authorJulien Cristau <jcristau@debian.org>2010-07-03 19:47:55 +0100
committerJulien Cristau <jcristau@debian.org>2011-01-10 15:31:30 +0100
commitec9c97c6bf70b523bc500bd3adf62176f1bb33a4 (patch)
treef4ac424a5ca15ee0ed084ef1d83dcbd2cf22924e
parent3f0d3f4d97bce75c1828635c322b6560a45a037f (diff)
glx: validate request lengths
Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Kristian Høgsberg <krh@bitplanet.net> Reviewed-by: Daniel Stone <daniel@fooishbar.org> Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r--glx/glxcmds.c142
-rw-r--r--glx/xfont.c2
2 files changed, 135 insertions, 9 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 419cc4626..566dbbe57 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -316,2 +316,3 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
@@ -321,2 +322,4 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
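Review bot: The new `ClientPtr client` local exists only because REQUEST_SIZE_MATCH reads `client->req_len` by name, yet the very next line keeps passing `cl->client`, so the handler now has two spellings of the same pointer. Either use the local consistently, `if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))`, or add a one-line comment at the declaration, `/* REQUEST_SIZE_MATCH expects a ClientPtr named client in scope */`, so a later reader does not remove it as unused. The same pattern appears in every other hunk of this file that introduces `ClientPtr client`. The enclosing function continues outside the hunk.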
@@ -332,2 +335,3 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
@@ -337,2 +341,4 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -348,2 +354,3 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextWithConfigSGIXReq *req =
@@ -354,2 +361,4 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -364,2 +373,3 @@ int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
@@ -368,2 +378,4 @@ int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
if (!validGlxContext(cl->client, req->context, DixDestroyAccess,
@@ -687,4 +699,7 @@ int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
return DoMakeCurrent( cl, req->drawable, req->drawable,
@@ -695,4 +710,7 @@ int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
return DoMakeCurrent( cl, req->drawable, req->readdrawable,
@@ -703,4 +721,7 @@ int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
return DoMakeCurrent( cl, req->drawable, req->readable,
@@ -717,2 +738,4 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err))
@@ -741,2 +764,4 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
major = req->majorVersion;
@@ -767,4 +792,5 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc;
- GLXContextTag tag = req->contextTag;
+ GLXContextTag tag;
__GLXcontext *glxc = NULL;
@@ -772,2 +798,5 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
+ tag = req->contextTag;
if (tag) {
@@ -791,4 +820,5 @@ int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitXReq *req = (xGLXWaitXReq *)pc;
- GLXContextTag tag = req->contextTag;
+ GLXContextTag tag;
__GLXcontext *glxc = NULL;
@@ -796,2 +826,5 @@ int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
+ tag = req->contextTag;
if (tag) {
@@ -815,6 +848,6 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc)
xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
- GLXContextID source = req->source;
- GLXContextID dest = req->dest;
- GLXContextTag tag = req->contextTag;
- unsigned long mask = req->mask;
+ GLXContextID source;
+ GLXContextID dest;
+ GLXContextTag tag;
+ unsigned long mask;
__GLXcontext *src, *dst;
@@ -822,2 +855,8 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
+ source = req->source;
+ dest = req->dest;
+ tag = req->contextTag;
+ mask = req->mask;
if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error))
@@ -904,2 +943,4 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1083,3 +1124,5 @@ int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
return DoGetFBConfigs(cl, req->screen);
@@ -1089,3 +1132,5 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
@@ -1215,2 +1260,3 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
@@ -1220,2 +1266,4 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1231,2 +1279,3 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
@@ -1236,2 +1285,4 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
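Review bot: `req->numAttribs << 3` is evaluated in 32-bit unsigned arithmetic (numAttribs is a CARD32 in the wire struct), so a value of 2^29 or more wraps to a small byte count and REQUEST_FIXED_SIZE can accept a request whose attribute array is far shorter than numAttribs claims; any later loop over numAttribs (the CreatePbuffer handler sets `attrs = (CARD32 *) (req + 1)` for that purpose) would then read past the request buffer. A guard before the size check closes this, `if (req->numAttribs > (UINT32_MAX >> 3)) return BadLength;`, or compute the expected length in size_t. The same expression is used at the CreatePbuffer, ChangeDrawableAttributes, ChangeDrawableAttributesSGIX and CreateWindow hunks and needs the same guard. The enclosing function continues outside the hunk.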
@@ -1254,2 +1305,3 @@ int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapWithConfigSGIXReq *req =
@@ -1260,2 +1312,4 @@ int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1286,4 +1340,7 @@ int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
@@ -1293,4 +1350,7 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
@@ -1333,2 +1393,3 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc;
@@ -1337,2 +1398,4 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
+
attrs = (CARD32 *) (req + 1);
@@ -1362,4 +1425,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+
return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
@@ -1370,4 +1436,7 @@ int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
@@ -1377,4 +1446,7 @@ int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
@@ -1409,2 +1481,3 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXChangeDrawableAttributesReq *req =
@@ -1412,2 +1485,4 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+
return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1418,2 +1493,3 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXChangeDrawableAttributesSGIXReq *req =
@@ -1421,2 +1497,4 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
+
return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1434,2 +1512,4 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
+
LEGAL_NEW_RESOURCE(req->glxwindow, client);
@@ -1457,4 +1537,7 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
@@ -1474,4 +1557,4 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
- GLXContextTag tag = req->contextTag;
- XID drawId = req->drawable;
+ GLXContextTag tag;
+ XID drawId;
__GLXcontext *glxc = NULL;
@@ -1480,2 +1563,6 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
+ tag = req->contextTag;
+ drawId = req->drawable;
if (tag) {
@@ -1560,4 +1647,7 @@ int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
return DoQueryContext(cl, req->context);
@@ -1567,4 +1657,7 @@ int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;
+ REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
return DoQueryContext(cl, req->context);
@@ -1582,2 +1675,4 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
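Review bot: The literal `8` passed to REQUEST_FIXED_SIZE is a magic number: it is the size of the vendor-private payload this handler reads after the header (presumably two CARD32 fields, but that is only visible outside the hunk), and nothing ties the constant to those reads. A trailing comment would make the coupling explicit, `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); /* payload: the two CARD32 fields unpacked below */`, or better a named constant next to the field offsets. The ReleaseTexImageEXT hunk uses the same `8` and the CopySubBufferMESA hunk uses `20` with the same problem. The enclosing function continues outside the hunk.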
@@ -1616,2 +1711,4 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
@@ -1651,2 +1748,4 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
@@ -1739,4 +1838,7 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+
return DoGetDrawableAttributes(cl, req->drawable);
@@ -1746,2 +1848,3 @@ int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetDrawableAttributesSGIXReq *req =
@@ -1749,2 +1852,4 @@ int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
return DoGetDrawableAttributes(cl, req->drawable);
@@ -1773,2 +1878,4 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_AT_LEAST_SIZE(xGLXRenderReq);
+
req = (xGLXRenderReq *) pc;
@@ -1793,2 +1900,5 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
+ if (left < sizeof(__GLXrenderHeader))
+ return BadLength;
+
/*
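Review bot: `left < sizeof(__GLXrenderHeader)` compares `left` with a size_t; `left` is declared outside this hunk, and if it is a signed int (as the remaining byte counters in this dispatcher usually are) the comparison promotes it to unsigned, so a negative `left` would read as a huge value and slip past the new BadLength check instead of being rejected. The REQUEST_AT_LEAST_SIZE added earlier in the function keeps the initial value non-negative, but whether it stays so after each `left -= cmdlen` depends on checks not visible here. Making the intent explicit avoids the question, `if (left < (int) sizeof(__GLXrenderHeader)) return BadLength;`, or declare `left` unsigned. The enclosing function starts and ends outside the hunk.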
@@ -2071,2 +2181,3 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
@@ -2075,2 +2186,3 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
@@ -2090,2 +2202,3 @@ int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
@@ -2094,2 +2207,3 @@ int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
@@ -2116,2 +2230,4 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
@@ -2155,2 +2271,4 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
@@ -2202,2 +2320,3 @@ int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc;
@@ -2205,2 +2324,8 @@ int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
+ buf = (const char *)(req+1);
+ if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq)))
+ return BadLength;
+
cl->GLClientmajorVersion = req->major;
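Review bot: The memchr() call is the check that makes the later `strdup(buf)` safe, but nothing says so, and the `client->req_len << 2` expression depends on req_len being counted in 4-byte units; both deserve a comment before the call, e.g. `/* req_len is in 32-bit words; the extension string after the header must be NUL-terminated inside the request, since strdup() below walks it */`. The subtraction cannot go negative because REQUEST_AT_LEAST_SIZE two lines above guarantees `req_len << 2 >= sizeof(xGLXClientInfoReq)`, and the zero-length case correctly yields NULL from memchr() and hence BadLength; worth stating as well so the ordering is not broken later. The enclosing function continues outside the hunk.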
@@ -2208,3 +2333,2 @@ int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
free(cl->GLClientextensions);
- buf = (const char *)(req+1);
cl->GLClientextensions = strdup(buf);
diff --git a/glx/xfont.c b/glx/xfont.c
index 99437842e..84a301f9b 100644
--- a/glx/xfont.c
+++ b/glx/xfont.c
@@ -156,2 +156,4 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc)
+ REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
req = (xGLXUseXFontReq *) pc;