[X2Go-Commits] [vcxsrv] 20/24: Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)

git-admin at x2go.org git-admin at x2go.org
Mon Mar 9 05:11:32 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to annotated tag 1.15.2.2-xp+vc2013+x2go1
in repository vcxsrv.

commit 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3
Author: Mike DePaulo <mikedep333 at gmail.com>
Date:   Sat Jan 10 12:03:47 2015 -0500

    Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
---
 xorg-server/Xext/xcmisc.c                          |    1 +
 xorg-server/Xext/xvdisp.c                          |   20 +++
 xorg-server/Xi/chgdctl.c                           |    8 +-
 xorg-server/Xi/chgfctl.c                           |    2 +
 xorg-server/Xi/sendexev.c                          |    3 +
 xorg-server/Xi/xiallowev.c                         |    2 +
 xorg-server/Xi/xichangecursor.c                    |    2 +-
 xorg-server/Xi/xichangehierarchy.c                 |   35 ++++-
 xorg-server/Xi/xigetclientpointer.c                |    1 +
 xorg-server/Xi/xigrabdev.c                         |    9 +-
 xorg-server/Xi/xipassivegrab.c                     |   12 +-
 xorg-server/Xi/xiproperty.c                        |   14 +-
 xorg-server/Xi/xiquerydevice.c                     |    1 +
 xorg-server/Xi/xiquerypointer.c                    |    2 +
 xorg-server/Xi/xiselectev.c                        |    8 ++
 xorg-server/Xi/xisetclientpointer.c                |    3 +-
 xorg-server/Xi/xisetdevfocus.c                     |    4 +
 xorg-server/Xi/xiwarppointer.c                     |    2 +
 xorg-server/configure.ac                           |    1 +
 xorg-server/dbe/dbe.c                              |   17 ++-
 xorg-server/dix/dispatch.c                         |    3 +
 xorg-server/dix/region.c                           |   20 ++-
 xorg-server/dri3/dri3_request.c                    |    6 +
 xorg-server/glx/clientinfo.c                       |   20 ++-
 xorg-server/glx/glxcmds.c                          |   85 ++++++-----
 xorg-server/glx/glxcmdsswap.c                      |    4 +
 xorg-server/glx/glxserver.h                        |   43 +++++-
 xorg-server/glx/indirect_dispatch.c                |   25 ++++
 xorg-server/glx/indirect_dispatch_swap.c           |   26 ++++
 xorg-server/glx/indirect_program.c                 |    2 +
 xorg-server/glx/indirect_reqsize.c                 |  152 ++++++++++----------
 xorg-server/glx/indirect_reqsize.h                 |  148 +++++++++----------
 xorg-server/glx/indirect_texture_compression.c     |    4 +
 xorg-server/glx/indirect_util.c                    |    9 +-
 xorg-server/glx/rensize.c                          |  114 +++++++++------
 xorg-server/glx/single2.c                          |   23 ++-
 xorg-server/glx/single2swap.c                      |   19 ++-
 xorg-server/glx/singlepix.c                        |   60 +++++---
 xorg-server/glx/singlepixswap.c                    |   50 +++++--
 xorg-server/glx/swap_interval.c                    |    2 +
 xorg-server/glx/unpack.h                           |    3 +-
 xorg-server/hw/xfree86/dri2/dri2ext.c              |    3 +
 xorg-server/include/dix.h                          |    7 +-
 xorg-server/include/regionstr.h                    |   12 +-
 xorg-server/os/access.c                            |    6 +
 xorg-server/os/rpcauth.c                           |    4 +
 xorg-server/present/present_request.c              |    6 +
 xorg-server/randr/rrsdispatch.c                    |    4 +
 xorg-server/render/render.c                        |   19 ++-
 xorg-server/test/misc.c                            |   37 +++++
 xorg-server/test/xi1/Makefile.am                   |   34 +++++
 .../test/xi1/protocol-xchangedevicecontrol.c       |  122 ++++++++++++++++
 xorg-server/test/xi2/protocol-xigetclientpointer.c |    5 +
 .../test/xi2/protocol-xipassivegrabdevice.c        |    8 ++
 xorg-server/test/xi2/protocol-xiquerypointer.c     |    4 +
 xorg-server/test/xi2/protocol-xiwarppointer.c      |    3 +
 xorg-server/xfixes/select.c                        |    1 +
 57 files changed, 917 insertions(+), 323 deletions(-)

diff --git a/xorg-server/Xext/xcmisc.c b/xorg-server/Xext/xcmisc.c
index a48f612..ddbae0d 100644
--- a/xorg-server/Xext/xcmisc.c
+++ b/xorg-server/Xext/xcmisc.c
@@ -163,6 +163,7 @@ static int
 SProcXCMiscGetXIDList(ClientPtr client)
 {
     REQUEST(xXCMiscGetXIDListReq);
+    REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
 
     swaps(&stuff->length);
     swapl(&stuff->count);
diff --git a/xorg-server/Xext/xvdisp.c b/xorg-server/Xext/xvdisp.c
index f2d49a2..c466af5 100644
--- a/xorg-server/Xext/xvdisp.c
+++ b/xorg-server/Xext/xvdisp.c
@@ -1207,6 +1207,7 @@ static int
 SProcXvQueryExtension(ClientPtr client)
 {
     REQUEST(xvQueryExtensionReq);
+    REQUEST_SIZE_MATCH(xvQueryExtensionReq);
     swaps(&stuff->length);
     return XvProcVector[xv_QueryExtension] (client);
 }
@@ -1215,6 +1216,7 @@ static int
 SProcXvQueryAdaptors(ClientPtr client)
 {
     REQUEST(xvQueryAdaptorsReq);
+    REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     return XvProcVector[xv_QueryAdaptors] (client);
@@ -1224,6 +1226,7 @@ static int
 SProcXvQueryEncodings(ClientPtr client)
 {
     REQUEST(xvQueryEncodingsReq);
+    REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     return XvProcVector[xv_QueryEncodings] (client);
@@ -1233,6 +1236,7 @@ static int
 SProcXvGrabPort(ClientPtr client)
 {
     REQUEST(xvGrabPortReq);
+    REQUEST_SIZE_MATCH(xvGrabPortReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->time);
@@ -1243,6 +1247,7 @@ static int
 SProcXvUngrabPort(ClientPtr client)
 {
     REQUEST(xvUngrabPortReq);
+    REQUEST_SIZE_MATCH(xvUngrabPortReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->time);
@@ -1253,6 +1258,7 @@ static int
 SProcXvPutVideo(ClientPtr client)
 {
     REQUEST(xvPutVideoReq);
+    REQUEST_SIZE_MATCH(xvPutVideoReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1272,6 +1278,7 @@ static int
 SProcXvPutStill(ClientPtr client)
 {
     REQUEST(xvPutStillReq);
+    REQUEST_SIZE_MATCH(xvPutStillReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1291,6 +1298,7 @@ static int
 SProcXvGetVideo(ClientPtr client)
 {
     REQUEST(xvGetVideoReq);
+    REQUEST_SIZE_MATCH(xvGetVideoReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1310,6 +1318,7 @@ static int
 SProcXvGetStill(ClientPtr client)
 {
     REQUEST(xvGetStillReq);
+    REQUEST_SIZE_MATCH(xvGetStillReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1329,6 +1338,7 @@ static int
 SProcXvPutImage(ClientPtr client)
 {
     REQUEST(xvPutImageReq);
+    REQUEST_AT_LEAST_SIZE(xvPutImageReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1352,6 +1362,7 @@ static int
 SProcXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
+    REQUEST_SIZE_MATCH(xvShmPutImageReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1379,6 +1390,7 @@ static int
 SProcXvSelectVideoNotify(ClientPtr client)
 {
     REQUEST(xvSelectVideoNotifyReq);
+    REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
     swaps(&stuff->length);
     swapl(&stuff->drawable);
     return XvProcVector[xv_SelectVideoNotify] (client);
@@ -1388,6 +1400,7 @@ static int
 SProcXvSelectPortNotify(ClientPtr client)
 {
     REQUEST(xvSelectPortNotifyReq);
+    REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     return XvProcVector[xv_SelectPortNotify] (client);
@@ -1397,6 +1410,7 @@ static int
 SProcXvStopVideo(ClientPtr client)
 {
     REQUEST(xvStopVideoReq);
+    REQUEST_SIZE_MATCH(xvStopVideoReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->drawable);
@@ -1407,6 +1421,7 @@ static int
 SProcXvSetPortAttribute(ClientPtr client)
 {
     REQUEST(xvSetPortAttributeReq);
+    REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->attribute);
@@ -1418,6 +1433,7 @@ static int
 SProcXvGetPortAttribute(ClientPtr client)
 {
     REQUEST(xvGetPortAttributeReq);
+    REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->attribute);
@@ -1428,6 +1444,7 @@ static int
 SProcXvQueryBestSize(ClientPtr client)
 {
     REQUEST(xvQueryBestSizeReq);
+    REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swaps(&stuff->vid_w);
@@ -1441,6 +1458,7 @@ static int
 SProcXvQueryPortAttributes(ClientPtr client)
 {
     REQUEST(xvQueryPortAttributesReq);
+    REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     return XvProcVector[xv_QueryPortAttributes] (client);
@@ -1450,6 +1468,7 @@ static int
 SProcXvQueryImageAttributes(ClientPtr client)
 {
     REQUEST(xvQueryImageAttributesReq);
+    REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     swapl(&stuff->id);
@@ -1462,6 +1481,7 @@ static int
 SProcXvListImageFormats(ClientPtr client)
 {
     REQUEST(xvListImageFormatsReq);
+    REQUEST_SIZE_MATCH(xvListImageFormatsReq);
     swaps(&stuff->length);
     swapl(&stuff->port);
     return XvProcVector[xv_ListImageFormats] (client);
diff --git a/xorg-server/Xi/chgdctl.c b/xorg-server/Xi/chgdctl.c
index 106b9aa..cb7ad1e 100644
--- a/xorg-server/Xi/chgdctl.c
+++ b/xorg-server/Xi/chgdctl.c
@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
 
     REQUEST(xChangeDeviceControlReq);
     swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
     swaps(&stuff->control);
     ctl = (xDeviceCtl *) &stuff[1];
     swaps(&ctl->control);
@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
     xDeviceEnableCtl *e;
 
