glx: validate numAttribs field before using it

Reviewed-by: Kristian Høgsberg <krh@bitplanet.net> Reviewed-by: Daniel Stone <daniel@fooishbar.org> Signed-off-by: Julien Cristau <jcristau@debian.org>
author: Julien Cristau <jcristau@debian.org> 2010-11-10 22:39:54 +0100
committer: Julien Cristau <jcristau@debian.org> 2011-01-10 15:36:09 +0100
commit: d9225b9602c85603ae616a7381c784f5cf5e811c (patch)
tree: d6c09a1d547d1a4a778d42fe46938fbdc4425e4c
parent: 62319e8381ebd645ae36b25e5fc3c0e9b098387b (diff)
2 files changed, 45 insertions, 0 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 566dbbe57..3ef567d10 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1283,6 +1283,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
 
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1396,6 +1401,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
     CARD32			*attrs;
     int				 width, height, i;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
 
     attrs = (CARD32 *) (req + 1);
@@ -1483,6 +1493,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1495,6 +1510,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1510,6 +1530,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     DrawablePtr		 pDraw;
     int			 err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
 
     LEGAL_NEW_RESOURCE(req->glxwindow, client);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 87bf75b79..3bb4cade9 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -319,6 +319,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->glxpixmap);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -400,6 +404,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->pbuffer);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -464,6 +472,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -486,6 +498,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -509,6 +525,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->glxwindow);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
author	Julien Cristau <jcristau@debian.org>	2010-11-10 22:39:54 +0100
committer	Julien Cristau <jcristau@debian.org>	2011-01-10 15:36:09 +0100
commit	d9225b9602c85603ae616a7381c784f5cf5e811c (patch)
tree	d6c09a1d547d1a4a778d42fe46938fbdc4425e4c
parent	62319e8381ebd645ae36b25e5fc3c0e9b098387b (diff)