fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-20 08:10:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

glx: fix BindTexImageEXT length check

Browse source 
The request is followed by a list of attributes.

X.Org bug#33449

Reported-and-tested-by: meng <mengmeng.meng@intel.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 1137c11be0)
This commit is contained in:
Julien Cristau 2011-01-26 13:06:53 +01:00
parent 5f3e015ae0
commit d6831f5aa1
2 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
glx/glxcmds.c
View file

@ -1698,13 +1698,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
GLXDrawable drawId; GLXDrawable drawId;
int buffer; int buffer;
int error; int error;
CARD32 num_attribs;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE; pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc)); drawId = *((CARD32 *) (pc));
buffer = *((INT32 *) (pc + 4)); buffer = *((INT32 *) (pc + 4));
num_attribs = *((CARD32 *) (pc + 8));
if (num_attribs > (UINT32_MAX >> 3)) {
client->errorValue = num_attribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
if (buffer != GLX_FRONT_LEFT_EXT) if (buffer != GLX_FRONT_LEFT_EXT)
return __glXError(GLXBadPixmap); return __glXError(GLXBadPixmap);

6
glx/glxcmdsswap.c
View file

@ -649,19 +649,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId; GLXDrawable *drawId;
int *buffer; int *buffer;
CARD32 *num_attribs;
__GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_VARIABLES;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE; pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc)); drawId = ((GLXDrawable *) (pc));
buffer = ((int *) (pc + 4)); buffer = ((int *) (pc + 4));
num_attribs = ((CARD32 *) (pc + 8));
__GLX_SWAP_SHORT(&req->length); __GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(drawId); __GLX_SWAP_INT(drawId);
__GLX_SWAP_INT(buffer); __GLX_SWAP_INT(buffer);
__GLX_SWAP_INT(num_attribs);
return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc); return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
} }