     REQUEST(xChangeDeviceControlReq);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
 
     len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@@ -191,6 +191,10 @@ ProcXChangeDeviceControl(ClientPtr client)
         break;
     case DEVICE_ENABLE:
         e = (xDeviceEnableCtl *) &stuff[1];
+        if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
+            ret = BadLength;
+            goto out;
+        }
 
         if (IsXTestDevice(dev, NULL))
             status = !Success;
diff --git a/xorg-server/Xi/chgfctl.c b/xorg-server/Xi/chgfctl.c
index 6dcf60c..224c2ba 100644
--- a/xorg-server/Xi/chgfctl.c
+++ b/xorg-server/Xi/chgfctl.c
@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
         xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
 
         if (client->swapped) {
+            if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+                return BadLength;
             swaps(&f->num_keysyms);
         }
         if (len !=
diff --git a/xorg-server/Xi/sendexev.c b/xorg-server/Xi/sendexev.c
index 3c21386..183f88d 100644
--- a/xorg-server/Xi/sendexev.c
+++ b/xorg-server/Xi/sendexev.c
@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
     if (ret != Success)
         return ret;
 
+    if (stuff->num_events == 0)
+        return ret;
+
     /* The client's event type must be one defined by an extension. */
 
     first = ((xEvent *) &stuff[1]);
diff --git a/xorg-server/Xi/xiallowev.c b/xorg-server/Xi/xiallowev.c
index ebef233..ca263ef 100644
--- a/xorg-server/Xi/xiallowev.c
+++ b/xorg-server/Xi/xiallowev.c
@@ -48,6 +48,7 @@ int
 SProcXIAllowEvents(ClientPtr client)
 {
     REQUEST(xXIAllowEventsReq);
+    REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
     if (stuff->length > 3) {
         xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
 
+        REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
         swapl(&req_xi22->touchid);
         swapl(&req_xi22->grab_window);
     }
diff --git a/xorg-server/Xi/xichangecursor.c b/xorg-server/Xi/xichangecursor.c
index 7a1bb7a..8e6255b 100644
--- a/xorg-server/Xi/xichangecursor.c
+++ b/xorg-server/Xi/xichangecursor.c
@@ -57,11 +57,11 @@ int
 SProcXIChangeCursor(ClientPtr client)
 {
     REQUEST(xXIChangeCursorReq);
+    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
     swaps(&stuff->length);
     swapl(&stuff->win);
     swapl(&stuff->cursor);
     swaps(&stuff->deviceid);
-    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
     return (ProcXIChangeCursor(client));
 }
 
diff --git a/xorg-server/Xi/xichangehierarchy.c b/xorg-server/Xi/xichangehierarchy.c
index 9e36354..2732445 100644
--- a/xorg-server/Xi/xichangehierarchy.c
+++ b/xorg-server/Xi/xichangehierarchy.c
@@ -411,7 +411,7 @@ int
 ProcXIChangeHierarchy(ClientPtr client)
 {
     xXIAnyHierarchyChangeInfo *any;
-    int required_len = sizeof(xXIChangeHierarchyReq);
+    size_t len;			/* length of data remaining in request */
     int rc = Success;
     int flags[MAXDEVICES] = { 0 };
 
@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
     if (!stuff->num_changes)
         return rc;
 
+    if (stuff->length > (INT_MAX >> 2))
+        return BadAlloc;
+    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+
     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
     while (stuff->num_changes--) {
+        if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
+            rc = BadLength;
+            goto unwind;
+        }
+
         SWAPIF(swaps(&any->type));
         SWAPIF(swaps(&any->length));
 
-        required_len += any->length;
-        if ((stuff->length * 4) < required_len)
+        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
             return BadLength;
 
+#define CHANGE_SIZE_MATCH(type) \
+    do { \
+        if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
+            rc = BadLength; \
+            goto unwind; \
+        } \
+    } while(0)
+
         switch (any->type) {
         case XIAddMaster:
         {
             xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
 
+            /* Variable length, due to appended name string */
+            if (len < sizeof(xXIAddMasterInfo)) {
+                rc = BadLength;
+                goto unwind;
+            }
             SWAPIF(swaps(&c->name_len));
+            if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
+                rc = BadLength;
+                goto unwind;
+            }
 
             rc = add_master(client, c, flags);
             if (rc != Success)
@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
         {
             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
 
+            CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
             rc = remove_master(client, r, flags);
             if (rc != Success)
                 goto unwind;
@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
         {
             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
 
+            CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
             rc = detach_slave(client, c, flags);
             if (rc != Success)
                 goto unwind;
@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
         {
             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
 
+            CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
             rc = attach_slave(client, c, flags);
             if (rc != Success)
                 goto unwind;
@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
             break;
         }
 
+        len -= any->length * 4;
         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
     }
 
diff --git a/xorg-server/Xi/xigetclientpointer.c b/xorg-server/Xi/xigetclientpointer.c
index 6ab2867..9d7feca 100644
--- a/xorg-server/Xi/xigetclientpointer.c
+++ b/xorg-server/Xi/xigetclientpointer.c
@@ -50,6 +50,7 @@ int
 SProcXIGetClientPointer(ClientPtr client)
 {
     REQUEST(xXIGetClientPointerReq);
+    REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
 
     swaps(&stuff->length);
     swapl(&stuff->win);
diff --git a/xorg-server/Xi/xigrabdev.c b/xorg-server/Xi/xigrabdev.c
index 086e275..6be9971 100644
--- a/xorg-server/Xi/xigrabdev.c
+++ b/xorg-server/Xi/xigrabdev.c
@@ -47,6 +47,11 @@ int
 SProcXIGrabDevice(ClientPtr client)
 {
     REQUEST(xXIGrabDeviceReq);
+    /*
+     * Check here for at least the length of the struct we swap, then
+     * let ProcXIGrabDevice check the full size after we swap mask_len.
+     */
+    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
     unsigned int pointer_mode;
 
     REQUEST(xXIGrabDeviceReq);
-    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+    REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
 
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
     if (ret != Success)
@@ -130,6 +135,7 @@ int
 SProcXIUngrabDevice(ClientPtr client)
 {
     REQUEST(xXIUngrabDeviceReq);
+    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
@@ -147,6 +153,7 @@ ProcXIUngrabDevice(ClientPtr client)
     TimeStamp time;
 
     REQUEST(xXIUngrabDeviceReq);
+    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
 
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
     if (ret != Success)
diff --git a/xorg-server/Xi/xipassivegrab.c b/xorg-server/Xi/xipassivegrab.c
index ca69050..3f6268f 100644
--- a/xorg-server/Xi/xipassivegrab.c
+++ b/xorg-server/Xi/xipassivegrab.c
@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
     uint32_t *mods;
 
     REQUEST(xXIPassiveGrabDeviceReq);
+    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
     swaps(&stuff->mask_len);
     swaps(&stuff->num_modifiers);
 
+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+        ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
     mods = (uint32_t *) &stuff[1] + stuff->mask_len;
 
     for (i = 0; i < stuff->num_modifiers; i++, mods++) {
@@ -86,7 +89,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     int mask_len;
 
     REQUEST(xXIPassiveGrabDeviceReq);
-    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+        ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
 
     rep.repType = X_Reply;
     rep.RepType = X_XIPassiveGrabDevice;
@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
     uint32_t *modifiers;
 
     REQUEST(xXIPassiveUngrabDeviceReq);
+    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
 
     swaps(&stuff->length);
     swapl(&stuff->grab_window);
@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
     swapl(&stuff->detail);
     swaps(&stuff->num_modifiers);
 
+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+                       ((uint32_t) stuff->num_modifiers) << 2);
     modifiers = (uint32_t *) &stuff[1];
 
     for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
     int i, rc;
 
     REQUEST(xXIPassiveUngrabDeviceReq);
-    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+                       ((uint32_t) stuff->num_modifiers) << 2);
 
     if (stuff->deviceid == XIAllDevices)
         dev = inputInfo.all_devices;
diff --git a/xorg-server/Xi/xiproperty.c b/xorg-server/Xi/xiproperty.c
index 18936c5..13c478e 100644
--- a/xorg-server/Xi/xiproperty.c
+++ b/xorg-server/Xi/xiproperty.c
@@ -1011,10 +1011,9 @@ int
 SProcXListDeviceProperties(ClientPtr client)
 {
     REQUEST(xListDevicePropertiesReq);
+    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
 
     swaps(&stuff->length);
-
-    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
     return (ProcXListDeviceProperties(client));
 }
 
@@ -1035,10 +1034,10 @@ int
 SProcXDeleteDeviceProperty(ClientPtr client)
 {
     REQUEST(xDeleteDevicePropertyReq);
+    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
 
     swaps(&stuff->length);
     swapl(&stuff->property);
-    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
     return (ProcXDeleteDeviceProperty(client));
 }
 
@@ -1046,13 +1045,13 @@ int
 SProcXGetDeviceProperty(ClientPtr client)
 {
     REQUEST(xGetDevicePropertyReq);
+    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
 
     swaps(&stuff->length);
     swapl(&stuff->property);
     swapl(&stuff->type);
     swapl(&stuff->longOffset);
     swapl(&stuff->longLength);
-    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
     return (ProcXGetDeviceProperty(client));
 }
 
@@ -1249,11 +1248,10 @@ int
 SProcXIListProperties(ClientPtr client)
 {
     REQUEST(xXIListPropertiesReq);
+    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
-
-    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
     return (ProcXIListProperties(client));
 }
 
@@ -1275,11 +1273,11 @@ int
 SProcXIDeleteProperty(ClientPtr client)
 {
     REQUEST(xXIDeletePropertyReq);
+    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
     swapl(&stuff->property);
-    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
     return (ProcXIDeleteProperty(client));
 }
 
@@ -1287,6 +1285,7 @@ int
 SProcXIGetProperty(ClientPtr client)
 {
     REQUEST(xXIGetPropertyReq);
+    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
@@ -1294,7 +1293,6 @@ SProcXIGetProperty(ClientPtr client)
     swapl(&stuff->type);
     swapl(&stuff->offset);
     swapl(&stuff->len);
-    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
     return (ProcXIGetProperty(client));
 }
 
diff --git a/xorg-server/Xi/xiquerydevice.c b/xorg-server/Xi/xiquerydevice.c
index 1d10900..186e21b 100644
--- a/xorg-server/Xi/xiquerydevice.c
+++ b/xorg-server/Xi/xiquerydevice.c
@@ -54,6 +54,7 @@ int
 SProcXIQueryDevice(ClientPtr client)
 {
     REQUEST(xXIQueryDeviceReq);
+    REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
 
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
diff --git a/xorg-server/Xi/xiquerypointer.c b/xorg-server/Xi/xiquerypointer.c
index a873261..014bffa 100644
--- a/xorg-server/Xi/xiquerypointer.c
+++ b/xorg-server/Xi/xiquerypointer.c
@@ -63,6 +63,8 @@ int
 SProcXIQueryPointer(ClientPtr client)
 {
     REQUEST(xXIQueryPointerReq);
+    REQUEST_SIZE_MATCH(xXIQueryPointerReq);
+
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
     swapl(&stuff->win);
diff --git a/xorg-server/Xi/xiselectev.c b/xorg-server/Xi/xiselectev.c
index 8592747..701748e 100644
--- a/xorg-server/Xi/xiselectev.c
+++ b/xorg-server/Xi/xiselectev.c
@@ -114,6 +114,7 @@ int
 SProcXISelectEvents(ClientPtr client)
 {
     int i;
+    int len;
     xXIEventMask *evmask;
 
