mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2026-02-14 20:20:34 +01:00
1af7e6c89d
Previously we leaked stack when invalid enum parameters were
specified and caused __glGet*_size functions to return a 0 size.
Further, we read out-of-bounds (and leaked) when the input data was less
than 8 bytes (__glXDispSwap_GetFramebufferAttachmentParameteriv and
__glXDisp_GetRenderbufferParameteriv).
Now we only write a single element in the reply padding, and only when there
is a single element. This is what the Mesa client-side libGL expects, and
restores original GLX server behaviour, matching both pre-public (1996) SGI GLX
and XFree86 4.
The main risk of this change is if we have any error in element count or size;
previously it may not have mattered but now it does.
There are no piglit result changes from this modification using either mesa
libGLX or NVIDIA libGLX.
For performance considerations, an extra conditional and variable-length
memcpy has no meaningful impact on the indirect rendering pipeline cost.
There is still the possiblity to leak if our size checks allow an enum that
the GL implemention does not. Guarding against that requires zero-initializing
all temp storage, which wants re-evaluation of the blind 200-byte buffers
used for many calls and thus is a much bigger change.
Signed-off-by: Nathan Kidd <nkidd@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1647>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| clientinfo.c | ||
| createcontext.c | ||
| extension_string.c | ||
| extension_string.h | ||
| glxcmds.c | ||
| glxcmdsswap.c | ||
| glxcontext.h | ||
| glxdrawable.h | ||
| glxdri2.c | ||
| glxdricommon.c | ||
| glxdricommon.h | ||
| glxdriswrast.c | ||
| glxext.c | ||
| glxext.h | ||
| glxscreens.c | ||
| glxscreens.h | ||
| glxserver.h | ||
| glxutil.h | ||
| indirect_dispatch.c | ||
| indirect_dispatch.h | ||
| indirect_dispatch_swap.c | ||
| indirect_program.c | ||
| indirect_reqsize.c | ||
| indirect_reqsize.h | ||
| indirect_size.h | ||
| indirect_size_get.c | ||
| indirect_size_get.h | ||
| indirect_table.c | ||
| indirect_table.h | ||
| indirect_texture_compression.c | ||
| indirect_util.c | ||
| indirect_util.h | ||
| meson.build | ||
| render2.c | ||
| render2swap.c | ||
| renderpix.c | ||
| renderpixswap.c | ||
| rensize.c | ||
| single2.c | ||
| single2swap.c | ||
| singlepix.c | ||
| singlepixswap.c | ||
| singlesize.c | ||
| singlesize.h | ||
| swap_interval.c | ||
| unpack.h | ||
| vnd_dispatch_stubs.c | ||
| vndcmds.c | ||
| vndext.c | ||
| vndserver.h | ||
| vndserver_priv.h | ||
| vndservermapping.c | ||
| vndservervendor.c | ||
| vndservervendor.h | ||
| xfont.c | ||