authorJulien Cristau <jcristau@debian.org>2011-01-26 13:06:53 +0100
committerJulien Cristau <jcristau@debian.org>2011-10-21 20:37:51 +0200
commitc821bd84e594e86d5dd766f680064e88a29a10d1 (patch)
treea09a275b42f6501bab8a9ebda1b7d9f970d35fdd
parent5b76d710d3cebbfb8a5f02eaa7920f73deadff21 (diff)
glx: fix BindTexImageEXT length check
The request is followed by a list of attributes. X.Org bug#33449 Reported-and-tested-by: meng <mengmeng.meng@intel.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334)
-rw-r--r--glx/glxcmds.c10
-rw-r--r--glx/glxcmdsswap.c6
2 files changed, 14 insertions, 2 deletions
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index ff1249fbf..f42cce8c5 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1674,13 +1674,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
GLXDrawable drawId;
int buffer;
int error;
+ CARD32 num_attribs;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
buffer = *((INT32 *) (pc + 4));
+ num_attribs = *((CARD32 *) (pc + 8));
+ if (num_attribs > (UINT32_MAX >> 3)) {
+ client->errorValue = num_attribs;
+ return BadValue;
+ }
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
if (buffer != GLX_FRONT_LEFT_EXT)
return __glXError(GLXBadPixmap);
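Review bot: The guard `num_attribs > (UINT32_MAX >> 3)` still admits one value, `UINT32_MAX >> 3` itself, for which `12 + (num_attribs << 3)` wraps to 4 (assuming CARD32 is 32 bits wide) before it is handed to REQUEST_FIXED_SIZE. That wrapped size looks like it would still be rejected, because the earlier check already requires room for the 12 fixed bytes, but that depends on the macro's definition, which is not visible in this hunk. Tightening the guard to `if (num_attribs > ((UINT32_MAX - 12) >> 3)) {` keeps the sum passed to the macro from wrapping at all. A short comment on what the 12 and the `<< 3` stand for would also help: the three 4-byte fields read at `pc`, `pc + 4` and `pc + 8`, and presumably 8 bytes per attribute. The function body starts and ends outside the hunk.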
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 1155b2362..c20024407 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -649,19 +649,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
+ CARD32 *num_attribs;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc));
buffer = ((int *) (pc + 4));
+ num_attribs = ((CARD32 *) (pc + 8));
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(drawId);
__GLX_SWAP_INT(buffer);
+ __GLX_SWAP_INT(num_attribs);
return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
}
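Review bot: The attribute list that follows `num_attribs` is forwarded to `__glXDisp_BindTexImageEXT` in the client's byte order, because only the count is swapped by the added `__GLX_SWAP_INT(num_attribs);`. If that is intentional because the native handler only checks the list's length and never reads the pairs, a comment before the final call would record it, for example `/* attribute pairs are left unswapped; the handler only validates their length */`. Whether the handler reads them cannot be confirmed from here, since its body continues past the other hunk. If it does read them, the pairs need swapping here, and only after the count has been bounded against `client->req_len`. The opening of this function, including the declaration of `client`, is outside the hunk.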