     REQUEST(xXISelectEventsReq);
@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
     swapl(&stuff->win);
     swaps(&stuff->num_masks);
 
+    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
     evmask = (xXIEventMask *) &stuff[1];
     for (i = 0; i < stuff->num_masks; i++) {
+        if (len < bytes_to_int32(sizeof(xXIEventMask)))
+            return BadLength;
+        len -= bytes_to_int32(sizeof(xXIEventMask));
         swaps(&evmask->deviceid);
         swaps(&evmask->mask_len);
+        if (len < evmask->mask_len)
+            return BadLength;
+        len -= evmask->mask_len;
         evmask =
             (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
     }
diff --git a/xorg-server/Xi/xisetclientpointer.c b/xorg-server/Xi/xisetclientpointer.c
index 38ff51e..24d4a53 100644
--- a/xorg-server/Xi/xisetclientpointer.c
+++ b/xorg-server/Xi/xisetclientpointer.c
@@ -51,10 +51,11 @@ int
 SProcXISetClientPointer(ClientPtr client)
 {
     REQUEST(xXISetClientPointerReq);
+    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+
     swaps(&stuff->length);
     swapl(&stuff->win);
     swaps(&stuff->deviceid);
-    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
     return (ProcXISetClientPointer(client));
 }
 
diff --git a/xorg-server/Xi/xisetdevfocus.c b/xorg-server/Xi/xisetdevfocus.c
index aec822c..f3584d5 100644
--- a/xorg-server/Xi/xisetdevfocus.c
+++ b/xorg-server/Xi/xisetdevfocus.c
@@ -44,6 +44,8 @@ int
 SProcXISetFocus(ClientPtr client)
 {
     REQUEST(xXISetFocusReq);
+    REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
+
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
     swapl(&stuff->focus);
@@ -56,6 +58,8 @@ int
 SProcXIGetFocus(ClientPtr client)
 {
     REQUEST(xXIGetFocusReq);
+    REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
+
     swaps(&stuff->length);
     swaps(&stuff->deviceid);
 
diff --git a/xorg-server/Xi/xiwarppointer.c b/xorg-server/Xi/xiwarppointer.c
index 3f051f7..780758a 100644
--- a/xorg-server/Xi/xiwarppointer.c
+++ b/xorg-server/Xi/xiwarppointer.c
@@ -56,6 +56,8 @@ int
 SProcXIWarpPointer(ClientPtr client)
 {
     REQUEST(xXIWarpPointerReq);
+    REQUEST_SIZE_MATCH(xXIWarpPointerReq);
+
     swaps(&stuff->length);
     swapl(&stuff->src_win);
     swapl(&stuff->dst_win);
diff --git a/xorg-server/configure.ac b/xorg-server/configure.ac
index 2daa6be..51395db 100644
--- a/xorg-server/configure.ac
+++ b/xorg-server/configure.ac
@@ -2610,6 +2610,7 @@ hw/kdrive/linux/Makefile
 hw/kdrive/src/Makefile
 hw/xwayland/Makefile
 test/Makefile
+test/xi1/Makefile
 test/xi2/Makefile
 xserver.ent
 xorg-server.pc
diff --git a/xorg-server/dbe/dbe.c b/xorg-server/dbe/dbe.c
index d64fb40..43edb08 100644
--- a/xorg-server/dbe/dbe.c
+++ b/xorg-server/dbe/dbe.c
@@ -450,18 +450,21 @@ ProcDbeSwapBuffers(ClientPtr client)
     DbeSwapInfoPtr swapInfo;
     xDbeSwapInfo *dbeSwapInfo;
     int error;
-    register int i, j;
-    int nStuff;
+    unsigned int i, j;
+    unsigned int nStuff;
+    int nStuff_i;       /* DDX API requires int for nStuff */
 
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
     nStuff = stuff->n;          /* use local variable for performance. */
 
     if (nStuff == 0) {
+        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
         return Success;
     }
 
     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
         return BadAlloc;
+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
 
     /* Get to the swap info appended to the end of the request. */
     dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
@@ -525,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
      * could deal with cross-screen synchronization.
      */
 
-    while (nStuff > 0) {
+    nStuff_i = nStuff;
+    while (nStuff_i > 0) {
         pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
-        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
         if (error != Success) {
             free(swapInfo);
             return error;
@@ -912,13 +916,16 @@ static int
 SProcDbeSwapBuffers(ClientPtr client)
 {
     REQUEST(xDbeSwapBuffersReq);
-    register int i;
+    unsigned int i;
     xDbeSwapInfo *pSwapInfo;
 
     swaps(&stuff->length);
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
 
     swapl(&stuff->n);
+    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+        return BadAlloc;
+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0) {
         pSwapInfo = (xDbeSwapInfo *) stuff + 1;
diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c
index 28a54de..67dbce6 100644
--- a/xorg-server/dix/dispatch.c
+++ b/xorg-server/dix/dispatch.c
@@ -2002,6 +2002,9 @@ ProcPutImage(ClientPtr client)
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if ((bytes_to_int32(lengthProto * stuff->height) +
          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
         return BadLength;
diff --git a/xorg-server/dix/region.c b/xorg-server/dix/region.c
index 15f3d01..e5eed01 100644
--- a/xorg-server/dix/region.c
+++ b/xorg-server/dix/region.c
@@ -169,7 +169,6 @@ Equipment Corporation.
         ((r1)->y1 <= (r2)->y1) && \
         ((r1)->y2 >= (r2)->y2) )
 
-#define xallocData(n) malloc(RegionSizeof(n))
 #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
 
 #define RECTALLOC_BAIL(pReg,n,bail) \
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
 #define DOWNSIZE(reg,numRects)						 \
 if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
 {									 \
-    RegDataPtr NewData;							 \
-    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
+    size_t NewSize = RegionSizeof(numRects);				 \
+    RegDataPtr NewData =						 \
+        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
     if (NewData)							 \
     {									 \
 	NewData->size = (numRects);					 \
@@ -345,17 +345,20 @@ Bool
 RegionRectAlloc(RegionPtr pRgn, int n)
 {
     RegDataPtr data;
+    size_t rgnSize;
 
     if (!pRgn->data) {
         n++;
-        pRgn->data = xallocData(n);
+        rgnSize = RegionSizeof(n);
+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
         if (!pRgn->data)
             return RegionBreak(pRgn);
         pRgn->data->numRects = 1;
         *RegionBoxptr(pRgn) = pRgn->extents;
     }
     else if (!pRgn->data->size) {
-        pRgn->data = xallocData(n);
+        rgnSize = RegionSizeof(n);
+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
         if (!pRgn->data)
             return RegionBreak(pRgn);
         pRgn->data->numRects = 0;
@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
                 n = 250;
         }
         n += pRgn->data->numRects;
-        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+        rgnSize = RegionSizeof(n);
+        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
         if (!data)
             return RegionBreak(pRgn);
         pRgn->data = data;
@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
 {
 
     RegionPtr pRgn;
+    size_t rgnSize;
     RegDataPtr pData;
     BoxPtr pBox;
     int i;
@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
         }
         return pRgn;
     }
-    pData = xallocData(nrects);
+    rgnSize = RegionSizeof(nrects);
+    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
     if (!pData) {
         RegionBreak(pRgn);
         return pRgn;
diff --git a/xorg-server/dri3/dri3_request.c b/xorg-server/dri3/dri3_request.c
index fe45620..2d75588 100644
--- a/xorg-server/dri3/dri3_request.c
+++ b/xorg-server/dri3/dri3_request.c
@@ -321,6 +321,7 @@ static int
 sproc_dri3_query_version(ClientPtr client)
 {
     REQUEST(xDRI3QueryVersionReq);
+    REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
@@ -332,6 +333,7 @@ static int
 sproc_dri3_open(ClientPtr client)
 {
     REQUEST(xDRI3OpenReq);
+    REQUEST_SIZE_MATCH(xDRI3OpenReq);
 
     swaps(&stuff->length);
     swapl(&stuff->drawable);
@@ -343,6 +345,7 @@ static int
 sproc_dri3_pixmap_from_buffer(ClientPtr client)
 {
     REQUEST(xDRI3PixmapFromBufferReq);
+    REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
 
     swaps(&stuff->length);
     swapl(&stuff->pixmap);
@@ -358,6 +361,7 @@ static int
 sproc_dri3_buffer_from_pixmap(ClientPtr client)
 {
     REQUEST(xDRI3BufferFromPixmapReq);
+    REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
 
     swaps(&stuff->length);
     swapl(&stuff->pixmap);
@@ -368,6 +372,7 @@ static int
 sproc_dri3_fence_from_fd(ClientPtr client)
 {
     REQUEST(xDRI3FenceFromFDReq);
+    REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
 
     swaps(&stuff->length);
     swapl(&stuff->drawable);
@@ -379,6 +384,7 @@ static int
 sproc_dri3_fd_from_fence(ClientPtr client)
 {
     REQUEST(xDRI3FDFromFenceReq);
+    REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
 
     swaps(&stuff->length);
     swapl(&stuff->drawable);
diff --git a/xorg-server/glx/clientinfo.c b/xorg-server/glx/clientinfo.c
index 4aaa4c9..74ad919 100644
--- a/xorg-server/glx/clientinfo.c
+++ b/xorg-server/glx/clientinfo.c
@@ -33,18 +33,22 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
                 unsigned bytes_per_version)
 {
+    ClientPtr client = cl->client;
     char *gl_extensions;
     char *glx_extensions;
+    int size;
+
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
 
     /* Verify that the size of the packet matches the size inferred from the
      * sizes specified for the various fields.
      */
-    const unsigned expected_size = sz_xGLXSetClientInfoARBReq
-        + (req->numVersions * bytes_per_version)
-        + __GLX_PAD(req->numGLExtensionBytes)
-        + __GLX_PAD(req->numGLXExtensionBytes);
+    size = sz_xGLXSetClientInfoARBReq;
+    size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+    size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+    size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
 
-    if (req->length != (expected_size / 4))
+    if (size < 0 || req->length != (size / 4))
         return BadLength;
 
     /* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +84,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     req->length = bswap_16(req->length);
     req->numVersions = bswap_32(req->numVersions);
     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +106,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     req->length = bswap_16(req->length);
     req->numVersions = bswap_32(req->numVersions);
     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
diff --git a/xorg-server/glx/glxcmds.c b/xorg-server/glx/glxcmds.c
index c39a3f4..88093da 100644
--- a/xorg-server/glx/glxcmds.c
+++ b/xorg-server/glx/glxcmds.c
@@ -2028,7 +2028,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
     left = (req->length << 2) - sz_xGLXRenderReq;
     while (left > 0) {
         __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
         __GLXdispatchRenderProcPtr proc;
         int err;
 
