glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]

v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)

Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit be09e0c988)
Signed-off-by: Julien Cristau <jcristau@debian.org>

glx/glxcmds.c

@@ -2023,7 +2023,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
     left = (req->length << 2) - sz_xGLXRenderReq;
     while (left > 0) {
         __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
         __GLXdispatchRenderProcPtr proc;
         int err;
 
@@ -2042,6 +2042,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
         cmdlen = hdr->length;
         opcode = hdr->opcode;
 
+        if (left < cmdlen)
+            return BadLength;
+
         /*
          ** Check for core opcodes and grab entry data.
          */
@@ -2055,6 +2058,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
             return __glXError(GLXBadRenderRequest);
         }
 
+        if (cmdlen < entry.bytes) {
+            return BadLength;
+        }
+
         if (entry.varsize) {
             /* variable size command */
             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2062,17 +2069,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
             if (extra < 0) {
                 return BadLength;
             }
-            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-                return BadLength;
-            }
         }
-        else {
-            /* constant size command */
-            if (cmdlen != __GLX_PAD(entry.bytes)) {
-                return BadLength;
-            }
-        }
-        if (left < cmdlen) {
+
+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
             return BadLength;
         }