fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-30 06:10:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

glx: validate numAttribs field before using it

Browse source 
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d9225b9602)
This commit is contained in:
Julien Cristau 2010-11-10 22:39:54 +01:00
parent 83f5faba54
commit d22de25262
2 changed files with 45 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
glx/glxcmds.c
View file

@ -1284,6 +1284,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
__GLXscreen *pGlxScreen;
int err;
REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@ -1397,6 +1402,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
CARD32 *attrs;
int width, height, i;
REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attrs = (CARD32 *) (req + 1);
@ -1484,6 +1494,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
xGLXChangeDrawableAttributesReq *req =
(xGLXChangeDrawableAttributesReq *) pc;
REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
return DoChangeDrawableAttributes(cl->client, req->drawable,
@ -1496,6 +1511,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXChangeDrawableAttributesSGIXReq *req =
(xGLXChangeDrawableAttributesSGIXReq *)pc;
REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
return DoChangeDrawableAttributes(cl->client, req->drawable,
@ -1511,6 +1531,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
DrawablePtr pDraw;
int err;
REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
LEGAL_NEW_RESOURCE(req->glxwindow, client);

20
glx/glxcmdsswap.c
View file

@ -320,6 +320,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->glxpixmap);
__GLX_SWAP_INT(&req->numAttribs);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@ -401,6 +405,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->pbuffer);
__GLX_SWAP_INT(&req->numAttribs);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@ -465,6 +473,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@ -487,6 +499,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@ -510,6 +526,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->glxwindow);
__GLX_SWAP_INT(&req->numAttribs);
if (req->numAttribs > (UINT32_MAX >> 3)) {
client->errorValue = req->numAttribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);