@@ -2047,6 +2047,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
         cmdlen = hdr->length;
         opcode = hdr->opcode;
 
+        if (left < cmdlen)
+            return BadLength;
+
         /*
          ** Check for core opcodes and grab entry data.
          */
@@ -2060,24 +2063,21 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
             return __glXError(GLXBadRenderRequest);
         }
 
+        if (cmdlen < entry.bytes) {
+            return BadLength;
+        }
+
         if (entry.varsize) {
             /* variable size command */
             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-                                      client->swapped);
+                                      client->swapped,
+                                      left - __GLX_RENDER_HDR_SIZE);
             if (extra < 0) {
-                extra = 0;
-            }
-            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
                 return BadLength;
             }
         }
-        else {
-            /* constant size command */
-            if (cmdlen != __GLX_PAD(entry.bytes)) {
-                return BadLength;
-            }
-        }
-        if (left < cmdlen) {
+
+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
             return BadLength;
         }
 
@@ -2113,6 +2113,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
     req = (xGLXRenderLargeReq *) pc;
     if (client->swapped) {
         __GLX_SWAP_SHORT(&req->length);
@@ -2128,12 +2130,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
         __glXResetLargeCommandStatus(cl);
         return error;
     }
+    if (safe_pad(req->dataBytes) < 0)
+        return BadLength;
     dataBytes = req->dataBytes;
 
     /*
      ** Check the request length.
      */
-    if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+    if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
         client->errorValue = req->length;
         /* Reset in case this isn't 1st request. */
         __glXResetLargeCommandStatus(cl);
@@ -2143,7 +2147,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
 
     if (cl->largeCmdRequestsSoFar == 0) {
         __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
+        int left = (req->length << 2) - sz_xGLXRenderLargeReq;
         size_t cmdlen;
         int err;
 
@@ -2156,13 +2161,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
             return __glXError(GLXBadLargeRequest);
         }
 
+        if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+            return BadLength;
+
         hdr = (__GLXrenderLargeHeader *) pc;
         if (client->swapped) {
             __GLX_SWAP_INT(&hdr->length);
             __GLX_SWAP_INT(&hdr->opcode);
         }
-        cmdlen = hdr->length;
         opcode = hdr->opcode;
+        if ((cmdlen = safe_pad(hdr->length)) < 0)
+            return BadLength;
 
         /*
          ** Check for core opcodes and grab entry data.
@@ -2180,21 +2189,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
              ** will be in the 1st request, so it's okay to do this.
              */
             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
-                                      client->swapped);
+                                      client->swapped,
+                                      left - __GLX_RENDER_LARGE_HDR_SIZE);
             if (extra < 0) {
-                extra = 0;
-            }
-            /* large command's header is 4 bytes longer, so add 4 */
-            if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
                 return BadLength;
             }
         }
-        else {
-            /* constant size command */
-            if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
-                return BadLength;
-            }
+
+        /* the +4 is safe because we know entry.bytes is small */
+        if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+            return BadLength;
         }
+
         /*
          ** Make enough space in the buffer, then copy the entire request.
          */
@@ -2221,6 +2227,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
          ** We are receiving subsequent (i.e. not the first) requests of a
          ** multi request command.
          */
+        int bytesSoFar; /* including this packet */
 
         /*
          ** Check the request number and the total request count.
@@ -2239,11 +2246,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
         /*
          ** Check that we didn't get too much data.
          */
-        if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+        if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
             client->errorValue = dataBytes;
             __glXResetLargeCommandStatus(cl);
             return __glXError(GLXBadLargeRequest);
         }
+
+        if (bytesSoFar > cl->largeCmdBytesTotal) {
+            client->errorValue = dataBytes;
+            __glXResetLargeCommandStatus(cl);
+            return __glXError(GLXBadLargeRequest);
+        }
+
         memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
         cl->largeCmdBytesSoFar += dataBytes;
         cl->largeCmdRequestsSoFar++;
@@ -2255,17 +2269,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
              ** This is the last request; it must have enough bytes to complete
              ** the command.
              */
-            /* NOTE: the two pad macros have been added below; they are needed
-             ** because the client library pads the total byte count, but not
-             ** the per-request byte counts.  The Protocol Encoding says the
-             ** total byte count should not be padded, so a proposal will be 
-             ** made to the ARB to relax the padding constraint on the total 
-             ** byte count, thus preserving backward compatibility.  Meanwhile, 
-             ** the padding done below fixes a bug that did not allow
-             ** large commands of odd sizes to be accepted by the server.
+            /* NOTE: the pad macro below is needed because the client library
+             ** pads the total byte count, but not the per-request byte counts.
+             ** The Protocol Encoding says the total byte count should not be
+             ** padded, so a proposal will be made to the ARB to relax the
+             ** padding constraint on the total byte count, thus preserving
+             ** backward compatibility.  Meanwhile, the padding done below
+             ** fixes a bug that did not allow large commands of odd sizes to
+             ** be accepted by the server.
              */
-            if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
-                __GLX_PAD(cl->largeCmdBytesTotal)) {
+            if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
                 client->errorValue = dataBytes;
                 __glXResetLargeCommandStatus(cl);
                 return __glXError(GLXBadLargeRequest);
diff --git a/xorg-server/glx/glxcmdsswap.c b/xorg-server/glx/glxcmdsswap.c
index fd1fd70..eca7009 100644
--- a/xorg-server/glx/glxcmdsswap.c
+++ b/xorg-server/glx/glxcmdsswap.c
@@ -960,11 +960,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req;
     GLint vendorcode;
     __GLXdispatchVendorPrivProcPtr proc;
 
     __GLX_DECLARE_SWAP_VARIABLES;
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     req = (xGLXVendorPrivateReq *) pc;
     __GLX_SWAP_SHORT(&req->length);
@@ -987,11 +989,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateWithReplyReq *req;
     GLint vendorcode;
     __GLXdispatchVendorPrivProcPtr proc;
 
     __GLX_DECLARE_SWAP_VARIABLES;
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
 
     req = (xGLXVendorPrivateWithReplyReq *) pc;
     __GLX_SWAP_SHORT(&req->length);
diff --git a/xorg-server/glx/glxserver.h b/xorg-server/glx/glxserver.h
index a324b29..9088ec4 100644
--- a/xorg-server/glx/glxserver.h
+++ b/xorg-server/glx/glxserver.h
@@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
 /*
  * Tables for computing the size of each rendering command.
  */
-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
 
 typedef struct {
     int bytes;
@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
  * Routines for computing the size of variably-sized rendering commands.
  */
 
+static _X_INLINE int
+safe_add(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (INT_MAX - a < b)
+        return -1;
+
+    return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (a == 0 || b == 0)
+        return 0;
+
+    if (a > INT_MAX / b)
+        return -1;
+
+    return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+    int ret;
+
+    if (a < 0)
+        return -1;
+
+    if ((ret = safe_add(a, 3)) < 0)
+        return -1;
+
+    return ret & (GLuint)~3;
+}
+
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type,
                           GLenum target, GLsizei w, GLsizei h, GLsizei d,
diff --git a/xorg-server/glx/indirect_dispatch.c b/xorg-server/glx/indirect_dispatch.c
index 67e5280..80b4964 100644
--- a/xorg-server/glx/indirect_dispatch.c
+++ b/xorg-server/glx/indirect_dispatch.c
@@ -2747,6 +2747,9 @@ int __glXDisp_AreTexturesResident(__GLXclientState *cl, GLbyte *pc)
         GLboolean retval;
         GLboolean answerBuffer[200];
         GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+        if (residences == NULL)
+            return BadAlloc;
         retval = CALL_AreTexturesResident( GET_DISPATCH(), (
             n,
              (const GLuint *)(pc +  4),
@@ -2772,6 +2775,9 @@ int __glXDisp_AreTexturesResidentEXT(__GLXclientState *cl, GLbyte *pc)
         GLboolean retval;
         GLboolean answerBuffer[200];
         GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+        if (residences == NULL)
+            return BadAlloc;
         retval = CALL_AreTexturesResident( GET_DISPATCH(), (
             n,
              (const GLuint *)(pc +  4),
@@ -2889,6 +2895,9 @@ int __glXDisp_GenTextures(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (textures == NULL)
+            return BadAlloc;
         CALL_GenTextures( GET_DISPATCH(), (
             n,
             textures
@@ -2912,6 +2921,9 @@ int __glXDisp_GenTexturesEXT(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (textures == NULL)
+            return BadAlloc;
         CALL_GenTextures( GET_DISPATCH(), (
             n,
             textures
@@ -4261,6 +4273,9 @@ int __glXDisp_GenQueries(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * ids = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (ids == NULL)
+            return BadAlloc;
         CALL_GenQueries( GET_DISPATCH(), (
             n,
             ids
@@ -4711,6 +4726,9 @@ int __glXDisp_GenProgramsARB(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * programs = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (programs == NULL)
+            return BadAlloc;
         CALL_GenProgramsARB( GET_DISPATCH(), (
             n,
             programs
@@ -5086,6 +5104,10 @@ int __glXDisp_GenFramebuffers(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * framebuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (framebuffers == NULL)
+            return BadAlloc;
+
         CALL_GenFramebuffers( GET_DISPATCH(), (
             n,
             framebuffers
@@ -5109,6 +5131,9 @@ int __glXDisp_GenRenderbuffers(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * renderbuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (renderbuffers == NULL)
+            return BadAlloc;
         CALL_GenRenderbuffers( GET_DISPATCH(), (
             n,
             renderbuffers
diff --git a/xorg-server/glx/indirect_dispatch_swap.c b/xorg-server/glx/indirect_dispatch_swap.c
index 4096023..d1118d6 100644
--- a/xorg-server/glx/indirect_dispatch_swap.c
+++ b/xorg-server/glx/indirect_dispatch_swap.c
@@ -2875,6 +2875,9 @@ int __glXDispSwap_AreTexturesResident(__GLXclientState *cl, GLbyte *pc)
         GLboolean retval;
         GLboolean answerBuffer[200];
         GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+        if (residences == NULL)
+            return BadAlloc;
         retval = CALL_AreTexturesResident( GET_DISPATCH(), (
             n,
              (const GLuint *)bswap_32_array( (uint32_t *) (pc +  4), 0 ),
@@ -2900,6 +2903,9 @@ int __glXDispSwap_AreTexturesResidentEXT(__GLXclientState *cl, GLbyte *pc)
         GLboolean retval;
         GLboolean answerBuffer[200];
         GLboolean * residences = __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+        if (residences == NULL)
+            return BadAlloc;
         retval = CALL_AreTexturesResident( GET_DISPATCH(), (
             n,
              (const GLuint *)bswap_32_array( (uint32_t *) (pc +  4), 0 ),
@@ -3017,6 +3023,9 @@ int __glXDispSwap_GenTextures(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (textures == NULL)
+            return BadAlloc;
         CALL_GenTextures( GET_DISPATCH(), (
             n,
             textures
@@ -3041,6 +3050,9 @@ int __glXDispSwap_GenTexturesEXT(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * textures = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (textures == NULL)
+            return BadAlloc;
         CALL_GenTextures( GET_DISPATCH(), (
             n,
             textures
@@ -4407,6 +4419,9 @@ int __glXDispSwap_GenQueries(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * ids = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+        if (ids == NULL)
+            return BadAlloc;
+
         CALL_GenQueries( GET_DISPATCH(), (
             n,
             ids
@@ -4864,6 +4879,9 @@ int __glXDispSwap_GenProgramsARB(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * programs = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+        if (programs == NULL)
+            return BadAlloc;
+
         CALL_GenProgramsARB( GET_DISPATCH(), (
             n,
             programs
@@ -5245,6 +5263,10 @@ int __glXDispSwap_GenFramebuffers(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * framebuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (framebuffers == NULL)
+            return BadAlloc;
+
         CALL_GenFramebuffers( GET_DISPATCH(), (
             n,
             framebuffers
@@ -5269,6 +5291,10 @@ int __glXDispSwap_GenRenderbuffers(__GLXclientState *cl, GLbyte *pc)
 
