[X2Go-Commits] [vcxsrv] 20/24: Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)

This is an automated email from the git hooks/post-receive script. x2go pushed a commit to annotated tag 1.15.2.2-xp+vc2013+x2go1 in repository vcxsrv. commit 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 Author: Mike DePaulo <mikedep333@gmail.com> Date: Sat Jan 10 12:03:47 2015 -0500 Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1) --- xorg-server/Xext/xcmisc.c | 1 + xorg-server/Xext/xvdisp.c | 20 +++ xorg-server/Xi/chgdctl.c | 8 +- xorg-server/Xi/chgfctl.c | 2 + xorg-server/Xi/sendexev.c | 3 + xorg-server/Xi/xiallowev.c | 2 + xorg-server/Xi/xichangecursor.c | 2 +- xorg-server/Xi/xichangehierarchy.c | 35 ++++- xorg-server/Xi/xigetclientpointer.c | 1 + xorg-server/Xi/xigrabdev.c | 9 +- xorg-server/Xi/xipassivegrab.c | 12 +- xorg-server/Xi/xiproperty.c | 14 +- xorg-server/Xi/xiquerydevice.c | 1 + xorg-server/Xi/xiquerypointer.c | 2 + xorg-server/Xi/xiselectev.c | 8 ++ xorg-server/Xi/xisetclientpointer.c | 3 +- xorg-server/Xi/xisetdevfocus.c | 4 + xorg-server/Xi/xiwarppointer.c | 2 + xorg-server/configure.ac | 1 + xorg-server/dbe/dbe.c | 17 ++- xorg-server/dix/dispatch.c | 3 + xorg-server/dix/region.c | 20 ++- xorg-server/dri3/dri3_request.c | 6 + xorg-server/glx/clientinfo.c | 20 ++- xorg-server/glx/glxcmds.c | 85 ++++++----- xorg-server/glx/glxcmdsswap.c | 4 + xorg-server/glx/glxserver.h | 43 +++++- xorg-server/glx/indirect_dispatch.c | 25 ++++ xorg-server/glx/indirect_dispatch_swap.c | 26 ++++ xorg-server/glx/indirect_program.c | 2 + xorg-server/glx/indirect_reqsize.c | 152 ++++++++++---------- xorg-server/glx/indirect_reqsize.h | 148 +++++++++---------- xorg-server/glx/indirect_texture_compression.c | 4 + xorg-server/glx/indirect_util.c | 9 +- xorg-server/glx/rensize.c | 114 +++++++++------ xorg-server/glx/single2.c | 23 ++- xorg-server/glx/single2swap.c | 19 ++- xorg-server/glx/singlepix.c | 60 +++++--- xorg-server/glx/singlepixswap.c | 50 +++++-- xorg-server/glx/swap_interval.c | 2 + xorg-server/glx/unpack.h | 3 +- xorg-server/hw/xfree86/dri2/dri2ext.c | 3 + xorg-server/include/dix.h | 7 +- xorg-server/include/regionstr.h | 12 +- xorg-server/os/access.c | 6 + xorg-server/os/rpcauth.c | 4 + xorg-server/present/present_request.c | 6 + xorg-server/randr/rrsdispatch.c | 4 + xorg-server/render/render.c | 19 ++- xorg-server/test/misc.c | 37 +++++ xorg-server/test/xi1/Makefile.am | 34 +++++ .../test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++ xorg-server/test/xi2/protocol-xigetclientpointer.c | 5 + .../test/xi2/protocol-xipassivegrabdevice.c | 8 ++ xorg-server/test/xi2/protocol-xiquerypointer.c | 4 + xorg-server/test/xi2/protocol-xiwarppointer.c | 3 + xorg-server/xfixes/select.c | 1 + 57 files changed, 917 insertions(+), 323 deletions(-) diff --git a/xorg-server/Xext/xcmisc.c b/xorg-server/Xext/xcmisc.c index a48f612..ddbae0d 100644 --- a/xorg-server/Xext/xcmisc.c +++ b/xorg-server/Xext/xcmisc.c @@ -163,6 +163,7 @@ static int SProcXCMiscGetXIDList(ClientPtr client) { REQUEST(xXCMiscGetXIDListReq); + REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); swaps(&stuff->length); swapl(&stuff->count); diff --git a/xorg-server/Xext/xvdisp.c b/xorg-server/Xext/xvdisp.c index f2d49a2..c466af5 100644 --- a/xorg-server/Xext/xvdisp.c +++ b/xorg-server/Xext/xvdisp.c @@ -1207,6 +1207,7 @@ static int SProcXvQueryExtension(ClientPtr client) { REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length); return XvProcVector[xv_QueryExtension] (client); } @@ -1215,6 +1216,7 @@ static int SProcXvQueryAdaptors(ClientPtr client) { REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length); swapl(&stuff->window); return XvProcVector[xv_QueryAdaptors] (client); @@ -1224,6 +1226,7 @@ static int SProcXvQueryEncodings(ClientPtr client) { REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_QueryEncodings] (client); @@ -1233,6 +1236,7 @@ static int SProcXvGrabPort(ClientPtr client) { REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->time); @@ -1243,6 +1247,7 @@ static int SProcXvUngrabPort(ClientPtr client) { REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->time); @@ -1253,6 +1258,7 @@ static int SProcXvPutVideo(ClientPtr client) { REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1272,6 +1278,7 @@ static int SProcXvPutStill(ClientPtr client) { REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1291,6 +1298,7 @@ static int SProcXvGetVideo(ClientPtr client) { REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1310,6 +1318,7 @@ static int SProcXvGetStill(ClientPtr client) { REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1329,6 +1338,7 @@ static int SProcXvPutImage(ClientPtr client) { REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1352,6 +1362,7 @@ static int SProcXvShmPutImage(ClientPtr client) { REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1379,6 +1390,7 @@ static int SProcXvSelectVideoNotify(ClientPtr client) { REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length); swapl(&stuff->drawable); return XvProcVector[xv_SelectVideoNotify] (client); @@ -1388,6 +1400,7 @@ static int SProcXvSelectPortNotify(ClientPtr client) { REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_SelectPortNotify] (client); @@ -1397,6 +1410,7 @@ static int SProcXvStopVideo(ClientPtr client) { REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1407,6 +1421,7 @@ static int SProcXvSetPortAttribute(ClientPtr client) { REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->attribute); @@ -1418,6 +1433,7 @@ static int SProcXvGetPortAttribute(ClientPtr client) { REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->attribute); @@ -1428,6 +1444,7 @@ static int SProcXvQueryBestSize(ClientPtr client) { REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length); swapl(&stuff->port); swaps(&stuff->vid_w); @@ -1441,6 +1458,7 @@ static int SProcXvQueryPortAttributes(ClientPtr client) { REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_QueryPortAttributes] (client); @@ -1450,6 +1468,7 @@ static int SProcXvQueryImageAttributes(ClientPtr client) { REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->id); @@ -1462,6 +1481,7 @@ static int SProcXvListImageFormats(ClientPtr client) { REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_ListImageFormats] (client); diff --git a/xorg-server/Xi/chgdctl.c b/xorg-server/Xi/chgdctl.c index 106b9aa..cb7ad1e 100644 --- a/xorg-server/Xi/chgdctl.c +++ b/xorg-server/Xi/chgdctl.c @@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client) REQUEST(xChangeDeviceControlReq); swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); swaps(&stuff->control); ctl = (xDeviceCtl *) &stuff[1]; swaps(&ctl->control); @@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client) xDeviceEnableCtl *e; REQUEST(xChangeDeviceControlReq); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); @@ -191,6 +191,10 @@ ProcXChangeDeviceControl(ClientPtr client) break; case DEVICE_ENABLE: e = (xDeviceEnableCtl *) &stuff[1]; + if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) { + ret = BadLength; + goto out; + } if (IsXTestDevice(dev, NULL)) status = !Success; diff --git a/xorg-server/Xi/chgfctl.c b/xorg-server/Xi/chgfctl.c index 6dcf60c..224c2ba 100644 --- a/xorg-server/Xi/chgfctl.c +++ b/xorg-server/Xi/chgfctl.c @@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client) xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { + if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) + return BadLength; swaps(&f->num_keysyms); } if (len != diff --git a/xorg-server/Xi/sendexev.c b/xorg-server/Xi/sendexev.c index 3c21386..183f88d 100644 --- a/xorg-server/Xi/sendexev.c +++ b/xorg-server/Xi/sendexev.c @@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client) if (ret != Success) return ret; + if (stuff->num_events == 0) + return ret; + /* The client's event type must be one defined by an extension. */ first = ((xEvent *) &stuff[1]); diff --git a/xorg-server/Xi/xiallowev.c b/xorg-server/Xi/xiallowev.c index ebef233..ca263ef 100644 --- a/xorg-server/Xi/xiallowev.c +++ b/xorg-server/Xi/xiallowev.c @@ -48,6 +48,7 @@ int SProcXIAllowEvents(ClientPtr client) { REQUEST(xXIAllowEventsReq); + REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client) if (stuff->length > 3) { xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff; + REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq); swapl(&req_xi22->touchid); swapl(&req_xi22->grab_window); } diff --git a/xorg-server/Xi/xichangecursor.c b/xorg-server/Xi/xichangecursor.c index 7a1bb7a..8e6255b 100644 --- a/xorg-server/Xi/xichangecursor.c +++ b/xorg-server/Xi/xichangecursor.c @@ -57,11 +57,11 @@ int SProcXIChangeCursor(ClientPtr client) { REQUEST(xXIChangeCursorReq); + REQUEST_SIZE_MATCH(xXIChangeCursorReq); swaps(&stuff->length); swapl(&stuff->win); swapl(&stuff->cursor); swaps(&stuff->deviceid); - REQUEST_SIZE_MATCH(xXIChangeCursorReq); return (ProcXIChangeCursor(client)); } diff --git a/xorg-server/Xi/xichangehierarchy.c b/xorg-server/Xi/xichangehierarchy.c index 9e36354..2732445 100644 --- a/xorg-server/Xi/xichangehierarchy.c +++ b/xorg-server/Xi/xichangehierarchy.c @@ -411,7 +411,7 @@ int ProcXIChangeHierarchy(ClientPtr client) { xXIAnyHierarchyChangeInfo *any; - int required_len = sizeof(xXIChangeHierarchyReq); + size_t len; /* length of data remaining in request */ int rc = Success; int flags[MAXDEVICES] = { 0 }; @@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client) if (!stuff->num_changes) return rc; + if (stuff->length > (INT_MAX >> 2)) + return BadAlloc; + len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; while (stuff->num_changes--) { + if (len < sizeof(xXIAnyHierarchyChangeInfo)) { + rc = BadLength; + goto unwind; + } + SWAPIF(swaps(&any->type)); SWAPIF(swaps(&any->length)); - required_len += any->length; - if ((stuff->length * 4) < required_len) + if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) return BadLength; +#define CHANGE_SIZE_MATCH(type) \ + do { \ + if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ + rc = BadLength; \ + goto unwind; \ + } \ + } while(0) + switch (any->type) { case XIAddMaster: { xXIAddMasterInfo *c = (xXIAddMasterInfo *) any; + /* Variable length, due to appended name string */ + if (len < sizeof(xXIAddMasterInfo)) { + rc = BadLength; + goto