diff options
| author | Julien Cristau <jcristau@debian.org> | 2010-11-10 22:39:54 +0100 |
|---|---|---|
| committer | Julien Cristau <jcristau@debian.org> | 2011-01-10 15:36:09 +0100 |
| commit | d9225b9602c85603ae616a7381c784f5cf5e811c (patch) | |
| tree | d6c09a1d547d1a4a778d42fe46938fbdc4425e4c /glx/glxcmdsswap.c | |
| parent | 62319e8381ebd645ae36b25e5fc3c0e9b098387b (diff) | |
glx: validate numAttribs field before using it
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Diffstat (limited to 'glx/glxcmdsswap.c')
| -rw-r--r-- | glx/glxcmdsswap.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 87bf75b79..3bb4cade9 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -319,6 +319,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->glxpixmap); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -400,6 +404,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->pbuffer); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -464,6 +472,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -486,6 +498,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -509,6 +525,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->glxwindow); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); |