         GLuint answerBuffer[200];
         GLuint * renderbuffers = __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer), 4);
+
+        if (renderbuffers == NULL)
+            return BadAlloc;
+
         CALL_GenRenderbuffers( GET_DISPATCH(), (
             n,
             renderbuffers
diff --git a/xorg-server/glx/indirect_program.c b/xorg-server/glx/indirect_program.c
index c5e562a..8f2d6a8 100644
--- a/xorg-server/glx/indirect_program.c
+++ b/xorg-server/glx/indirect_program.c
@@ -57,6 +57,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
     ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
     if (cx != NULL) {
         GLenum target;
diff --git a/xorg-server/glx/indirect_reqsize.c b/xorg-server/glx/indirect_reqsize.c
index a87f7d2..e67c847 100644
--- a/xorg-server/glx/indirect_reqsize.c
+++ b/xorg-server/glx/indirect_reqsize.c
@@ -40,25 +40,23 @@
 #include "indirect_size.h"
 #include "indirect_reqsize.h"
 
-#define __GLX_PAD(x)  (((x) + 3) & ~3)
-
 #if defined(__CYGWIN__) || defined(__MINGW32__)
 #  undef HAVE_ALIAS
 #endif
 #ifdef HAVE_ALIAS
 #  define ALIAS2(from,to) \
-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
         __attribute__ ((alias( # to )));
 #  define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
 #else
 #  define ALIAS(from,to) \
-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
-    { return __glX ## to ## ReqSize( pc, swap ); }
+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+    { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
 #endif
 
 
 int
-__glXCallListsReqSize( const GLbyte * pc, Bool swap )
+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 0);
 GLenum type        = * (GLenum *)(pc + 4);
@@ -70,11 +68,11 @@ GLenum type        = * (GLenum *)(pc + 4);
     }
 
     compsize = __glCallLists_size(type);
-    return __GLX_PAD((compsize * n));
+    return safe_pad(safe_mul(compsize, n));
 }
 
 int
-__glXBitmapReqSize( const GLbyte * pc, Bool swap )
+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -98,7 +96,7 @@ GLsizei height     = *(GLsizei *)(pc + 24);
 }
 
 int
-__glXFogfvReqSize( const GLbyte * pc, Bool swap )
+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 0);
     GLsizei compsize;
@@ -108,11 +106,11 @@ GLenum pname       = * (GLenum *)(pc + 0);
     }
 
     compsize = __glFogfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXLightfvReqSize( const GLbyte * pc, Bool swap )
+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -122,11 +120,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glLightfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXLightModelfvReqSize( const GLbyte * pc, Bool swap )
+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 0);
     GLsizei compsize;
@@ -136,11 +134,11 @@ GLenum pname       = * (GLenum *)(pc + 0);
     }
 
     compsize = __glLightModelfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXMaterialfvReqSize( const GLbyte * pc, Bool swap )
+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -150,11 +148,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glMaterialfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXPolygonStippleReqSize( const GLbyte * pc, Bool swap )
+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -174,7 +172,7 @@ __glXPolygonStippleReqSize( const GLbyte * pc, Bool swap )
 }
 
 int
-__glXTexParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -184,11 +182,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glTexParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXTexImage1DReqSize( const GLbyte * pc, Bool swap )
+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -216,7 +214,7 @@ GLenum type        = * (GLenum *)(pc + 48);
 }
 
 int
-__glXTexImage2DReqSize( const GLbyte * pc, Bool swap )
+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -246,7 +244,7 @@ GLenum type        = * (GLenum *)(pc + 48);
 }
 
 int
-__glXTexEnvfvReqSize( const GLbyte * pc, Bool swap )
+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -256,11 +254,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glTexEnvfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXTexGendvReqSize( const GLbyte * pc, Bool swap )
+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -270,11 +268,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glTexGendv_size(pname);
-    return __GLX_PAD((compsize * 8));
+    return safe_pad(safe_mul(compsize, 8));
 }
 
 int
-__glXTexGenfvReqSize( const GLbyte * pc, Bool swap )
+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -284,11 +282,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glTexGenfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXPixelMapfvReqSize( const GLbyte * pc, Bool swap )
+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei mapsize    = *(GLsizei *)(pc + 4);
 
@@ -296,11 +294,11 @@ GLsizei mapsize    = *(GLsizei *)(pc + 4);
         mapsize = bswap_32(mapsize);
     }
 
-    return __GLX_PAD((mapsize * 4));
+    return safe_pad(safe_mul(mapsize, 4));
 }
 
 int
-__glXPixelMapusvReqSize( const GLbyte * pc, Bool swap )
+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei mapsize    = *(GLsizei *)(pc + 4);
 
@@ -308,11 +306,11 @@ GLsizei mapsize    = *(GLsizei *)(pc + 4);
         mapsize = bswap_32(mapsize);
     }
 
-    return __GLX_PAD((mapsize * 2));
+    return safe_pad(safe_mul(mapsize, 2));
 }
 
 int
-__glXDrawPixelsReqSize( const GLbyte * pc, Bool swap )
+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -340,7 +338,7 @@ GLenum type        = * (GLenum *)(pc + 32);
 }
 
 int
-__glXPrioritizeTexturesReqSize( const GLbyte * pc, Bool swap )
+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 0);
 
@@ -348,11 +346,11 @@ GLsizei n          = *(GLsizei *)(pc + 0);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 4) + (n * 4));
+    return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
 }
 
 int
-__glXTexSubImage1DReqSize( const GLbyte * pc, Bool swap )
+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -380,7 +378,7 @@ GLenum type        = * (GLenum *)(pc + 48);
 }
 
 int
-__glXTexSubImage2DReqSize( const GLbyte * pc, Bool swap )
+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -410,7 +408,7 @@ GLenum type        = * (GLenum *)(pc + 48);
 }
 
 int
-__glXColorTableReqSize( const GLbyte * pc, Bool swap )
+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -438,7 +436,7 @@ GLenum type        = * (GLenum *)(pc + 36);
 }
 
 int
-__glXColorTableParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -448,11 +446,11 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glColorTableParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXColorSubTableReqSize( const GLbyte * pc, Bool swap )
+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -480,7 +478,7 @@ GLenum type        = * (GLenum *)(pc + 36);
 }
 
 int
-__glXConvolutionFilter1DReqSize( const GLbyte * pc, Bool swap )
+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -508,7 +506,7 @@ GLenum type        = * (GLenum *)(pc + 40);
 }
 
 int
-__glXConvolutionFilter2DReqSize( const GLbyte * pc, Bool swap )
+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = 0;
@@ -538,7 +536,7 @@ GLenum type        = * (GLenum *)(pc + 40);
 }
 
 int
-__glXConvolutionParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 4);
     GLsizei compsize;
@@ -548,7 +546,7 @@ GLenum pname       = * (GLenum *)(pc + 4);
     }
 
     compsize = __glConvolutionParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
@@ -589,7 +587,7 @@ GLenum type        = * (GLenum *)(pc + 72);
 }
 
 int
-__glXTexSubImage3DReqSize( const GLbyte * pc, Bool swap )
+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLint row_length   = *  (GLint *)(pc +  4);
     GLint image_height = *  (GLint *)(pc +  8);
@@ -623,7 +621,7 @@ GLenum type        = * (GLenum *)(pc + 80);
 }
 
 int
-__glXCompressedTexImage1DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei imageSize  = *(GLsizei *)(pc + 20);
 
@@ -631,11 +629,11 @@ GLsizei imageSize  = *(GLsizei *)(pc + 20);
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXCompressedTexImage2DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei imageSize  = *(GLsizei *)(pc + 24);
 
@@ -643,11 +641,11 @@ GLsizei imageSize  = *(GLsizei *)(pc + 24);
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXCompressedTexImage3DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei imageSize  = *(GLsizei *)(pc + 28);
 
@@ -655,11 +653,11 @@ GLsizei imageSize  = *(GLsizei *)(pc + 28);
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXCompressedTexSubImage3DReqSize( const GLbyte * pc, Bool swap )
+__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei imageSize  = *(GLsizei *)(pc + 36);
 
@@ -667,11 +665,11 @@ GLsizei imageSize  = *(GLsizei *)(pc + 36);
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXPointParameterfvReqSize( const GLbyte * pc, Bool swap )
+__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLenum pname       = * (GLenum *)(pc + 0);
     GLsizei compsize;
@@ -681,11 +679,11 @@ GLenum pname       = * (GLenum *)(pc + 0);
     }
 
     compsize = __glPointParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXDrawBuffersReqSize( const GLbyte * pc, Bool swap )
+__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 0);
 
@@ -693,11 +691,11 @@ GLsizei n          = *(GLsizei *)(pc + 0);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 4));
+    return safe_pad(safe_mul(n, 4));
 }
 
 int
-__glXProgramStringARBReqSize( const GLbyte * pc, Bool swap )
+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei len        = *(GLsizei *)(pc + 8);
 
@@ -705,11 +703,11 @@ GLsizei len        = *(GLsizei *)(pc + 8);
         len = bswap_32(len);
     }
 
-    return __GLX_PAD(len);
+    return safe_pad(len);
 }
 
 int
-__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXProgramParameters4dvNVReqSize( const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei num        = *(GLsizei *)(pc + 8);
 
@@ -717,11 +715,11 @@ GLsizei num        = *(GLsizei *)(pc + 8);
         num = bswap_32(num);
     }
 