unwind; + } SWAPIF(swaps(&c->name_len)); + if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { + rc = BadLength; + goto unwind; + } rc = add_master(client, c, flags); if (rc != Success) @@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; + CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); rc = remove_master(client, r, flags); if (rc != Success) goto unwind; @@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; + CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); rc = detach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; + CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); rc = attach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client) break; } + len -= any->length * 4; any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); } diff --git a/xorg-server/Xi/xigetclientpointer.c b/xorg-server/Xi/xigetclientpointer.c index 6ab2867..9d7feca 100644 --- a/xorg-server/Xi/xigetclientpointer.c +++ b/xorg-server/Xi/xigetclientpointer.c @@ -50,6 +50,7 @@ int SProcXIGetClientPointer(ClientPtr client) { REQUEST(xXIGetClientPointerReq); + REQUEST_SIZE_MATCH(xXIGetClientPointerReq); swaps(&stuff->length); swapl(&stuff->win); diff --git a/xorg-server/Xi/xigrabdev.c b/xorg-server/Xi/xigrabdev.c index 086e275..6be9971 100644 --- a/xorg-server/Xi/xigrabdev.c +++ b/xorg-server/Xi/xigrabdev.c @@ -47,6 +47,11 @@ int SProcXIGrabDevice(ClientPtr client) { REQUEST(xXIGrabDeviceReq); + /* + * Check here for at least the length of the struct we swap, then + * let ProcXIGrabDevice check the full size after we swap mask_len. + */ + REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client) unsigned int pointer_mode; REQUEST(xXIGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); if (ret != Success) @@ -130,6 +135,7 @@ int SProcXIUngrabDevice(ClientPtr client) { REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -147,6 +153,7 @@ ProcXIUngrabDevice(ClientPtr client) TimeStamp time; REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); if (ret != Success) diff --git a/xorg-server/Xi/xipassivegrab.c b/xorg-server/Xi/xipassivegrab.c index ca69050..3f6268f 100644 --- a/xorg-server/Xi/xipassivegrab.c +++ b/xorg-server/Xi/xipassivegrab.c @@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client) uint32_t *mods; REQUEST(xXIPassiveGrabDeviceReq); + REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client) swaps(&stuff->mask_len); swaps(&stuff->num_modifiers); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, + ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4); mods = (uint32_t *) &stuff[1] + stuff->mask_len; for (i = 0; i < stuff->num_modifiers; i++, mods++) { @@ -86,7 +89,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) int mask_len; REQUEST(xXIPassiveGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, + ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4); rep.repType = X_Reply; rep.RepType = X_XIPassiveGrabDevice; @@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client) uint32_t *modifiers; REQUEST(xXIPassiveUngrabDeviceReq); + REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); swaps(&stuff->length); swapl(&stuff->grab_window); @@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client) swapl(&stuff->detail); swaps(&stuff->num_modifiers); + REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, + ((uint32_t) stuff->num_modifiers) << 2); modifiers = (uint32_t *) &stuff[1]; for (i = 0; i < stuff->num_modifiers; i++, modifiers++) @@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client) int i, rc; REQUEST(xXIPassiveUngrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, + ((uint32_t) stuff->num_modifiers) << 2); if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; diff --git a/xorg-server/Xi/xiproperty.c b/xorg-server/Xi/xiproperty.c index 18936c5..13c478e 100644 --- a/xorg-server/Xi/xiproperty.c +++ b/xorg-server/Xi/xiproperty.c @@ -1011,10 +1011,9 @@ int SProcXListDeviceProperties(ClientPtr client) { REQUEST(xListDevicePropertiesReq); + REQUEST_SIZE_MATCH(xListDevicePropertiesReq); swaps(&stuff->length); - - REQUEST_SIZE_MATCH(xListDevicePropertiesReq); return (ProcXListDeviceProperties(client)); } @@ -1035,10 +1034,10 @@ int SProcXDeleteDeviceProperty(ClientPtr client) { REQUEST(xDeleteDevicePropertyReq); + REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); swaps(&stuff->length); swapl(&stuff->property); - REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); return (ProcXDeleteDeviceProperty(client)); } @@ -1046,13 +1045,13 @@ int SProcXGetDeviceProperty(ClientPtr client) { REQUEST(xGetDevicePropertyReq); + REQUEST_SIZE_MATCH(xGetDevicePropertyReq); swaps(&stuff->length); swapl(&stuff->property); swapl(&stuff->type); swapl(&stuff->longOffset); swapl(&stuff->longLength); - REQUEST_SIZE_MATCH(xGetDevicePropertyReq); return (ProcXGetDeviceProperty(client)); } @@ -1249,11 +1248,10 @@ int SProcXIListProperties(ClientPtr client) { REQUEST(xXIListPropertiesReq); + REQUEST_SIZE_MATCH(xXIListPropertiesReq); swaps(&stuff->length); swaps(&stuff->deviceid); - - REQUEST_SIZE_MATCH(xXIListPropertiesReq); return (ProcXIListProperties(client)); } @@ -1275,11 +1273,11 @@ int SProcXIDeleteProperty(ClientPtr client) { REQUEST(xXIDeletePropertyReq); + REQUEST_SIZE_MATCH(xXIDeletePropertyReq); swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->property); - REQUEST_SIZE_MATCH(xXIDeletePropertyReq); return (ProcXIDeleteProperty(client)); } @@ -1287,6 +1285,7 @@ int SProcXIGetProperty(ClientPtr client) { REQUEST(xXIGetPropertyReq); + REQUEST_SIZE_MATCH(xXIGetPropertyReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -1294,7 +1293,6 @@ SProcXIGetProperty(ClientPtr client) swapl(&stuff->type); swapl(&stuff->offset); swapl(&stuff->len); - REQUEST_SIZE_MATCH(xXIGetPropertyReq); return (ProcXIGetProperty(client)); } diff --git a/xorg-server/Xi/xiquerydevice.c b/xorg-server/Xi/xiquerydevice.c index 1d10900..186e21b 100644 --- a/xorg-server/Xi/xiquerydevice.c +++ b/xorg-server/Xi/xiquerydevice.c @@ -54,6 +54,7 @@ int SProcXIQueryDevice(ClientPtr client) { REQUEST(xXIQueryDeviceReq); + REQUEST_SIZE_MATCH(xXIQueryDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); diff --git a/xorg-server/Xi/xiquerypointer.c b/xorg-server/Xi/xiquerypointer.c index a873261..014bffa 100644 --- a/xorg-server/Xi/xiquerypointer.c +++ b/xorg-server/Xi/xiquerypointer.c @@ -63,6 +63,8 @@ int SProcXIQueryPointer(ClientPtr client) { REQUEST(xXIQueryPointerReq); + REQUEST_SIZE_MATCH(xXIQueryPointerReq); + swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->win); diff --git a/xorg-server/Xi/xiselectev.c b/xorg-server/Xi/xiselectev.c index 8592747..701748e 100644 --- a/xorg-server/Xi/xiselectev.c +++ b/xorg-server/Xi/xiselectev.c @@ -114,6 +114,7 @@ int SProcXISelectEvents(ClientPtr client) { int i; + int len; xXIEventMask *evmask; REQUEST(xXISelectEventsReq); @@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client) swapl(&stuff->win); swaps(&stuff->num_masks); + len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq)); evmask = (xXIEventMask *) &stuff[1]; for (i = 0; i < stuff->num_masks; i++) { + if (len < bytes_to_int32(sizeof(xXIEventMask))) + return BadLength; + len -= bytes_to_int32(sizeof(xXIEventMask)); swaps(&evmask->deviceid); swaps(&evmask->mask_len); + if (len < evmask->mask_len) + return BadLength; + len -= evmask->mask_len; evmask = (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4); } diff --git a/xorg-server/Xi/xisetclientpointer.c b/xorg-server/Xi/xisetclientpointer.c index 38ff51e..24d4a53 100644 --- a/xorg-server/Xi/xisetclientpointer.c +++ b/xorg-server/Xi/xisetclientpointer.c @@ -51,10 +51,11 @@ int SProcXISetClientPointer(ClientPtr client) { REQUEST(xXISetClientPointerReq); + REQUEST_SIZE_MATCH(xXISetClientPointerReq); + swaps(&stuff->length); swapl(&stuff->win); swaps(&stuff->deviceid); - REQUEST_SIZE_MATCH(xXISetClientPointerReq); return (ProcXISetClientPointer(client)); } diff --git a/xorg-server/Xi/xisetdevfocus.c b/xorg-server/Xi/xisetdevfocus.c index aec822c..f3584d5 100644 --- a/xorg-server/Xi/xisetdevfocus.c +++ b/xorg-server/Xi/xisetdevfocus.c @@ -44,6 +44,8 @@ int SProcXISetFocus(ClientPtr client) { REQUEST(xXISetFocusReq); + REQUEST_AT_LEAST_SIZE(xXISetFocusReq); + swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->focus); @@ -56,6 +58,8 @@ int SProcXIGetFocus(ClientPtr client) { REQUEST(xXIGetFocusReq); + REQUEST_AT_LEAST_SIZE(xXIGetFocusReq); + swaps(&stuff->length); swaps(&stuff->deviceid); diff --git a/xorg-server/Xi/xiwarppointer.c b/xorg-server/Xi/xiwarppointer.c index 3f051f7..780758a 100644 --- a/xorg-server/Xi/xiwarppointer.c +++ b/xorg-server/Xi/xiwarppointer.c @@ -56,6 +56,8 @@ int SProcXIWarpPointer(ClientPtr client) { REQUEST(xXIWarpPointerReq); + REQUEST_SIZE_MATCH(xXIWarpPointerReq); + swaps(&stuff->length); swapl(&stuff->src_win); swapl(&stuff->dst_win); diff --git a/xorg-server/configure.ac b/xorg-server/configure.ac index 2daa6be..51395db 100644 --- a/xorg-server/configure.ac +++ b/xorg-server/configure.ac @@ -2610,6 +2610,7 @@ hw/kdrive/linux/Makefile hw/kdrive/src/Makefile hw/xwayland/Makefile test/Makefile +test/xi1/Makefile test/xi2/Makefile xserver.ent xorg-server.pc diff --git a/xorg-server/dbe/dbe.c b/xorg-server/dbe/dbe.c index d64fb40..43edb08 100644 --- a/xorg-server/dbe/dbe.c +++ b/xorg-server/dbe/dbe.c @@ -450,18 +450,21 @@ ProcDbeSwapBuffers(ClientPtr client) DbeSwapInfoPtr swapInfo; xDbeSwapInfo *dbeSwapInfo; int error; - register int i, j; - int nStuff; + unsigned int i, j; + unsigned int nStuff; + int nStuff_i; /* DDX API requires int for nStuff */ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); nStuff = stuff->n; /* use local variable for performance. */ if (nStuff == 0) { + REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); return Success; } if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *) &stuff[1]; @@ -525,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client) * could deal with cross-screen synchronization. */ - while (nStuff > 0) { + nStuff_i = nStuff; + while (nStuff_i > 0) { pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); - error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo); + error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo); if (error != Success) { free(swapInfo); return error; @@ -912,13 +916,16 @@ static int SProcDbeSwapBuffers(ClientPtr client) { REQUEST(xDbeSwapBuffersReq); - register int i; + unsigned int