALSE;
 /* Send empty reply packet to indicate finish is finished */
- client = cl->client;
 __GLX_BEGIN_REPLY(0);
 __GLX_PUT_RETVAL(0);
 __GLX_SWAP_REPLY_HEADER();