mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 04:40:02 +01:00
a4df686888
Previously we leaked stack when invalid enum parameters were specified and caused __glGet*_size functions to return a 0 size. Further, we read out-of-bounds (and leaked) when the input data was less than 8 bytes (__glXDispSwap_GetFramebufferAttachmentParameteriv and __glXDisp_GetRenderbufferParameteriv). Now we only write a single element in the reply padding, and only when there is a single element. This is what the Mesa client-side libGL expects, and restores original GLX server behaviour, matching both pre-public (1996) SGI GLX and XFree86 4. The main risk of this change is if we have any error in element count or size; previously it may not have mattered but now it does. There are no piglit result changes from this modification using either mesa libGLX or NVIDIA libGLX. For performance considerations, an extra conditional and variable-length memcpy has no meaningful impact on the indirect rendering pipeline cost. There is still the possiblity to leak if our size checks allow an enum that the GL implemention does not. Guarding against that requires zero-initializing all temp storage, which wants re-evaluation of the blind 200-byte buffers used for many calls and thus is a much bigger change. Signed-off-by: Nathan Kidd <nkidd@rocketsoftware.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1647> |
||
|---|---|---|
| .. | ||
| clientinfo.c | ||
| createcontext.c | ||
| extension_string.c | ||
| extension_string.h | ||
| glxcmds.c | ||
| glxcmdsswap.c | ||
| glxcontext.h | ||
| glxdrawable.h | ||
| glxdri2.c | ||
| glxdricommon.c | ||
| glxdricommon.h | ||
| glxdriswrast.c | ||
| glxext.c | ||
| glxext.h | ||
| glxscreens.c | ||
| glxscreens.h | ||
| glxserver.h | ||
| glxutil.h | ||
| indirect_dispatch.c | ||
| indirect_dispatch.h | ||
| indirect_dispatch_swap.c | ||
| indirect_program.c | ||
| indirect_reqsize.c | ||
| indirect_reqsize.h | ||
| indirect_size.h | ||
| indirect_size_get.c | ||
| indirect_size_get.h | ||
| indirect_table.c | ||
| indirect_table.h | ||
| indirect_texture_compression.c | ||
| indirect_util.c | ||
| indirect_util.h | ||
| meson.build | ||
| render2.c | ||
| render2swap.c | ||
| renderpix.c | ||
| renderpixswap.c | ||
| rensize.c | ||
| single2.c | ||
| single2swap.c | ||
| singlepix.c | ||
| singlepixswap.c | ||
| singlesize.c | ||
| singlesize.h | ||
| swap_interval.c | ||
| unpack.h | ||
| vnd_dispatch_stubs.c | ||
| vndcmds.c | ||
| vndext.c | ||
| vndserver.h | ||
| vndserver_priv.h | ||
| vndservermapping.c | ||
| vndservervendor.c | ||
| vndservervendor.h | ||
| xfont.c | ||