i; xDbeSwapInfo *pSwapInfo; swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); swapl(&stuff->n); + if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { pSwapInfo = (xDbeSwapInfo *) stuff + 1; diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c index 28a54de..67dbce6 100644 --- a/xorg-server/dix/dispatch.c +++ b/xorg-server/dix/dispatch.c @@ -2002,6 +2002,9 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if ((bytes_to_int32(lengthProto * stuff->height) + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) return BadLength; diff --git a/xorg-server/dix/region.c b/xorg-server/dix/region.c index 15f3d01..e5eed01 100644 --- a/xorg-server/dix/region.c +++ b/xorg-server/dix/region.c @@ -169,7 +169,6 @@ Equipment Corporation. ((r1)->y1 <= (r2)->y1) && \ ((r1)->y2 >= (r2)->y2) ) -#define xallocData(n) malloc(RegionSizeof(n)) #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) #define RECTALLOC_BAIL(pReg,n,bail) \ @@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \ #define DOWNSIZE(reg,numRects) \ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ { \ - RegDataPtr NewData; \ - NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ + size_t NewSize = RegionSizeof(numRects); \ + RegDataPtr NewData = \ + (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ if (NewData) \ { \ NewData->size = (numRects); \ @@ -345,17 +345,20 @@ Bool RegionRectAlloc(RegionPtr pRgn, int n) { RegDataPtr data; + size_t rgnSize; if (!pRgn->data) { n++; - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak(pRgn); pRgn->data->numRects = 1; *RegionBoxptr(pRgn) = pRgn->extents; } else if (!pRgn->data->size) { - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak(pRgn); pRgn->data->numRects = 0; @@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) n = 250; } n += pRgn->data->numRects; - data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); + rgnSize = RegionSizeof(n); + data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; if (!data) return RegionBreak(pRgn); pRgn->data = data; @@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype) { RegionPtr pRgn; + size_t rgnSize; RegDataPtr pData; BoxPtr pBox; int i; @@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype) } return pRgn; } - pData = xallocData(nrects); + rgnSize = RegionSizeof(nrects); + pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pData) { RegionBreak(pRgn); return pRgn; diff --git a/xorg-server/dri3/dri3_request.c b/xorg-server/dri3/dri3_request.c index fe45620..2d75588 100644 --- a/xorg-server/dri3/dri3_request.c +++ b/xorg-server/dri3/dri3_request.c @@ -321,6 +321,7 @@ static int sproc_dri3_query_version(ClientPtr client) { REQUEST(xDRI3QueryVersionReq); + REQUEST_SIZE_MATCH(xDRI3QueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); @@ -332,6 +333,7 @@ static int sproc_dri3_open(ClientPtr client) { REQUEST(xDRI3OpenReq); + REQUEST_SIZE_MATCH(xDRI3OpenReq); swaps(&stuff->length); swapl(&stuff->drawable); @@ -343,6 +345,7 @@ static int sproc_dri3_pixmap_from_buffer(ClientPtr client) { REQUEST(xDRI3PixmapFromBufferReq); + REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq); swaps(&stuff->length); swapl(&stuff->pixmap); @@ -358,6 +361,7 @@ static int sproc_dri3_buffer_from_pixmap(ClientPtr client) { REQUEST(xDRI3BufferFromPixmapReq); + REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq); swaps(&stuff->length); swapl(&stuff->pixmap); @@ -368,6 +372,7 @@ static int sproc_dri3_fence_from_fd(ClientPtr client) { REQUEST(xDRI3FenceFromFDReq); + REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq); swaps(&stuff->length); swapl(&stuff->drawable); @@ -379,6 +384,7 @@ static int sproc_dri3_fd_from_fence(ClientPtr client) { REQUEST(xDRI3FDFromFenceReq); + REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq); swaps(&stuff->length); swapl(&stuff->drawable); diff --git a/xorg-server/glx/clientinfo.c b/xorg-server/glx/clientinfo.c index 4aaa4c9..74ad919 100644 --- a/xorg-server/glx/clientinfo.c +++ b/xorg-server/glx/clientinfo.c @@ -33,18 +33,22 @@ static int set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req, unsigned bytes_per_version) { + ClientPtr client = cl->client; char *gl_extensions; char *glx_extensions; + int size; + + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); /* Verify that the size of the packet matches the size inferred from the * sizes specified for the various fields. */ - const unsigned expected_size = sz_xGLXSetClientInfoARBReq - + (req->numVersions * bytes_per_version) - + __GLX_PAD(req->numGLExtensionBytes) - + __GLX_PAD(req->numGLXExtensionBytes); + size = sz_xGLXSetClientInfoARBReq; + size = safe_add(size, safe_mul(req->numVersions, bytes_per_version)); + size = safe_add(size, safe_pad(req->numGLExtensionBytes)); + size = safe_add(size, safe_pad(req->numGLXExtensionBytes)); - if (req->length != (expected_size / 4)) + if (size < 0 || req->length != (size / 4)) return BadLength; /* Verify that the actual length of the GL extension string matches what's @@ -80,8 +84,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); + req->length = bswap_16(req->length); req->numVersions = bswap_32(req->numVersions); req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes); @@ -99,8 +106,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); + req->length = bswap_16(req->length); req->numVersions = bswap_32(req->numVersions); req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes); diff --git a/xorg-server/glx/glxcmds.c b/xorg-server/glx/glxcmds.c index c39a3f4..88093da 100644 --- a/xorg-server/glx/glxcmds.c +++ b/xorg-server/glx/glxcmds.c @@ -2028,7 +2028,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData entry; - int extra; + int extra = 0; __GLXdispatchRenderProcPtr proc; int err; @@ -2047,6 +2047,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) cmdlen = hdr->length; opcode = hdr->opcode; + if (left < cmdlen) + return BadLength; + /* ** Check for core opcodes and grab entry data. */ @@ -2060,24 +2063,21 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) return __glXError(GLXBadRenderRequest); } + if (cmdlen < entry.bytes) { + return BadLength; + } + if (entry.varsize) { /* variable size command */ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { - extra = 0; - } - if (cmdlen != __GLX_PAD(entry.bytes + extra)) { return BadLength; } } - else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry.bytes)) { - return BadLength; - } - } - if (left < cmdlen) { + + if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) { return BadLength; } @@ -2113,6 +2113,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); + req = (xGLXRenderLargeReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -2128,12 +2130,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) __glXResetLargeCommandStatus(cl); return error; } + if (safe_pad(req->dataBytes) < 0) + return BadLength; dataBytes = req->dataBytes; /* ** Check the request length. */ - if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { + if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { client->errorValue = req->length; /* Reset in case this isn't 1st request. */ __glXResetLargeCommandStatus(cl); @@ -2143,7 +2147,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData entry; - int extra; + int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; size_t cmdlen; int err; @@ -2156,13 +2161,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) return __glXError(GLXBadLargeRequest); } + if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) + return BadLength; + hdr = (__GLXrenderLargeHeader *) pc; if (client->swapped) { __GLX_SWAP_INT(&hdr->length); __GLX_SWAP_INT(&hdr->opcode); } - cmdlen = hdr->length; opcode = hdr->opcode; + if ((cmdlen = safe_pad(hdr->length)) < 0) + return BadLength; /* ** Check for core opcodes and grab entry data. @@ -2180,21 +2189,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) ** will be in the 1st request, so it's okay to do this. */ extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { - extra = 0; - } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { return BadLength; } } - else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry.bytes + 4)) { - return BadLength; - } + + /* the +4 is safe because we know entry.bytes is small */ + if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) { + return BadLength; } + /* ** Make enough space in the buffer, then copy the entire request. */ @@ -2221,6 +2227,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) ** We are receiving subsequent (i.e. not the first) requests of a ** multi request command. */ + int bytesSoFar; /* including this packet */ /* ** Check the request number and the total request count. @@ -2239,11 +2246,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) /* ** Check that we didn't get too much data. */ - if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { + if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXError(GLXBadLargeRequest); } + + if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); + } + memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes); cl->largeCmdBytesSoFar += dataBytes; cl->largeCmdRequestsSoFar++; @@ -2255,17 +2269,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) ** This is the last request; it must have enough bytes to complete ** the command. */ - /* NOTE: the two pad macros have been added below; they are needed - ** because the client library pads the total byte count, but not - ** the per-request byte counts. The Protocol Encoding says the - ** total byte count should not be padded, so a proposal will be - ** made to the ARB to relax the padding constraint on the total - ** byte count, thus preserving backward compatibility. Meanwhile, - ** the padding done below fixes a bug that did not allow - ** large commands of odd sizes to be accepted by the server. + /* NOTE: the pad macro below is needed because the client library + ** pads the total byte count, but not the per-request byte counts. + ** The Protocol Encoding says the total byte count should not be + ** padded, so a proposal will be made to the ARB to relax the + ** padding constraint on the total byte count, thus preserving + ** backward compatibility. Meanwhile, the padding done below + ** fixes a bug that did not allow large commands of odd sizes to + ** be accepted by the server. */ - if (__GLX_PAD(cl->largeCmdBytesSoFar) != - __GLX_PAD(cl->largeCmdBytesTotal)) { + if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXError(GLXBadLargeRequest); diff --git a/xorg-server/glx/glxcmdsswap.c b/xorg-server/glx/glxcmdsswap.c index fd1fd70..eca7009 100644 --- a/xorg-server/glx/glxcmdsswap.c +++ b/xorg-server/glx/glxcmdsswap.c @@ -960,11 +960,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); req = (xGLXVendorPrivateReq *) pc; __GLX_SWAP_SHORT(&req->length); @@ -987,11 +989,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); req = (xGLXVendorPrivateWithReplyReq *) pc; __GLX_SWAP_SHORT(&req->length); diff --git a/xorg-server/glx/glxserver.h b/xorg-server/glx/glxserver.h index a324b29..9088ec4 100644 --- a/xorg-server/glx/glxserver.h +++ b/xorg-server/glx/glxserver.h @@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc); /* * Tables for computing the size of each rendering command. */ -typedef int (*gl_proto_size_func) (const GLbyte *, Bool); +typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int); typedef struct { int bytes; @@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client, * Routines for computing the size of variably-sized rendering commands. */ +static _X_INLINE int +safe_add(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (INT_MAX - a < b) + return -1; + + return a + b; +} + +static _X_INLINE int +safe_mul(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (a == 0 || b == 0) + return 0; + + if (a > INT_MAX / b) + return -1; + + return a * b; +} + +static _X_INLINE int +safe_pad(int a) +{ + int ret; + + if (a < 0) + return -1; + + if ((ret = safe_add(a, 3)) < 0) + return -1; + + return ret & (GLuint)~3; +} + extern int __glXTypeSize(GLenum enm); extern int __glXImageSize(GLenum format, GLenum type, GLenum target, GLsizei w, GLsizei h, GLsizei d, diff --git a/xorg-server/glx/indirect_dispatch.c b/xorg-server/glx/indirect_dispatch.c index 67e5280..80b4964 100644 --- a/xorg-server/glx/indirect_dispatch.c +++ b/xorg-server/glx/indirect_dispatch.c @@ -2747,6 +2747,9 @@ int __glXDisp_AreTexturesResident(__GLXclientState *cl, GLbyte *pc) GLboolean retval; GLboolean answerBuffer[200]; GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1); + + if (residences == NULL) + return BadAlloc; retval = CALL_AreTexturesResident( GET_DISPATCH(), ( n, (const GLuint *)(pc + 4), @@ -2772,6 +2775,9 @@ int __glXDisp_AreTexturesResidentEXT(__GLXclientState *cl, GLbyte *pc) GLboolean retval; GLboolean answerBuffer[200]; GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1); + + if (residences == NULL) + return BadAlloc; retval = CALL_AreTexturesResident( GET_DISPATCH(), ( n, (const GLuint *)(pc + 4), @@ -2889,6 +2895,9 @@ int __glXDisp_GenTextures(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (textures == NULL) + return BadAlloc; CALL_GenTextures( GET_DISPATCH(), ( n, textures @@ -2912,6 +2921,9 @@ int __glXDisp_GenTexturesEXT(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (textures == NULL) + return BadAlloc; CALL_GenTextures( GET_DISPATCH(), ( n, textures @@ -4261,6 +4273,9 @@ int __glXDisp_GenQueries(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * ids = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (ids == NULL) + return BadAlloc; CALL_GenQueries( GET_DISPATCH(), ( n, ids @@ -4711,6 +4726,9 @@ int __glXDisp_GenProgramsARB(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * programs = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (programs == NULL) + return BadAlloc; CALL_GenProgramsARB( GET_DISPATCH(), ( n, programs @@ -5086,6 +5104,10 @@ int __glXDisp_GenFramebuffers(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * framebuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (framebuffers == NULL) + return BadAlloc; + CALL_GenFramebuffers( GET_DISPATCH(), ( n, framebuffers @@ -5109,6 +5131,9 @@ int __glXDisp_GenRenderbuffers(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * renderbuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (renderbuffers == NULL) + return BadAlloc; CALL_GenRenderbuffers( GET_DISPATCH(), ( n, renderbuffers diff --git a/xorg-server/glx/indirect_dispatch_swap.c b/xorg-server/glx/indirect_dispatch_swap.c index 4096023..d1118d6 100644 --- a/xorg-server/glx/indirect_dispatch_swap.c +++ b/xorg-server/glx/indirect_dispatch_swap.c @@ -2875,6 +2875,9 @@ int __glXDispSwap_AreTexturesResident(__GLXclientState *cl, GLbyte *pc) GLboolean retval; GLboolean answerBuffer[200]; GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1); + + if (residences == NULL) + return BadAlloc; retval = CALL_AreTexturesResident( GET_DISPATCH(), ( n, (const GLuint *)bswap_32_array( (uint32_t *) (pc + 4), 0 ), @@ -2900,6 +2903,9 @@ int __glXDispSwap_AreTexturesResidentEXT(__GLXclientState *cl, GLbyte *pc) GLboolean retval; GLboolean answerBuffer[200]; GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1); + + if (residences == NULL) + return BadAlloc; retval = CALL_AreTexturesResident( GET_DISPATCH(), ( n, (const GLuint *)bswap_32_array( (uint32_t *) (pc + 4), 0 ), @@ -3017,6 +3023,9 @@ int __glXDispSwap_GenTextures(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (textures == NULL) + return BadAlloc; CALL_GenTextures( GET_DISPATCH(), ( n, textures @@ -3041,6 +3050,9 @@ int __glXDispSwap_GenTexturesEXT(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (textures == NULL) + return BadAlloc; CALL_GenTextures( GET_DISPATCH(), ( n, textures @@ -4407,6 +4419,9 @@ int __glXDispSwap_GenQueries(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * ids = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + if (ids == NULL) + return BadAlloc; + CALL_GenQueries( GET_DISPATCH(), ( n, ids @@ -4864,6 +4879,9 @@ int __glXDispSwap_GenProgramsARB(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * programs = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + if (programs == NULL) + return BadAlloc; + CALL_GenProgramsARB( GET_DISPATCH(), ( n, programs @@ -5245,6 +5263,10 @@ int __glXDispSwap_GenFramebuffers(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * framebuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (framebuffers == NULL) + return BadAlloc; + CALL_GenFramebuffers( GET_DISPATCH(), ( n, framebuffers @@ -5269,6 +5291,10 @@ int __glXDispSwap_GenRenderbuffers(__GLXclientState *cl, GLbyte *pc) GLuint answerBuffer[200]; GLuint * renderbuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4); + + if (renderbuffers == NULL) + return BadAlloc; + CALL_GenRenderbuffers( GET_DISPATCH(), ( n, renderbuffers diff --git a/xorg-server/glx/indirect_program.c b/xorg-server/glx/indirect_program.c index c5e562a..8f2d6a8 100644 --- a/xorg-server/glx/indirect_program.c +++ b/xorg-server/glx/indirect_program.c @@ -57,6 +57,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc, __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; if (cx != NULL) { GLenum target; diff --git a/xorg-server/glx/indirect_reqsize.c b/xorg-server/glx/indirect_reqsize.c index a87f7d2..e67c847 100644 --- a/xorg-server/glx/indirect_reqsize.c +++ b/xorg-server/glx/indirect_reqsize.c @@ -40,25 +40,23 @@ #include "indirect_size.h" #include "indirect_reqsize.h" -#define __GLX_PAD(x) (((x) + 3) & ~3) - #if defined(__CYGWIN__) || defined(__MINGW32__) # undef HAVE_ALIAS #endif #ifdef HAVE_ALIAS # define ALIAS2(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ __attribute__ ((alias( # to ))); # define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) #else # define ALIAS(from,to) \ - GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ - { return __glX ## to ## ReqSize( pc, swap ); } + GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + { return __glX ## to ## ReqSize( pc, swap, reqlen ); } #endif int -__glXCallListsReqSize( const GLbyte * pc, Bool swap ) +__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); GLenum type = * (GLenum *)(pc + 4); @@ -70,11 +68,11 @@ GLenum type = * (GLenum *)(pc + 4); } compsize = __glCallLists_size(type); - return __GLX_PAD((compsize * n)); + return safe_pad(safe_mul(compsize, n)); } int -__glXBitmapReqSize( const GLbyte * pc, Bool swap ) +__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -98,7 +96,7 @@ GLsizei height = *(GLsizei *)(pc + 24); } int -__glXFogfvReqSize( const GLbyte * pc, Bool swap ) +__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 0); GLsizei compsize; @@ -108,11 +106,11 @@ GLenum pname = * (GLenum *)(pc + 0); } compsize = __glFogfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightfvReqSize( const GLbyte * pc, Bool swap ) +__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -122,11 +120,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glLightfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightModelfvReqSize( const GLbyte * pc, Bool swap ) +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 0); GLsizei compsize; @@ -136,11 +134,11 @@ GLenum pname = * (GLenum *)(pc + 0); } compsize = __glLightModelfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXMaterialfvReqSize( const GLbyte * pc, Bool swap ) +__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -150,11 +148,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glMaterialfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPolygonStippleReqSize( const GLbyte * pc, Bool swap ) +__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -174,7 +172,7 @@ __glXPolygonStippleReqSize( const GLbyte * pc, Bool swap ) } int -__glXTexParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -184,11 +182,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage1DReqSize( const GLbyte * pc, Bool swap ) +__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -216,7 +214,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXTexImage2DReqSize( const GLbyte * pc, Bool swap ) +__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -246,7 +244,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXTexEnvfvReqSize( const GLbyte * pc, Bool swap ) +__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -256,11 +254,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexEnvfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexGendvReqSize( const GLbyte * pc, Bool swap ) +__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -270,11 +268,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexGendv_size(pname); - return __GLX_PAD((compsize * 8)); + return safe_pad(safe_mul(compsize, 8)); } int -__glXTexGenfvReqSize( const GLbyte * pc, Bool swap ) +__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -284,11 +282,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glTexGenfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPixelMapfvReqSize( const GLbyte * pc, Bool swap ) +__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *)(pc + 4); @@ -296,11 +294,11 @@ GLsizei mapsize = *(GLsizei *)(pc + 4); mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 4)); + return safe_pad(safe_mul(mapsize, 4)); } int -__glXPixelMapusvReqSize( const GLbyte * pc, Bool swap ) +__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *)(pc + 4); @@ -308,11 +306,11 @@ GLsizei mapsize = *(GLsizei *)(pc + 4); mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 2)); + return safe_pad(safe_mul(mapsize, 2)); } int -__glXDrawPixelsReqSize( const GLbyte * pc, Bool swap ) +__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -340,7 +338,7 @@ GLenum type = * (GLenum *)(pc + 32); } int -__glXPrioritizeTexturesReqSize( const GLbyte * pc, Bool swap ) +__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); @@ -348,11 +346,11 @@ GLsizei n = *(GLsizei *)(pc + 0); n = bswap_32(n); } - return __GLX_PAD((n * 4) + (n * 4)); + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); } int -__glXTexSubImage1DReqSize( const GLbyte * pc, Bool swap ) +__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -380,7 +378,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXTexSubImage2DReqSize( const GLbyte * pc, Bool swap ) +__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -410,7 +408,7 @@ GLenum type = * (GLenum *)(pc + 48); } int -__glXColorTableReqSize( const GLbyte * pc, Bool swap ) +__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -438,7 +436,7 @@ GLenum type = * (GLenum *)(pc + 36); } int -__glXColorTableParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -448,11 +446,11 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glColorTableParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXColorSubTableReqSize( const GLbyte * pc, Bool swap ) +__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -480,7 +478,7 @@ GLenum type = * (GLenum *)(pc + 36); } int -__glXConvolutionFilter1DReqSize( const GLbyte * pc, Bool swap ) +__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -508,7 +506,7 @@ GLenum type = * (GLenum *)(pc + 40); } int -__glXConvolutionFilter2DReqSize( const GLbyte * pc, Bool swap ) +__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = 0; @@ -538,7 +536,7 @@ GLenum type = * (GLenum *)(pc + 40); } int -__glXConvolutionParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 4); GLsizei compsize; @@ -548,7 +546,7 @@ GLenum pname = * (GLenum *)(pc + 4); } compsize = __glConvolutionParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int @@ -589,7 +587,7 @@ GLenum type = * (GLenum *)(pc + 72); } int -__glXTexSubImage3DReqSize( const GLbyte * pc, Bool swap ) +__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLint row_length = * (GLint *)(pc + 4); GLint image_height = * (GLint *)(pc + 8); @@ -623,7 +621,7 @@ GLenum type = * (GLenum *)(pc + 80); } int -__glXCompressedTexImage1DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 20); @@ -631,11 +629,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 20); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage2DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 24); @@ -643,11 +641,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 24); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage3DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 28); @@ -655,11 +653,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 28); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexSubImage3DReqSize( const GLbyte * pc, Bool swap ) +__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *)(pc + 36); @@ -667,11 +665,11 @@ GLsizei imageSize = *(GLsizei *)(pc + 36); imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXPointParameterfvReqSize( const GLbyte * pc, Bool swap ) +__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = * (GLenum *)(pc + 0); GLsizei compsize; @@ -681,11 +679,11 @@ GLenum pname = * (GLenum *)(pc + 0); } compsize = __glPointParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXDrawBuffersReqSize( const GLbyte * pc, Bool swap ) +__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 0); @@ -693,11 +691,11 @@ GLsizei n = *(GLsizei *)(pc + 0); n = bswap_32(n); } - return __GLX_PAD((n * 4)); + return safe_pad(safe_mul(n, 4)); } int -__glXProgramStringARBReqSize( const GLbyte * pc, Bool swap ) +__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *)(pc + 8); @@ -705,11 +703,11 @@ GLsizei len = *(GLsizei *)(pc + 8); len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } int -__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap, int reqlen) { GLsizei num = *(GLsizei *)(pc + 8); @@ -717,11 +715,11 @@ GLsizei num = *(GLsizei *)(pc + 8); num = bswap_32(num); } - return __GLX_PAD((num * 32)); + return safe_pad(safe_mul(num, 32)); } int -__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap ) +__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap, int reqlen) { GLsizei num = *(GLsizei *)(pc + 8); @@ -729,11 +727,11 @@ GLsizei num = *(GLsizei *)(pc + 8); num = bswap_32(num); } - return __GLX_PAD((num * 16)); + return safe_pad(safe_mul(num, 16)); } int -__glXVertexAttribs1dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -741,11 +739,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 8)); + return safe_pad(safe_mul(n, 8)); } int -__glXVertexAttribs2dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -753,11 +751,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 16)); + return safe_pad(safe_mul(n, 16)); } int -__glXVertexAttribs3dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -765,11 +763,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 24)); + return safe_pad(safe_mul(n, 24)); } int -__glXVertexAttribs3fvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -777,11 +775,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 12)); + return safe_pad(safe_mul(n, 12)); } int -__glXVertexAttribs3svNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -789,11 +787,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 6)); + return safe_pad(safe_mul(n, 6)); } int -__glXVertexAttribs4dvNVReqSize( const GLbyte * pc, Bool swap ) +__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *)(pc + 4); @@ -801,11 +799,11 @@ GLsizei n = *(GLsizei *)(pc + 4); n = bswap_32(n); } - return __GLX_PAD((n * 32)); + return safe_pad(safe_mul(n, 32)); } int -__glXProgramNamedParameter4fvNVReqSize( const GLbyte * pc, Bool swap ) +__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *)(pc + 4); @@ -813,7 +811,7 @@ GLsizei len = *(GLsizei *)(pc + 4); len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } ALIAS( Fogiv, Fogfv ) diff --git a/xorg-server/glx/indirect_reqsize.h b/xorg-server/glx/indirect_reqsize.h index 1b7bd6e..9adba49 100644 --- a/xorg-server/glx/indirect_reqsize.h +++ b/xorg-server/glx/indirect_reqsize.h @@ -36,80 +36,80 @@ # define PURE # endif -extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap); +extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); # undef PURE diff --git a/xorg-server/glx/indirect_texture_compression.c b/xorg-server/glx/indirect_texture_compression.c index 112811e..a39b158 100644 --- a/xorg-server/glx/indirect_texture_compression.c +++ b/xorg-server/glx/indirect_texture_compression.c @@ -45,6 +45,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc) __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if (cx != NULL) { const GLenum target = *(GLenum *) (pc + 0); @@ -89,6 +91,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc) __glXForceCurrent(cl, bswap_32(req->contextTag), &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if (cx != NULL) { const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); diff --git a/xorg-server/glx/indirect_util.c b/xorg-server/glx/indirect_util.c index e7f11fb..96fa2e0 100644 --- a/xorg-server/glx/indirect_util.c +++ b/xorg-server/glx/indirect_util.c @@ -76,12 +76,17 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size, void *local_buffer, size_t local_size, unsigned alignment) { void *buffer = local_buffer; - const unsigned mask = alignment - 1; + const intptr_t mask = alignment - 1; if (local_size < required_size) { - const size_t worst_case_size = required_size + alignment; + size_t worst_case_size; intptr_t temp_buf; + if (required_size < SIZE_MAX - alignment) + worst_case_size = required_size + alignment; + else + return NULL; + if (cl->returnBufSize < worst_case_size) { void *temp = realloc(cl->returnBuf, worst_case_size); diff --git a/xorg-server/glx/rensize.c b/xorg-server/glx/rensize.c index 5522932..068e1ce 100644 --- a/xorg-server/glx/rensize.c +++ b/xorg-server/glx/rensize.c @@ -47,19 +47,11 @@ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) -static int -Map1Size(GLint k, GLint order) -{ - if (order <= 0 || k < 0) - return -1; - return k * order; -} - int -__glXMap1dReqSize(const GLbyte * pc, Bool swap) +__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum *) (pc + 16); order = *(GLint *) (pc + 20); @@ -67,15 +59,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap) target = SWAPL(target); order = SWAPL(order); } - k = __glMap1d_size(target); - return 8 * Map1Size(k, order); + if (order < 1) + return -1; + return safe_mul(8, safe_mul(__glMap1d_size(target), order)); } int -__glXMap1fReqSize(const GLbyte * pc, Bool swap) +__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum *) (pc + 0); order = *(GLint *) (pc + 12); @@ -83,23 +76,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap) target = SWAPL(target); order = SWAPL(order); } - k = __glMap1f_size(target); - return 4 * Map1Size(k, order); + if (order < 1) + return -1; + return safe_mul(4, safe_mul(__glMap1f_size(target), order)); } static int Map2Size(int k, int majorOrder, int minorOrder) { - if (majorOrder <= 0 || minorOrder <= 0 || k < 0) + if (majorOrder < 1 || minorOrder < 1) return -1; - return k * majorOrder * minorOrder; + return safe_mul(k, safe_mul(majorOrder, minorOrder)); } int -__glXMap2dReqSize(const GLbyte * pc, Bool swap) +__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *) (pc + 32); uorder = *(GLint *) (pc + 36); @@ -109,15 +103,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap) uorder = SWAPL(uorder); vorder = SWAPL(vorder); } - k = __glMap2d_size(target); - return 8 * Map2Size(k, uorder, vorder); + return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); } int -__glXMap2fReqSize(const GLbyte * pc, Bool swap) +__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *) (pc + 0); uorder = *(GLint *) (pc + 12); @@ -127,8 +120,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap) uorder = SWAPL(uorder); vorder = SWAPL(vorder); } - k = __glMap2f_size(target); - return 4 * Map2Size(k, uorder, vorder); + return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); } /** @@ -179,14 +171,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, GLint bytesPerElement, elementsPerGroup, groupsPerRow; GLint groupSize, rowSize, padding, imageSize; + if (w == 0 || h == 0 || d == 0) + return 0; + if (w < 0 || h < 0 || d < 0 || (type == GL_BITMAP && (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { return -1; } - if (w == 0 || h == 0 || d == 0) - return 0; + /* proxy targets have no data */ switch (target) { case GL_PROXY_TEXTURE_1D: case GL_PROXY_TEXTURE_2D: @@ -203,6 +197,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, return 0; } + /* real data has to have real sizes */ + if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) + return -1; + if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) + return -1; + if (type == GL_BITMAP) { if (rowLength > 0) { groupsPerRow = rowLength; @@ -211,11 +211,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, groupsPerRow = w; } rowSize = bits_to_bytes(groupsPerRow); + if (rowSize < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - return ((h + skipRows) * rowSize); + + return safe_mul(safe_add(h, skipRows), rowSize); } else { switch (format) { @@ -228,6 +231,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, case GL_ALPHA: case GL_LUMINANCE: case GL_INTENSITY: + case GL_RED_INTEGER_EXT: + case GL_GREEN_INTEGER_EXT: + case GL_BLUE_INTEGER_EXT: + case GL_ALPHA_INTEGER_EXT: + case GL_LUMINANCE_INTEGER_EXT: elementsPerGroup = 1; break; case GL_422_EXT: @@ -238,14 +246,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, case GL_DEPTH_STENCIL_MESA: case GL_YCBCR_MESA: case GL_LUMINANCE_ALPHA: + case GL_LUMINANCE_ALPHA_INTEGER_EXT: elementsPerGroup = 2; break; case GL_RGB: case GL_BGR: + case GL_RGB_INTEGER_EXT: + case GL_BGR_INTEGER_EXT: elementsPerGroup = 3; break; case GL_RGBA: case GL_BGRA: + case GL_RGBA_INTEGER_EXT: + case GL_BGRA_INTEGER_EXT: case GL_ABGR_EXT: elementsPerGroup = 4; break; @@ -297,6 +310,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, default: return -1; } + /* known safe by the switches above, not checked */ groupSize = bytesPerElement * elementsPerGroup; if (rowLength > 0) { groupsPerRow = rowLength; @@ -304,18 +318,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, else { groupsPerRow = w; } - rowSize = groupsPerRow * groupSize; + + if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - if (imageHeight > 0) { - imageSize = (imageHeight + skipRows) * rowSize; - } - else { - imageSize = (h + skipRows) * rowSize; - } - return ((d + skipImages) * imageSize); + + if (imageHeight > 0) + h = imageHeight; + h = safe_add(h, skipRows); + + imageSize = safe_mul(h, rowSize); + + return safe_mul(safe_add(d, skipImages), imageSize); } } @@ -346,13 +363,14 @@ __glXTypeSize(GLenum enm) } int -__glXDrawArraysReqSize(const GLbyte * pc, Bool swap) +__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { @@ -361,6 +379,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap) } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i = 0; i < numComponents; i++) { @@ -404,17 +429,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap) return -1; } - arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); + x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); + if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) + return -1; pc += sizeof(__GLXdispatchDrawArraysComponentHeader); } - return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + - (numVertexes * arrayElementSize)); + return safe_add(size, safe_mul(numVertexes, arrayElementSize)); } int -__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) +__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) { __GLXdispatchConvolutionFilterHeader *hdr = (__GLXdispatchConvolutionFilterHeader *) pc; @@ -439,9 +465,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) /* XXX Should rowLength be used for either or both image? */ image1size = __glXImageSize(format, type, 0, w, 1, 1, 0, rowLength, 0, 0, alignment); - image1size = __GLX_PAD(image1size); image2size = __glXImageSize(format, type, 0, h, 1, 1, 0, rowLength, 0, 0, alignment); - return image1size + image2size; - + return safe_add(safe_pad(image1size), image2size); } diff --git a/xorg-server/glx/single2.c b/xorg-server/glx/single2.c index 8d4d1d0..cd35932 100644 --- a/xorg-server/glx/single2.c +++ b/xorg-server/glx/single2.c @@ -48,11 +48,14 @@ int __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -79,10 +82,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -107,7 +113,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) { - ClientPtr client; + ClientPtr client = cl->client; xGLXRenderModeReply reply; __GLXcontext *cx; GLint nitems = 0, retBytes = 0, retval, newModeCheck; @@ -115,6 +121,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) GLenum newMode; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -191,7 +199,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply = (xGLXRenderModeReply) { .type = X_Reply, .sequenceNumber = client->sequence, @@ -210,9 +217,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) int __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -226,10 +236,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) int __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -320,7 +332,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string) int DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; GLenum name; const char *string; @@ -330,6 +342,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) char *buf = NULL, *buf1 = NULL; GLint length = 0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + /* If the client has the opposite byte order, swap the contextTag and * the name. */ @@ -346,7 +360,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) pc += __GLX_SINGLE_HDR_SIZE; name = *(GLenum *) (pc + 0); string = (const char *) glGetString(name); - client = cl->client; if (string == NULL) string = ""; diff --git a/xorg-server/glx/single2swap.c b/xorg-server/glx/single2swap.c index 90387a2..a35767f 100644 --- a/xorg-server/glx/single2swap.c +++ b/xorg-server/glx/single2swap.c @@ -44,6 +44,7 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; @@ -51,6 +52,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -80,12 +83,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; __GLX_DECLARE_SWAP_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -112,7 +118,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; xGLXRenderModeReply reply; GLint nitems = 0, retBytes = 0, retval, newModeCheck; @@ -123,6 +129,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_ARRAY_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -203,7 +211,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply = (xGLXRenderModeReply) { .type = X_Reply, .sequenceNumber = client->sequence, @@ -227,11 +234,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -246,12 +256,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -263,7 +275,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) cx->hasUnflushedCommands = GL_FALSE; /* Send empty reply packet to indicate finish is finished */ - client = cl->client; __GLX_BEGIN_REPLY(0); __GLX_PUT_RETVAL(0); __GLX_SWAP_REPLY_HEADER(); diff --git a/xorg-server/glx/singlepix.c b/xorg-server/glx/singlepix.c index 06c0ad6..96c0e9f 100644 --- a/xorg-server/glx/singlepix.c +++ b/xorg-server/glx/singlepix.c @@ -54,6 +54,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc) int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -68,7 +70,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc) lsbFirst = *(GLboolean *) (pc + 25); compsize = __glReadPixels_size(format, type, width, height); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); @@ -103,6 +105,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc) char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -127,7 +131,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc) compsize = __glGetTexImage_size(target, level, format, type, width, height, depth); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -160,6 +164,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc) GLubyte answerBuffer[200]; char *answer; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -220,15 +226,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) - compsize = 0; - if (compsize2 < 0) - compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), *(GLenum *) (pc + 8), answer, answer + compsize, NULL); @@ -252,7 +256,8 @@ int __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -260,7 +265,8 @@ int __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -299,7 +305,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -326,7 +332,8 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -334,7 +341,8 @@ int __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -368,7 +376,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -393,7 +401,8 @@ int __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -401,7 +410,8 @@ int __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -429,7 +439,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -453,7 +463,8 @@ int __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -461,7 +472,8 @@ int __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -494,7 +506,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -520,7 +532,8 @@ int __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -528,6 +541,7 @@ int __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } diff --git a/xorg-server/glx/singlepixswap.c b/xorg-server/glx/singlepixswap.c index b1ed6ce..fa373fa 100644 --- a/xorg-server/glx/singlepixswap.c +++ b/xorg-server/glx/singlepixswap.c @@ -56,6 +56,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc) int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -78,7 +80,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc) lsbFirst = *(GLboolean *) (pc + 