-    return __GLX_PAD((num * 32));
+    return safe_pad(safe_mul(num, 32));
 }
 
 int
-__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap )
+__glXProgramParameters4fvNVReqSize( const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei num        = *(GLsizei *)(pc + 8);
 
@@ -729,11 +727,11 @@ GLsizei num        = *(GLsizei *)(pc + 8);
         num = bswap_32(num);
     }
 
-    return __GLX_PAD((num * 16));
+    return safe_pad(safe_mul(num, 16));
 }
 
 int
-__glXVertexAttribs1dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 4);
 
@@ -741,11 +739,11 @@ GLsizei n          = *(GLsizei *)(pc + 4);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 8));
+    return safe_pad(safe_mul(n, 8));
 }
 
 int
-__glXVertexAttribs2dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 4);
 
@@ -753,11 +751,11 @@ GLsizei n          = *(GLsizei *)(pc + 4);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 16));
+    return safe_pad(safe_mul(n, 16));
 }
 
 int
-__glXVertexAttribs3dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 4);
 
@@ -765,11 +763,11 @@ GLsizei n          = *(GLsizei *)(pc + 4);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 24));
+    return safe_pad(safe_mul(n, 24));
 }
 
 int
-__glXVertexAttribs3fvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 4);
 
@@ -777,11 +775,11 @@ GLsizei n          = *(GLsizei *)(pc + 4);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 12));
+    return safe_pad(safe_mul(n, 12));
 }
 
 int
-__glXVertexAttribs3svNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 4);
 
@@ -789,11 +787,11 @@ GLsizei n          = *(GLsizei *)(pc + 4);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 6));
+    return safe_pad(safe_mul(n, 6));
 }
 
 int
-__glXVertexAttribs4dvNVReqSize( const GLbyte * pc, Bool swap )
+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei n          = *(GLsizei *)(pc + 4);
 
@@ -801,11 +799,11 @@ GLsizei n          = *(GLsizei *)(pc + 4);
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 32));
+    return safe_pad(safe_mul(n, 32));
 }
 
 int
-__glXProgramNamedParameter4fvNVReqSize( const GLbyte * pc, Bool swap )
+__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
 GLsizei len        = *(GLsizei *)(pc + 4);
 
@@ -813,7 +811,7 @@ GLsizei len        = *(GLsizei *)(pc + 4);
         len = bswap_32(len);
     }
 
-    return __GLX_PAD(len);
+    return safe_pad(len);
 }
 
 ALIAS( Fogiv, Fogfv )
diff --git a/xorg-server/glx/indirect_reqsize.h b/xorg-server/glx/indirect_reqsize.h
index 1b7bd6e..9adba49 100644
--- a/xorg-server/glx/indirect_reqsize.h
+++ b/xorg-server/glx/indirect_reqsize.h
@@ -36,80 +36,80 @@
 #    define PURE
 #  endif
 
-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap);
+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
 
 #  undef PURE
 
diff --git a/xorg-server/glx/indirect_texture_compression.c b/xorg-server/glx/indirect_texture_compression.c
index 112811e..a39b158 100644
--- a/xorg-server/glx/indirect_texture_compression.c
+++ b/xorg-server/glx/indirect_texture_compression.c
@@ -45,6 +45,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
     ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     pc += __GLX_SINGLE_HDR_SIZE;
     if (cx != NULL) {
         const GLenum target = *(GLenum *) (pc + 0);
@@ -89,6 +91,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
         __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
     ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     pc += __GLX_SINGLE_HDR_SIZE;
     if (cx != NULL) {
         const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
diff --git a/xorg-server/glx/indirect_util.c b/xorg-server/glx/indirect_util.c
index e7f11fb..96fa2e0 100644
--- a/xorg-server/glx/indirect_util.c
+++ b/xorg-server/glx/indirect_util.c
@@ -76,12 +76,17 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
                      void *local_buffer, size_t local_size, unsigned alignment)
 {
     void *buffer = local_buffer;
-    const unsigned mask = alignment - 1;
+    const intptr_t mask = alignment - 1;
 
     if (local_size < required_size) {
-        const size_t worst_case_size = required_size + alignment;
+        size_t worst_case_size;
         intptr_t temp_buf;
 
+        if (required_size < SIZE_MAX - alignment)
+            worst_case_size = required_size + alignment;
+        else
+            return NULL;
+
         if (cl->returnBufSize < worst_case_size) {
             void *temp = realloc(cl->returnBuf, worst_case_size);
 
diff --git a/xorg-server/glx/rensize.c b/xorg-server/glx/rensize.c
index 5522932..068e1ce 100644
--- a/xorg-server/glx/rensize.c
+++ b/xorg-server/glx/rensize.c
@@ -47,19 +47,11 @@
   (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
 
-static int
-Map1Size(GLint k, GLint order)
-{
-    if (order <= 0 || k < 0)
-        return -1;
-    return k * order;
-}
-
 int
-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *) (pc + 16);
     order = *(GLint *) (pc + 20);
@@ -67,15 +59,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
         target = SWAPL(target);
         order = SWAPL(order);
     }
-    k = __glMap1d_size(target);
-    return 8 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
 }
 
 int
-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *) (pc + 0);
     order = *(GLint *) (pc + 12);
@@ -83,23 +76,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
         target = SWAPL(target);
         order = SWAPL(order);
     }
-    k = __glMap1f_size(target);
-    return 4 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
 }
 
 static int
 Map2Size(int k, int majorOrder, int minorOrder)
 {
-    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+    if (majorOrder < 1 || minorOrder < 1)
         return -1;
-    return k * majorOrder * minorOrder;
+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
 }
 
 int
-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *) (pc + 32);
     uorder = *(GLint *) (pc + 36);
@@ -109,15 +103,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
         uorder = SWAPL(uorder);
         vorder = SWAPL(vorder);
     }
-    k = __glMap2d_size(target);
-    return 8 * Map2Size(k, uorder, vorder);
+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
 }
 
 int
-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *) (pc + 0);
     uorder = *(GLint *) (pc + 12);
@@ -127,8 +120,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
         uorder = SWAPL(uorder);
         vorder = SWAPL(vorder);
     }
-    k = __glMap2f_size(target);
-    return 4 * Map2Size(k, uorder, vorder);
+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
 }
 
 /**
@@ -179,14 +171,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
     GLint bytesPerElement, elementsPerGroup, groupsPerRow;
     GLint groupSize, rowSize, padding, imageSize;
 
+    if (w == 0 || h == 0 || d == 0)
+        return 0;
+
     if (w < 0 || h < 0 || d < 0 ||
         (type == GL_BITMAP &&
          (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
         return -1;
     }
-    if (w == 0 || h == 0 || d == 0)
-        return 0;
 
+    /* proxy targets have no data */
     switch (target) {
     case GL_PROXY_TEXTURE_1D:
     case GL_PROXY_TEXTURE_2D:
@@ -203,6 +197,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         return 0;
     }
 
+    /* real data has to have real sizes */
+    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+        return -1;
+    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+        return -1;
+
     if (type == GL_BITMAP) {
         if (rowLength > 0) {
             groupsPerRow = rowLength;
@@ -211,11 +211,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
             groupsPerRow = w;
         }
         rowSize = bits_to_bytes(groupsPerRow);
+        if (rowSize < 0)
+            return -1;
         padding = (rowSize % alignment);
         if (padding) {
             rowSize += alignment - padding;
         }
-        return ((h + skipRows) * rowSize);
+
+        return safe_mul(safe_add(h, skipRows), rowSize);
     }
     else {
         switch (format) {
@@ -228,6 +231,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         case GL_ALPHA:
         case GL_LUMINANCE:
         case GL_INTENSITY:
+        case GL_RED_INTEGER_EXT:
+        case GL_GREEN_INTEGER_EXT:
+        case GL_BLUE_INTEGER_EXT:
+        case GL_ALPHA_INTEGER_EXT:
+        case GL_LUMINANCE_INTEGER_EXT:
             elementsPerGroup = 1;
             break;
         case GL_422_EXT:
@@ -238,14 +246,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         case GL_DEPTH_STENCIL_MESA:
         case GL_YCBCR_MESA:
         case GL_LUMINANCE_ALPHA:
+        case GL_LUMINANCE_ALPHA_INTEGER_EXT:
             elementsPerGroup = 2;
             break;
         case GL_RGB:
         case GL_BGR:
+        case GL_RGB_INTEGER_EXT:
+        case GL_BGR_INTEGER_EXT:
             elementsPerGroup = 3;
             break;
         case GL_RGBA:
         case GL_BGRA:
+        case GL_RGBA_INTEGER_EXT:
+        case GL_BGRA_INTEGER_EXT:
         case GL_ABGR_EXT:
             elementsPerGroup = 4;
             break;
@@ -297,6 +310,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         default:
             return -1;
         }
+        /* known safe by the switches above, not checked */
         groupSize = bytesPerElement * elementsPerGroup;
         if (rowLength > 0) {
             groupsPerRow = rowLength;
@@ -304,18 +318,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         else {
             groupsPerRow = w;
         }
-        rowSize = groupsPerRow * groupSize;
+
+        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+            return -1;
         padding = (rowSize % alignment);
         if (padding) {
             rowSize += alignment - padding;
         }
-        if (imageHeight > 0) {
-            imageSize = (imageHeight + skipRows) * rowSize;
-        }
-        else {
-            imageSize = (h + skipRows) * rowSize;
-        }
-        return ((d + skipImages) * imageSize);
+
+        if (imageHeight > 0)
+            h = imageHeight;
+        h = safe_add(h, skipRows);
+
+        imageSize = safe_mul(h, rowSize);
+
+        return safe_mul(safe_add(d, skipImages), imageSize);
     }
 }
 
@@ -346,13 +363,14 @@ __glXTypeSize(GLenum enm)
 }
 
 int
-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
     __GLXdispatchDrawArraysComponentHeader *compHeader;
     GLint numVertexes = hdr->numVertexes;
     GLint numComponents = hdr->numComponents;
     GLint arrayElementSize = 0;
+    GLint x, size;
     int i;
 
     if (swap) {
@@ -361,6 +379,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
     }
 
     pc += sizeof(__GLXdispatchDrawArraysHeader);
+    reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+    size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+                    numComponents);
+    if (size < 0 || reqlen < 0 || reqlen < size)
+        return -1;
+
     compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
 
     for (i = 0; i < numComponents; i++) {
@@ -404,17 +429,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
             return -1;
         }
 
