Merge remote branch 'jcristau/for-keith'

author: Keith Packard <keithp@keithp.com> 2011-02-18 14:29:32 -0800
committer: Keith Packard <keithp@keithp.com> 2011-02-18 14:29:32 -0800
commit: 2c77aeb39f59f1a94cc603a2e6256a62ce785c36 (patch)
tree: 3d0b3ace38e604fccebdf066a0d7a02eeeadf7ec
parent: 816d67de2ba9bdfe652da32cb6447a3056342b98 (diff)
parent: 402b329c3aa8ddbebaa1f593306a02d4cd6fed26 (diff)
2 files changed, 38 insertions, 13 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 3ef567d10..9b4bc9ec3 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1132,7 +1132,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
-    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+    /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
@@ -1356,7 +1357,9 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+    /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+     * length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
 
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
@@ -1436,7 +1439,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
 
     return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
 			   req->width, req->height, req->pbuffer);
@@ -1498,7 +1501,13 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 	client->errorValue = req->numAttribs;
 	return BadValue;
     }
+#if 0
+    /* mesa sends an additional 8 bytes */
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	    return BadLength;
+#endif
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
@@ -1563,7 +1572,8 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+    /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
 
     return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
 }
@@ -1697,13 +1707,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     GLXDrawable		 drawId;
     int			 buffer;
     int			 error;
+    CARD32		 num_attribs;
 
-    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
     buffer = *((INT32 *)  (pc + 4));
+    num_attribs = *((CARD32 *) (pc + 8));
+    if (num_attribs > (UINT32_MAX >> 3)) {
+	client->errorValue = num_attribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
 
     if (buffer != GLX_FRONT_LEFT_EXT)
 	return __glXError(GLXBadPixmap);
@@ -1864,7 +1882,8 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
 
-    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+    /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
 
     return DoGetDrawableAttributes(cl, req->drawable);
 }
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 3bb4cade9..76e6fb629 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -279,7 +279,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
 
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -368,7 +368,7 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
 
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
@@ -421,7 +421,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+    REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
 
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -476,7 +476,9 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 	client->errorValue = req->numAttribs;
 	return BadValue;
     }
-    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	return BadLength;
+
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
@@ -542,7 +544,7 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
 
     __GLX_SWAP_INT(&req->glxwindow);
 
@@ -648,19 +650,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
+    CARD32		 *num_attribs;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = ((GLXDrawable *) (pc));
     buffer = ((int *)	      (pc + 4));
+    num_attribs = ((CARD32 *) (pc + 8));
     
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(drawId);
     __GLX_SWAP_INT(buffer);
+    __GLX_SWAP_INT(num_attribs);
 
     return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
 }
@@ -738,7 +744,7 @@ int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
-    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
 
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
author	Keith Packard <keithp@keithp.com>	2011-02-18 14:29:32 -0800
committer	Keith Packard <keithp@keithp.com>	2011-02-18 14:29:32 -0800
commit	2c77aeb39f59f1a94cc603a2e6256a62ce785c36 (patch)
tree	3d0b3ace38e604fccebdf066a0d7a02eeeadf7ec
parent	816d67de2ba9bdfe652da32cb6447a3056342b98 (diff)
parent	402b329c3aa8ddbebaa1f593306a02d4cd6fed26 (diff)