25); compsize = __glReadPixels_size(format, type, width, height); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); @@ -117,6 +119,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc) char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -147,7 +151,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc) compsize = __glGetTexImage_size(target, level, format, type, width, height, depth); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -187,6 +191,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -254,15 +260,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) - compsize = 0; - if (compsize2 < 0) - compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), *(GLenum *) (pc + 8), answer, answer + compsize, NULL); @@ -288,7 +292,9 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -296,7 +302,9 @@ int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -341,7 +349,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -370,7 +378,9 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -378,7 +388,9 @@ int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -418,7 +430,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -444,7 +456,9 @@ int __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -452,7 +466,9 @@ int __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -486,7 +502,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -510,7 +526,9 @@ int __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -518,7 +536,9 @@ int __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -557,7 +577,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag) */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -584,7 +604,9 @@ int __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -592,6 +614,8 @@ int __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } diff --git a/xorg-server/glx/swap_interval.c b/xorg-server/glx/swap_interval.c index 80d8b94..d82e63f 100644 --- a/xorg-server/glx/swap_interval.c +++ b/xorg-server/glx/swap_interval.c @@ -47,6 +47,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap) __GLXcontext *cx; GLint interval; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4); + cx = __glXLookupContextByTag(cl, tag); if ((cx == NULL) || (cx->pGlxScreen == NULL)) { diff --git a/xorg-server/glx/unpack.h b/xorg-server/glx/unpack.h index 52fba74..2b1ebcf 100644 --- a/xorg-server/glx/unpack.h +++ b/xorg-server/glx/unpack.h @@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; ** pointer. */ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ - if ((size) > sizeof(answerBuffer)) { \ + if (size < 0) return BadLength; \ + else if ((size) > sizeof(answerBuffer)) { \ int bump; \ if ((cl)->returnBufSize < (size)+(align)) { \ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ diff --git a/xorg-server/hw/xfree86/dri2/dri2ext.c b/xorg-server/hw/xfree86/dri2/dri2ext.c index ffd66fa..221ec53 100644 --- a/xorg-server/hw/xfree86/dri2/dri2ext.c +++ b/xorg-server/hw/xfree86/dri2/dri2ext.c @@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client) unsigned int *attachments; REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); + if (stuff->count > (INT_MAX / 4)) + return BadLength; + if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status)) return status; diff --git a/xorg-server/include/dix.h b/xorg-server/include/dix.h index 82bb58c..821b0ed 100644 --- a/xorg-server/include/dix.h +++ b/xorg-server/include/dix.h @@ -74,9 +74,14 @@ SOFTWARE. if ((sizeof(req) >> 2) > client->req_len )\ return(BadLength) +#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ + if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ + return(BadLength) + #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ - (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ + (((n) >> 2) >= client->req_len) || \ + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ return(BadLength) #define LEGAL_NEW_RESOURCE(id,client)\ diff --git a/xorg-server/include/regionstr.h b/xorg-server/include/regionstr.h index 4a0725d..079375d 100644 --- a/xorg-server/include/regionstr.h +++ b/xorg-server/include/regionstr.h @@ -125,9 +125,12 @@ RegionEnd(RegionPtr reg) } static inline size_t -RegionSizeof(int n) +RegionSizeof(size_t n) { - return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); + if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) + return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); + else + return 0; } static inline void @@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size) (_pReg)->data = (RegDataPtr) NULL; } else { + size_t rgnSize; (_pReg)->extents = RegionEmptyBox; - if (((_size) > 1) && ((_pReg)->data = - (RegDataPtr) malloc(RegionSizeof(_size)))) { + if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && + (((_pReg)->data = malloc(rgnSize)) != NULL)) { (_pReg)->data->size = (_size); (_pReg)->data->numRects = 0; } diff --git a/xorg-server/os/access.c b/xorg-server/os/access.c index 62c3d99..1caedf6 100644 --- a/xorg-server/os/access.c +++ b/xorg-server/os/access.c @@ -1500,6 +1500,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) for (host = validhosts; host; host = host->next) { nHosts++; n += pad_to_int32(host->len) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1048576) + break; } if (n) { *data = ptr = malloc(n); @@ -1508,6 +1512,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) } for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; ((xHostEntry *) ptr)->family = host->family; ((xHostEntry *) ptr)->length = len; ptr += sizeof(xHostEntry); diff --git a/xorg-server/os/rpcauth.c b/xorg-server/os/rpcauth.c index d60ea35..413cc61 100644 --- a/xorg-server/os/rpcauth.c +++ b/xorg-server/os/rpcauth.c @@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len) SVCXPRT xprt; temp_inmsg = malloc(len); + if (temp_inmsg == NULL) { + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ + return NULL; + } memmove(temp_inmsg, inmsg, len); memset((char *) &msg, 0, sizeof(msg)); diff --git a/xorg-server/present/present_request.c b/xorg-server/present/present_request.c index c69e683..68076ed 100644 --- a/xorg-server/present/present_request.c +++ b/xorg-server/present/present_request.c @@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client) rep.sequenceNumber = client->sequence; rep.length = 0; + REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq); r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess); switch (r) { case Success: @@ -254,6 +255,7 @@ static int sproc_present_query_version(ClientPtr client) { REQUEST(xPresentQueryVersionReq); + REQUEST_SIZE_MATCH(xPresentQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); @@ -265,6 +267,7 @@ static int sproc_present_pixmap(ClientPtr client) { REQUEST(xPresentPixmapReq); + REQUEST_AT_LEAST_SIZE(xPresentPixmapReq); swaps(&stuff->length); swapl(&stuff->window); @@ -284,6 +287,7 @@ static int sproc_present_notify_msc(ClientPtr client) { REQUEST(xPresentNotifyMSCReq); + REQUEST_SIZE_MATCH(xPresentNotifyMSCReq); swaps(&stuff->length); swapl(&stuff->window); @@ -297,6 +301,7 @@ static int sproc_present_select_input (ClientPtr client) { REQUEST(xPresentSelectInputReq); + REQUEST_SIZE_MATCH(xPresentSelectInputReq); swaps(&stuff->length); swapl(&stuff->window); @@ -308,6 +313,7 @@ static int sproc_present_query_capabilities (ClientPtr client) { REQUEST(xPresentQueryCapabilitiesReq); + REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq); swaps(&stuff->length); swapl(&stuff->target); return (*proc_present_vector[stuff->presentReqType]) (client); diff --git a/xorg-server/randr/rrsdispatch.c b/xorg-server/randr/rrsdispatch.c index 08c3b6a..47558cf 100644 --- a/xorg-server/randr/rrsdispatch.c +++ b/xorg-server/randr/rrsdispatch.c @@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) { REQUEST(xRRQueryVersionReq); + REQUEST_SIZE_MATCH(xRRQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); swapl(&stuff->minorVersion); @@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) { REQUEST(xRRGetScreenInfoReq); + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); swaps(&stuff->length); swapl(&stuff->window); return (*ProcRandrVector[stuff->randrReqType]) (client); @@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) { REQUEST(xRRSelectInputReq); + REQUEST_SIZE_MATCH(xRRSelectInputReq); swaps(&stuff->length); swapl(&stuff->window); swaps(&stuff->enable); @@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client) { REQUEST(xRRConfigureOutputPropertyReq); + REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); swaps(&stuff->length); swapl(&stuff->output); swapl(&stuff->property); diff --git a/xorg-server/render/render.c b/xorg-server/render/render.c index db34fdc..93f1145 100644 --- a/xorg-server/render/render.c +++ b/xorg-server/render/render.c @@ -272,10 +272,11 @@ ProcRenderQueryVersion(ClientPtr client) REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); memset(&rep, 0, sizeof(xRenderQueryVersionReply)); rep.type = X_Reply; rep.sequenceNumber = client->sequence; @@ -1995,7 +1996,7 @@ static int SProcRenderQueryVersion(ClientPtr client) { REQUEST(xRenderQueryVersionReq); - + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); swapl(&stuff->minorVersion); @@ -2006,6 +2007,7 @@ static int SProcRenderQueryPictFormats(ClientPtr client) { REQUEST(xRenderQueryPictFormatsReq); + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); swaps(&stuff->length); return (*ProcRenderVector[stuff->renderReqType]) (client); } @@ -2014,6 +2016,7 @@ static int SProcRenderQueryPictIndexValues(ClientPtr client) { REQUEST(xRenderQueryPictIndexValuesReq); + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); swaps(&stuff->length); swapl(&stuff->format); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2029,6 +2032,7 @@ static int SProcRenderCreatePicture(ClientPtr client) { REQUEST(xRenderCreatePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); swaps(&stuff->length); swapl(&stuff->pid); swapl(&stuff->drawable); @@ -2042,6 +2046,7 @@ static int SProcRenderChangePicture(ClientPtr client) { REQUEST(xRenderChangePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); swaps(&stuff->length); swapl(&stuff->picture); swapl(&stuff->mask); @@ -2053,6 +2058,7 @@ static int SProcRenderSetPictureClipRectangles(ClientPtr client) { REQUEST(xRenderSetPictureClipRectanglesReq); + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); swaps(&stuff->length); swapl(&stuff->picture); swaps(&stuff->xOrigin); @@ -2065,6 +2071,7 @@ static int SProcRenderFreePicture(ClientPtr client) { REQUEST(xRenderFreePictureReq); + REQUEST_SIZE_MATCH(xRenderFreePictureReq); swaps(&stuff->length); swapl(&stuff->picture); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2074,6 +2081,7 @@ static int SProcRenderComposite(ClientPtr client) { REQUEST(xRenderCompositeReq); + REQUEST_SIZE_MATCH(xRenderCompositeReq); swaps(&stuff->length); swapl(&stuff->src); swapl(&stuff->mask); @@ -2093,6 +2101,7 @@ static int SProcRenderScale(ClientPtr client) { REQUEST(xRenderScaleReq); + REQUEST_SIZE_MATCH(xRenderScaleReq); swaps(&stuff->length); swapl(&stuff->src); swapl(&stuff->dst); @@ -2193,6 +2202,7 @@ static int SProcRenderCreateGlyphSet(ClientPtr client) { REQUEST(xRenderCreateGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); swaps(&stuff->length); swapl(&stuff->gsid); swapl(&stuff->format); @@ -2203,6 +2213,7 @@ static int SProcRenderReferenceGlyphSet(ClientPtr client) { REQUEST(xRenderReferenceGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); swaps(&stuff->length); swapl(&stuff->gsid); swapl(&stuff->existing); @@ -2213,6 +2224,7 @@ static int SProcRenderFreeGlyphSet(ClientPtr client) { REQUEST(xRenderFreeGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); swaps(&stuff->length); swapl(&stuff->glyphset); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2227,6 +2239,7 @@ SProcRenderAddGlyphs(ClientPtr client) xGlyphInfo *gi; REQUEST(xRenderAddGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); swaps(&stuff->length); swapl(&stuff->glyphset); swapl(&stuff->nglyphs); @@ -2261,6 +2274,7 @@ static int SProcRenderFreeGlyphs(ClientPtr client) { REQUEST(xRenderFreeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); swaps(&stuff->length); swapl(&stuff->glyphset); SwapRestL(stuff); @@ -2278,6 +2292,7 @@ SProcRenderCompositeGlyphs(ClientPtr client) int size; REQUEST(xRenderCompositeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); switch (stuff->renderReqType) { default: diff --git a/xorg-server/test/misc.c b/xorg-server/test/misc.c index dd792e6..66330a1 100644 --- a/xorg-server/test/misc.c +++ b/xorg-server/test/misc.c @@ -28,6 +28,8 @@ #include <stdint.h> #include "misc.h" #include "scrnintstr.h" +#include "dix.h" +#include "dixstruct.h" ScreenInfo screenInfo; @@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void) assert_dimensions(-w2, -h2, w2, h2); } +static int +dix_request_fixed_size_overflow(ClientRec *client) +{ + xReq req = { 0 }; + + client->req_len = req.length = 1; + REQUEST_FIXED_SIZE(req, SIZE_MAX); + return Success; +} + +static int +dix_request_fixed_size_match(ClientRec *client) +{ + xReq req = { 0 }; + + client->req_len = req.length = 9; + REQUEST_FIXED_SIZE(req, 30); + return Success; +} + +static void +dix_request_size_checks(void) +{ + ClientRec client = { 0 }; + int rc; + + rc = dix_request_fixed_size_overflow(&client); + assert(rc == BadLength); + + rc = dix_request_fixed_size_match(&client); + assert(rc == Success); +} + + int main(int argc, char **argv) { dix_version_compare(); dix_update_desktop_dimensions(); + dix_request_size_checks(); return 0; } diff --git a/xorg-server/test/xi1/Makefile.am b/xorg-server/test/xi1/Makefile.am new file mode 100644 index 0000000..907fa7a --- /dev/null +++ b/xorg-server/test/xi1/Makefile.am @@ -0,0 +1,34 @@ +if ENABLE_UNIT_TESTS +if HAVE_LD_WRAP +noinst_PROGRAMS = \ + protocol-xchangedevicecontrol + +TESTS=$(noinst_PROGRAMS) +TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV) + +AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@ +AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2 +TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS) +COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c + +if SPECIAL_DTRACE_OBJECTS +TEST_LDADD += $(OS_LIB) $(DIX_LIB) +endif + +protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD) + +protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient + +protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c + +else +# Print that xi1-tests were skipped (exit code 77 for automake test harness) +TESTS = xi1-tests +CLEANFILES = $(TESTS) + +xi1-tests: + @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@ + @echo 'exit 77' >> $@ + $(AM_V_GEN)chmod +x $@ +endif +endif diff --git a/xorg-server/test/xi1/protocol-xchangedevicecontrol.c b/xorg-server/test/xi1/protocol-xchangedevicecontrol.c new file mode 100644 index 0000000..8e638b2 --- /dev/null +++ b/xorg-server/test/xi1/protocol-xchangedevicecontrol.c @@ -0,0 +1,122 @@ +/** + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_DIX_CONFIG_H +#include <dix-config.h> +#endif + +/* + * Protocol testing for ChangeDeviceControl request. + */ +#include <stdint.h> +#include <X11/X.h> +#include <X11/Xproto.h> +#include <X11/extensions/XIproto.h> +#include "inputstr.h" +#include "chgdctl.h" + +#include "protocol-common.h" + +static ClientRec client_request; + +static void +reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata) +{ + xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data; + + if (client->swapped) { + swapl(&rep->length); + swaps(&rep->sequenceNumber); + } + + reply_check_defaults(rep, len, ChangeDeviceControl); + + /* XXX: check status code in reply */ +} + +static void +request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req, + xDeviceCtl *ctl, int error) +{ + int rc; + + client_request.req_len = req->length; + rc = ProcXChangeDeviceControl(&client_request); + assert(rc == error); + + /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */ + + client_request.swapped = TRUE; + swaps(&req->length); + swaps(&req->control); + swaps(&ctl->length); + swaps(&ctl->control); + /* XXX: swap other contents of ctl, depending on type */ + rc = SProcXChangeDeviceControl(&client_request); + assert(rc == error); +} + +static unsigned char *data[4096]; /* the request buffer */ + +static void +test_ChangeDeviceControl(void) +{ + xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data; + xDeviceCtl *control = (xDeviceCtl *) (&request[1]); + + request_init(request, ChangeDeviceControl); + + reply_handler = reply_ChangeDeviceControl; + + client_request = init_client(request->length, request); + + printf("Testing invalid lengths:\n"); + printf(" -- no control struct\n"); + request_ChangeDeviceControl(&client_request, request, control, BadLength); + + printf(" -- xDeviceResolutionCtl\n"); + request_init(request, ChangeDeviceControl); + request->control = DEVICE_RESOLUTION; + control->length = (sizeof(xDeviceResolutionCtl) >> 2); + request->length += control->length - 2; + request_ChangeDeviceControl(&client_request, request, control, BadLength); + + printf(" -- xDeviceEnableCtl\n"); + request_init(request, ChangeDeviceControl); + request->control = DEVICE_ENABLE; + control->length = (sizeof(xDeviceEnableCtl) >> 2); + request->length += control->length - 2; + request_ChangeDeviceControl(&client_request, request, control, BadLength); + + /* XXX: Test functionality! */ +} + +int +main(int argc, char **argv) +{ + init_simple(); + + test_ChangeDeviceControl(); + + return 0; +} diff --git a/xorg-server/test/xi2/protocol-xigetclientpointer.c b/xorg-server/test/xi2/protocol-xigetclientpointer.c index 28eb8d3..570c53e 100644 --- a/xorg-server/test/xi2/protocol-xigetclientpointer.c +++ b/xorg-server/test/xi2/protocol-xigetclientpointer.c @@ -124,6 +124,11 @@ test_XIGetClientPointer(void) request.win = INVALID_WINDOW_ID; request_XIGetClientPointer(&client_request, &request, BadWindow); + printf("Testing invalid length\n"); + client_request.req_len -= 4; + request_XIGetClientPointer(&client_request, &request, BadLength); + client_request.req_len += 4; + test_data.cp_is_set = FALSE; printf("Testing window None, unset ClientPointer.\n"); diff --git a/xorg-server/test/xi2/protocol-xipassivegrabdevice.c b/xorg-server/test/xi2/protocol-xipassivegrabdevice.c index c747ddf..95d8ebf 100644 --- a/xorg-server/test/xi2/protocol-xipassivegrabdevice.c +++ b/xorg-server/test/xi2/protocol-xipassivegrabdevice.c @@ -139,6 +139,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req, int local_modifiers; int mask_len; + client_request.req_len = req->length; rc = ProcXIPassiveGrabDevice(&client_request); assert(rc == error); @@ -190,6 +191,13 @@ test_XIPassiveGrabDevice(void) request_XIPassiveGrabDevice(&client_request, request, BadDevice, request->deviceid); + printf("Testing invalid length\n"); + request->length -= 2; + request_XIPassiveGrabDevice(&client_request, request, BadLength, + client_request.errorValue); + /* re-init request since swapped length test leaves some values swapped */ + request_init(request, XIPassiveGrabDevice); + request->grab_window = CLIENT_WINDOW_ID; request->deviceid = XIAllMasterDevices; printf("Testing invalid grab types\n"); diff --git a/xorg-server/test/xi2/protocol-xiquerypointer.c b/xorg-server/test/xi2/protocol-xiquerypointer.c index fc66b64..c0421f6 100644 --- a/xorg-server/test/xi2/protocol-xiquerypointer.c +++ b/xorg-server/test/xi2/protocol-xiquerypointer.c @@ -201,6 +201,10 @@ test_XIQueryPointer(void) test_data.dev = devices.mouse; request.deviceid = devices.mouse->id; request_XIQueryPointer(&client_request, &request, Success); + + /* test REQUEST_SIZE_MATCH */ + client_request.req_len -= 4; + request_XIQueryPointer(&client_request, &request, BadLength); } int diff --git a/xorg-server/test/xi2/protocol-xiwarppointer.c b/xorg-server/test/xi2/protocol-xiwarppointer.c index f7986c1..3aaaae6 100644 --- a/xorg-server/test/xi2/protocol-xiwarppointer.c +++ b/xorg-server/test/xi2/protocol-xiwarppointer.c @@ -198,6 +198,9 @@ test_XIWarpPointer(void) request_XIWarpPointer(&client_request, &request, Success); /* FIXME: src_x/y checks */ + + client_request.req_len -= 2; /* invalid length */ + request_XIWarpPointer(&client_request, &request, BadLength); } int diff --git a/xorg-server/xfixes/select.c b/xorg-server/xfixes/select.c index 5a6be7d..8772b2c 100644 --- a/xorg-server/xfixes/select.c +++ b/xorg-server/xfixes/select.c @@ -200,6 +200,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client) { REQUEST(xXFixesSelectSelectionInputReq); + REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); swaps(&stuff->length); swapl(&stuff->window); swapl(&stuff->selection); -- Alioth's /srv/git/code.x2go.org/vcxsrv.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/vcxsrv.git