-        arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
+        x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
+        if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
+            return -1;
 
         pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
     }
 
-    return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
-            (numVertexes * arrayElementSize));
+    return safe_add(size, safe_mul(numVertexes, arrayElementSize));
 }
 
 int
-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     __GLXdispatchConvolutionFilterHeader *hdr =
         (__GLXdispatchConvolutionFilterHeader *) pc;
@@ -439,9 +465,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
     /* XXX Should rowLength be used for either or both image? */
     image1size = __glXImageSize(format, type, 0, w, 1, 1,
                                 0, rowLength, 0, 0, alignment);
-    image1size = __GLX_PAD(image1size);
     image2size = __glXImageSize(format, type, 0, h, 1, 1,
                                 0, rowLength, 0, 0, alignment);
-    return image1size + image2size;
-
+    return safe_add(safe_pad(image1size), image2size);
 }
diff --git a/xorg-server/glx/single2.c b/xorg-server/glx/single2.c
index 8d4d1d0..cd35932 100644
--- a/xorg-server/glx/single2.c
+++ b/xorg-server/glx/single2.c
@@ -48,11 +48,14 @@
 int
 __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     GLsizei size;
     GLenum type;
     __GLXcontext *cx;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -79,10 +82,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLsizei size;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -107,7 +113,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     xGLXRenderModeReply reply;
     __GLXcontext *cx;
     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -115,6 +121,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
     GLenum newMode;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -191,7 +199,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
      ** selection array, as per the API for glRenderMode itself.
      */
  noChangeAllowed:;
-    client = cl->client;
     reply = (xGLXRenderModeReply) {
         .type = X_Reply,
         .sequenceNumber = client->sequence,
@@ -210,9 +217,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -226,10 +236,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
-    ClientPtr client;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -320,7 +332,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
 int
 DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLenum name;
     const char *string;
@@ -330,6 +342,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
     char *buf = NULL, *buf1 = NULL;
     GLint length = 0;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     /* If the client has the opposite byte order, swap the contextTag and
      * the name.
      */
@@ -346,7 +360,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
     pc += __GLX_SINGLE_HDR_SIZE;
     name = *(GLenum *) (pc + 0);
     string = (const char *) glGetString(name);
-    client = cl->client;
 
     if (string == NULL)
         string = "";
diff --git a/xorg-server/glx/single2swap.c b/xorg-server/glx/single2swap.c
index 90387a2..a35767f 100644
--- a/xorg-server/glx/single2swap.c
+++ b/xorg-server/glx/single2swap.c
@@ -44,6 +44,7 @@
 int
 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     GLsizei size;
     GLenum type;
 
@@ -51,6 +52,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
     __GLXcontext *cx;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -80,12 +83,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLsizei size;
 
     __GLX_DECLARE_SWAP_VARIABLES;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -112,7 +118,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     xGLXRenderModeReply reply;
     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -123,6 +129,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -203,7 +211,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
      ** selection array, as per the API for glRenderMode itself.
      */
  noChangeAllowed:;
-    client = cl->client;
     reply = (xGLXRenderModeReply) {
         .type = X_Reply,
         .sequenceNumber = client->sequence,
@@ -227,11 +234,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     int error;
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -246,12 +256,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
-    ClientPtr client;
     int error;
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -263,7 +275,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
     cx->hasUnflushedCommands = GL_FALSE;
 
     /* Send empty reply packet to indicate finish is finished */
-    client = cl->client;
     __GLX_BEGIN_REPLY(0);
     __GLX_PUT_RETVAL(0);
     __GLX_SWAP_REPLY_HEADER();
diff --git a/xorg-server/glx/singlepix.c b/xorg-server/glx/singlepix.c
index 06c0ad6..96c0e9f 100644
--- a/xorg-server/glx/singlepix.c
+++ b/xorg-server/glx/singlepix.c
@@ -54,6 +54,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
     int error;
     char *answer, answerBuffer[200];
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -68,7 +70,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
     lsbFirst = *(GLboolean *) (pc + 25);
     compsize = __glReadPixels_size(format, type, width, height);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -103,6 +105,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
     char *answer, answerBuffer[200];
     GLint width = 0, height = 0, depth = 1;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -127,7 +131,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
     compsize =
         __glGetTexImage_size(target, level, format, type, width, height, depth);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -160,6 +164,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
     GLubyte answerBuffer[200];
     char *answer;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
         return error;
@@ -220,15 +226,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
 
-    if (compsize < 0)
-        compsize = 0;
-    if (compsize2 < 0)
-        compsize2 = 0;
-    compsize = __GLX_PAD(compsize);
-    compsize2 = __GLX_PAD(compsize2);
+    if ((compsize = safe_pad(compsize)) < 0)
+        return BadLength;
+    if ((compsize2 = safe_pad(compsize2)) < 0)
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
     __glXClearErrorOccured();
     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -252,7 +256,8 @@ int
 __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -260,7 +265,8 @@ int
 __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -299,7 +305,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
      */
     compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -326,7 +332,8 @@ int
 __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -334,7 +341,8 @@ int
 __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -368,7 +376,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
      */
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -393,7 +401,8 @@ int
 __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -401,7 +410,8 @@ int
 __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -429,7 +439,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
 
     compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -453,7 +463,8 @@ int
 __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -461,7 +472,8 @@ int
 __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -494,7 +506,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
      */
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -520,7 +532,8 @@ int
 __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -528,6 +541,7 @@ int
 __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
diff --git a/xorg-server/glx/singlepixswap.c b/xorg-server/glx/singlepixswap.c
index b1ed6ce..fa373fa 100644
--- a/xorg-server/glx/singlepixswap.c
+++ b/xorg-server/glx/singlepixswap.c
@@ -56,6 +56,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
     int error;
     char *answer, answerBuffer[200];
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -78,7 +80,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
     lsbFirst = *(GLboolean *) (pc + 25);
     compsize = __glReadPixels_size(format, type, width, height);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -117,6 +119,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
     char *answer, answerBuffer[200];
     GLint width = 0, height = 0, depth = 1;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -147,7 +151,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
     compsize =
         __glGetTexImage_size(target, level, format, type, width, height, depth);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -187,6 +191,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
 
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -254,15 +260,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
 
-    if (compsize < 0)
-        compsize = 0;
-    if (compsize2 < 0)
-        compsize2 = 0;
-    compsize = __GLX_PAD(compsize);
-    compsize2 = __GLX_PAD(compsize2);
+    if ((compsize = safe_pad(compsize)) < 0)
+        return BadLength;
+    if ((compsize2 = safe_pad(compsize2)) < 0)
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
     __glXClearErrorOccured();
     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -288,7 +292,9 @@ int
 __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -296,7 +302,9 @@ int
 __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -341,7 +349,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
      */
     compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -370,7 +378,9 @@ int
 __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -378,7 +388,9 @@ int
 __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -418,7 +430,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
      */
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -444,7 +456,9 @@ int
 __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -452,7 +466,9 @@ int
 __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -486,7 +502,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
 
     compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -510,7 +526,9 @@ int
 __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -518,7 +536,9 @@ int
 __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -557,7 +577,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
      */
     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
     if (compsize < 0)
-        compsize = 0;
+        return BadLength;
 
     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -584,7 +604,9 @@ int
 __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
@@ -592,6 +614,8 @@ int
 __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
diff --git a/xorg-server/glx/swap_interval.c b/xorg-server/glx/swap_interval.c
index 80d8b94..d82e63f 100644
--- a/xorg-server/glx/swap_interval.c
+++ b/xorg-server/glx/swap_interval.c
@@ -47,6 +47,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
     __GLXcontext *cx;
     GLint interval;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
     cx = __glXLookupContextByTag(cl, tag);
 
     if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
diff --git a/xorg-server/glx/unpack.h b/xorg-server/glx/unpack.h
index 52fba74..2b1ebcf 100644
--- a/xorg-server/glx/unpack.h
+++ b/xorg-server/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
 ** pointer.
 */
 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
-    if ((size) > sizeof(answerBuffer)) {				 \
+    if (size < 0) return BadLength;                                      \
+    else if ((size) > sizeof(answerBuffer)) {				 \
 	int bump;							 \
 	if ((cl)->returnBufSize < (size)+(align)) {			 \
 	    (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf,	 	 \
diff --git a/xorg-server/hw/xfree86/dri2/dri2ext.c b/xorg-server/hw/xfree86/dri2/dri2ext.c
index ffd66fa..221ec53 100644
--- a/xorg-server/hw/xfree86/dri2/dri2ext.c
+++ b/xorg-server/hw/xfree86/dri2/dri2ext.c
@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
     unsigned int *attachments;
 
     REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+    if (stuff->count > (INT_MAX / 4))
+        return BadLength;
+
     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                        &pDrawable, &status))
         return status;
diff --git a/xorg-server/include/dix.h b/xorg-server/include/dix.h
index 82bb58c..821b0ed 100644
--- a/xorg-server/include/dix.h
+++ b/xorg-server/include/dix.h
@@ -74,9 +74,14 @@ SOFTWARE.
     if ((sizeof(req) >> 2) > client->req_len )\
          return(BadLength)
 
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
+    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+         return(BadLength)
+
 #define REQUEST_FIXED_SIZE(req, n)\
     if (((sizeof(req) >> 2) > client->req_len) || \
-        (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+        (((n) >> 2) >= client->req_len) ||                              \
+        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
          return(BadLength)
 
 #define LEGAL_NEW_RESOURCE(id,client)\
diff --git a/xorg-server/include/regionstr.h b/xorg-server/include/regionstr.h
index 4a0725d..079375d 100644
--- a/xorg-server/include/regionstr.h
+++ b/xorg-server/include/regionstr.h
@@ -125,9 +125,12 @@ RegionEnd(RegionPtr reg)
 }
 
 static inline size_t
-RegionSizeof(int n)
+RegionSizeof(size_t n)
 {
-    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    else
+        return 0;
 }
 
 static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
         (_pReg)->data = (RegDataPtr) NULL;
     }
     else {
+        size_t rgnSize;
         (_pReg)->extents = RegionEmptyBox;
-        if (((_size) > 1) && ((_pReg)->data =
-                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
+        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+            (((_pReg)->data = malloc(rgnSize)) != NULL)) {
             (_pReg)->data->size = (_size);
             (_pReg)->data->numRects = 0;
         }
diff --git a/xorg-server/os/access.c b/xorg-server/os/access.c
index 62c3d99..1caedf6 100644
--- a/xorg-server/os/access.c
+++ b/xorg-server/os/access.c
@@ -1500,6 +1500,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
     for (host = validhosts; host; host = host->next) {
         nHosts++;
         n += pad_to_int32(host->len) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1048576)
+            break;
     }
     if (n) {
         *data = ptr = malloc(n);
@@ -1508,6 +1512,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
+                break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
             ptr += sizeof(xHostEntry);
diff --git a/xorg-server/os/rpcauth.c b/xorg-server/os/rpcauth.c
index d60ea35..413cc61 100644
--- a/xorg-server/os/rpcauth.c
+++ b/xorg-server/os/rpcauth.c
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
     SVCXPRT xprt;
 
     temp_inmsg = malloc(len);
+    if (temp_inmsg == NULL) {
+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+        return NULL;
+    }
     memmove(temp_inmsg, inmsg, len);
 
     memset((char *) &msg, 0, sizeof(msg));
diff --git a/xorg-server/present/present_request.c b/xorg-server/present/present_request.c
index c69e683..68076ed 100644
--- a/xorg-server/present/present_request.c
+++ b/xorg-server/present/present_request.c
@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
         rep.sequenceNumber = client->sequence;
         rep.length = 0;
 
