From d22de252621e09ead235001af4e09c4c83c2626f Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Wed, 10 Nov 2010 22:39:54 +0100
Subject: [PATCH] glx: validate numAttribs field before using it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c)
---
 glx/glxcmds.c     | 25 +++++++++++++++++++++++++
 glx/glxcmdsswap.c | 20 ++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 1973ada7f..40934ded1 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1284,6 +1284,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
 
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1397,6 +1402,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
     CARD32			*attrs;
     int				 width, height, i;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
 
     attrs = (CARD32 *) (req + 1);
@@ -1484,6 +1494,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1496,6 +1511,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1511,6 +1531,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     DrawablePtr		 pDraw;
     int			 err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
 
     LEGAL_NEW_RESOURCE(req->glxwindow, client);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index cbd9b8884..a0e0882cd 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -320,6 +320,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->glxpixmap);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -401,6 +405,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->pbuffer);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -465,6 +473,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -487,6 +499,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -510,6 +526,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->glxwindow);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);