From c8bdb554268c152b8bcea71800c8cf189dc31409 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Fri, 17 Apr 2026 12:02:13 +1000
Subject: [PATCH] glx: reject negative size in FeedbackBuffer and SelectBuffer requests
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit 54860e6c7f513739adf225a7998004f230db81a0)
Part-of:
---
 glx/single2.c | 8 ++++++++
 glx/single2swap.c | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/glx/single2.c b/glx/single2.c
index 36a01f0cb..948d00f1d 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -61,6 +61,10 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
     pc += __GLX_SINGLE_HDR_SIZE;
     size = *(GLsizei *) (pc + 0);
     type = *(GLenum *) (pc + 4);
+    if (size < 0) {
+        cl->client->errorValue = size;
+        return BadValue;
+    }
     if (cx->feedbackBufSize < size) {
         cx->feedbackBuf = reallocarray(cx->feedbackBuf, (size_t) size,
                                        __GLX_SIZE_FLOAT32);
@@ -91,6 +95,10 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
     pc += __GLX_SINGLE_HDR_SIZE;
     size = *(GLsizei *) (pc + 0);
+    if (size < 0) {
+        cl->client->errorValue = size;
+        return BadValue;
+    }
     if (cx->selectBufSize < size) {
         cx->selectBuf = reallocarray(cx->selectBuf, (size_t) size,
                                      __GLX_SIZE_CARD32);
diff --git a/glx/single2swap.c b/glx/single2swap.c
index b140946ba..fdc093900 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -62,6 +62,10 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
     __GLX_SWAP_INT(pc + 4);
     size = *(GLsizei *) (pc + 0);
     type = *(GLenum *) (pc + 4);
+    if (size < 0) {
+        cl->client->errorValue = size;
+        return BadValue;
+    }
     if (cx->feedbackBufSize < size) {
         cx->feedbackBuf = reallocarray(cx->feedbackBuf, (size_t) size,
                                        __GLX_SIZE_FLOAT32);
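Review bot: The line directly after the new guard still does `cx->feedbackBuf = reallocarray(cx->feedbackBuf, …)`, so a failed reallocarray overwrites the only pointer to the old buffer with NULL and leaks it, while cx->feedbackBufSize presumably keeps describing the old allocation (the failure handling itself is outside the hunk); the same pattern follows the guards in the SelectBuffer hunk below and in both single2swap.c hunks. This is pre-existing rather than introduced here, but since the commit is already hardening this path it would be cheap to go through a temporary: `void *tmp = reallocarray(cx->feedbackBuf, (size_t) size, __GLX_SIZE_FLOAT32);` then `if (!tmp) { cl->client->errorValue = size; return BadAlloc; }` and `cx->feedbackBuf = tmp;`, so a later request whose size does not exceed the stale feedbackBufSize cannot skip reallocation and reach the GL call with a NULL buffer. The guard itself deserves a one-line comment saying why it exists, e.g. `/* GLsizei is signed: a negative size would become a huge size_t in the reallocarray cast below */`, so it is not "simplified" away later. __glXDisp_FeedbackBuffer's body begins and ends outside the hunk.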
@@ -96,6 +100,10 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
     pc += __GLX_SINGLE_HDR_SIZE;
     __GLX_SWAP_INT(pc + 0);
     size = *(GLsizei *) (pc + 0);
+    if (size < 0) {
+        cl->client->errorValue = size;
+        return BadValue;
+    }
     if (cx->selectBufSize < size) {
         cx->selectBuf = reallocarray(cx->selectBuf, (size_t) size,
                                      __GLX_SIZE_CARD32);