fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-06-06 22:18:24 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

glx: reject negative size in FeedbackBuffer and SelectBuffer requests

Browse source 
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit 54860e6c7f)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2225>
This commit is contained in:
Peter Hutterer 2026-04-17 12:02:13 +10:00 committed by Alan Coopersmith
parent d4e3dfe3e9
commit c8bdb55426
2 changed files with 16 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
glx/single2.c
View file

@ -61,6 +61,10 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
pc += __GLX_SINGLE_HDR_SIZE;
size = *(GLsizei *) (pc + 0);
type = *(GLenum *) (pc + 4);
if (size < 0) {
cl->client->errorValue = size;
return BadValue;
}
if (cx->feedbackBufSize < size) {
cx->feedbackBuf = reallocarray(cx->feedbackBuf,
(size_t) size, __GLX_SIZE_FLOAT32);
@ -91,6 +95,10 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
pc += __GLX_SINGLE_HDR_SIZE;
size = *(GLsizei *) (pc + 0);
if (size < 0) {
cl->client->errorValue = size;
return BadValue;
}
if (cx->selectBufSize < size) {
cx->selectBuf = reallocarray(cx->selectBuf,
(size_t) size, __GLX_SIZE_CARD32);

8
glx/single2swap.c
View file

@ -62,6 +62,10 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLX_SWAP_INT(pc + 4);
size = *(GLsizei *) (pc + 0);
type = *(GLenum *) (pc + 4);
if (size < 0) {
cl->client->errorValue = size;
return BadValue;
}
if (cx->feedbackBufSize < size) {
cx->feedbackBuf = reallocarray(cx->feedbackBuf,
(size_t) size, __GLX_SIZE_FLOAT32);
@ -96,6 +100,10 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
pc += __GLX_SINGLE_HDR_SIZE;
__GLX_SWAP_INT(pc + 0);
size = *(GLsizei *) (pc + 0);
if (size < 0) {
cl->client->errorValue = size;
return BadValue;
}
if (cx->selectBufSize < size) {
cx->selectBuf = reallocarray(cx->selectBuf,
(size_t) size, __GLX_SIZE_CARD32);