+    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
     r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
     switch (r) {
     case Success:
@@ -254,6 +255,7 @@ static int
 sproc_present_query_version(ClientPtr client)
 {
     REQUEST(xPresentQueryVersionReq);
+    REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
@@ -265,6 +267,7 @@ static int
 sproc_present_pixmap(ClientPtr client)
 {
     REQUEST(xPresentPixmapReq);
+    REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -284,6 +287,7 @@ static int
 sproc_present_notify_msc(ClientPtr client)
 {
     REQUEST(xPresentNotifyMSCReq);
+    REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -297,6 +301,7 @@ static int
 sproc_present_select_input (ClientPtr client)
 {
     REQUEST(xPresentSelectInputReq);
+    REQUEST_SIZE_MATCH(xPresentSelectInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -308,6 +313,7 @@ static int
 sproc_present_query_capabilities (ClientPtr client)
 {
     REQUEST(xPresentQueryCapabilitiesReq);
+    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
     swaps(&stuff->length);
     swapl(&stuff->target);
     return (*proc_present_vector[stuff->presentReqType]) (client);
diff --git a/xorg-server/randr/rrsdispatch.c b/xorg-server/randr/rrsdispatch.c
index 08c3b6a..47558cf 100644
--- a/xorg-server/randr/rrsdispatch.c
+++ b/xorg-server/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
 {
     REQUEST(xRRQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
     swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
 {
     REQUEST(xRRGetScreenInfoReq);
 
+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
 {
     REQUEST(xRRSelectInputReq);
 
+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
 {
     REQUEST(xRRConfigureOutputPropertyReq);
 
+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
     swaps(&stuff->length);
     swapl(&stuff->output);
     swapl(&stuff->property);
diff --git a/xorg-server/render/render.c b/xorg-server/render/render.c
index db34fdc..93f1145 100644
--- a/xorg-server/render/render.c
+++ b/xorg-server/render/render.c
@@ -272,10 +272,11 @@ ProcRenderQueryVersion(ClientPtr client)
 
     REQUEST(xRenderQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
     pRenderClient->major_version = stuff->majorVersion;
     pRenderClient->minor_version = stuff->minorVersion;
 
-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
     memset(&rep, 0, sizeof(xRenderQueryVersionReply));
     rep.type = X_Reply;
     rep.sequenceNumber = client->sequence;
@@ -1995,7 +1996,7 @@ static int
 SProcRenderQueryVersion(ClientPtr client)
 {
     REQUEST(xRenderQueryVersionReq);
-
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
     swapl(&stuff->minorVersion);
@@ -2006,6 +2007,7 @@ static int
 SProcRenderQueryPictFormats(ClientPtr client)
 {
     REQUEST(xRenderQueryPictFormatsReq);
+    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
     swaps(&stuff->length);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
@@ -2014,6 +2016,7 @@ static int
 SProcRenderQueryPictIndexValues(ClientPtr client)
 {
     REQUEST(xRenderQueryPictIndexValuesReq);
+    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
     swaps(&stuff->length);
     swapl(&stuff->format);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2029,6 +2032,7 @@ static int
 SProcRenderCreatePicture(ClientPtr client)
 {
     REQUEST(xRenderCreatePictureReq);
+    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
     swaps(&stuff->length);
     swapl(&stuff->pid);
     swapl(&stuff->drawable);
@@ -2042,6 +2046,7 @@ static int
 SProcRenderChangePicture(ClientPtr client)
 {
     REQUEST(xRenderChangePictureReq);
+    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
     swaps(&stuff->length);
     swapl(&stuff->picture);
     swapl(&stuff->mask);
@@ -2053,6 +2058,7 @@ static int
 SProcRenderSetPictureClipRectangles(ClientPtr client)
 {
     REQUEST(xRenderSetPictureClipRectanglesReq);
+    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
     swaps(&stuff->length);
     swapl(&stuff->picture);
     swaps(&stuff->xOrigin);
@@ -2065,6 +2071,7 @@ static int
 SProcRenderFreePicture(ClientPtr client)
 {
     REQUEST(xRenderFreePictureReq);
+    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
     swaps(&stuff->length);
     swapl(&stuff->picture);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2074,6 +2081,7 @@ static int
 SProcRenderComposite(ClientPtr client)
 {
     REQUEST(xRenderCompositeReq);
+    REQUEST_SIZE_MATCH(xRenderCompositeReq);
     swaps(&stuff->length);
     swapl(&stuff->src);
     swapl(&stuff->mask);
@@ -2093,6 +2101,7 @@ static int
 SProcRenderScale(ClientPtr client)
 {
     REQUEST(xRenderScaleReq);
+    REQUEST_SIZE_MATCH(xRenderScaleReq);
     swaps(&stuff->length);
     swapl(&stuff->src);
     swapl(&stuff->dst);
@@ -2193,6 +2202,7 @@ static int
 SProcRenderCreateGlyphSet(ClientPtr client)
 {
     REQUEST(xRenderCreateGlyphSetReq);
+    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
     swaps(&stuff->length);
     swapl(&stuff->gsid);
     swapl(&stuff->format);
@@ -2203,6 +2213,7 @@ static int
 SProcRenderReferenceGlyphSet(ClientPtr client)
 {
     REQUEST(xRenderReferenceGlyphSetReq);
+    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
     swaps(&stuff->length);
     swapl(&stuff->gsid);
     swapl(&stuff->existing);
@@ -2213,6 +2224,7 @@ static int
 SProcRenderFreeGlyphSet(ClientPtr client)
 {
     REQUEST(xRenderFreeGlyphSetReq);
+    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
     swaps(&stuff->length);
     swapl(&stuff->glyphset);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2227,6 +2239,7 @@ SProcRenderAddGlyphs(ClientPtr client)
     xGlyphInfo *gi;
 
     REQUEST(xRenderAddGlyphsReq);
+    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
     swaps(&stuff->length);
     swapl(&stuff->glyphset);
     swapl(&stuff->nglyphs);
@@ -2261,6 +2274,7 @@ static int
 SProcRenderFreeGlyphs(ClientPtr client)
 {
     REQUEST(xRenderFreeGlyphsReq);
+    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
     swaps(&stuff->length);
     swapl(&stuff->glyphset);
     SwapRestL(stuff);
@@ -2278,6 +2292,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
     int size;
 
     REQUEST(xRenderCompositeGlyphsReq);
+    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
 
     switch (stuff->renderReqType) {
     default:
diff --git a/xorg-server/test/misc.c b/xorg-server/test/misc.c
index dd792e6..66330a1 100644
--- a/xorg-server/test/misc.c
+++ b/xorg-server/test/misc.c
@@ -28,6 +28,8 @@
 #include <stdint.h>
 #include "misc.h"
 #include "scrnintstr.h"
+#include "dix.h"
+#include "dixstruct.h"
 
 ScreenInfo screenInfo;
 
@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void)
     assert_dimensions(-w2, -h2, w2, h2);
 }
 
+static int
+dix_request_fixed_size_overflow(ClientRec *client)
+{
+    xReq req = { 0 };
+
+    client->req_len = req.length = 1;
+    REQUEST_FIXED_SIZE(req, SIZE_MAX);
+    return Success;
+}
+
+static int
+dix_request_fixed_size_match(ClientRec *client)
+{
+    xReq req = { 0 };
+
+    client->req_len = req.length = 9;
+    REQUEST_FIXED_SIZE(req, 30);
+    return Success;
+}
+
+static void
+dix_request_size_checks(void)
+{
+    ClientRec client = { 0 };
+    int rc;
+
+    rc = dix_request_fixed_size_overflow(&client);
+    assert(rc == BadLength);
+
+    rc = dix_request_fixed_size_match(&client);
+    assert(rc == Success);
+}
+
+
 int
 main(int argc, char **argv)
 {
     dix_version_compare();
     dix_update_desktop_dimensions();
+    dix_request_size_checks();
 
     return 0;
 }
diff --git a/xorg-server/test/xi1/Makefile.am b/xorg-server/test/xi1/Makefile.am
new file mode 100644
index 0000000..907fa7a
--- /dev/null
+++ b/xorg-server/test/xi1/Makefile.am
@@ -0,0 +1,34 @@
+if ENABLE_UNIT_TESTS
+if HAVE_LD_WRAP
+noinst_PROGRAMS =  \
+	protocol-xchangedevicecontrol
+
+TESTS=$(noinst_PROGRAMS)
+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
+
+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
+
+if SPECIAL_DTRACE_OBJECTS
+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
+endif
+
+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
+
+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
+
+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
+
+else
+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
+TESTS = xi1-tests
+CLEANFILES = $(TESTS)
+
+xi1-tests:
+	@echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
+	@echo 'exit 77' >> $@
+	$(AM_V_GEN)chmod +x $@
+endif
+endif
diff --git a/xorg-server/test/xi1/protocol-xchangedevicecontrol.c b/xorg-server/test/xi1/protocol-xchangedevicecontrol.c
new file mode 100644
index 0000000..8e638b2
--- /dev/null
+++ b/xorg-server/test/xi1/protocol-xchangedevicecontrol.c
@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_DIX_CONFIG_H
+#include <dix-config.h>
+#endif
+
+/*
+ * Protocol testing for ChangeDeviceControl request.
+ */
+#include <stdint.h>
+#include <X11/X.h>
+#include <X11/Xproto.h>
+#include <X11/extensions/XIproto.h>
+#include "inputstr.h"
+#include "chgdctl.h"
+
+#include "protocol-common.h"
+
+static ClientRec client_request;
+
+static void
+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
+{
+    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
+
+    if (client->swapped) {
+        swapl(&rep->length);
+        swaps(&rep->sequenceNumber);
+    }
+
+    reply_check_defaults(rep, len, ChangeDeviceControl);
+
+    /* XXX: check status code in reply */
+}
+
+static void
+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
+                            xDeviceCtl *ctl, int error)
+{
+    int rc;
+
+    client_request.req_len = req->length;
+    rc = ProcXChangeDeviceControl(&client_request);
+    assert(rc == error);
+
+    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
+
+    client_request.swapped = TRUE;
+    swaps(&req->length);
+    swaps(&req->control);
+    swaps(&ctl->length);
+    swaps(&ctl->control);
+    /* XXX: swap other contents of ctl, depending on type */
+    rc = SProcXChangeDeviceControl(&client_request);
+    assert(rc == error);
+}
+
+static unsigned char *data[4096];       /* the request buffer */
+
+static void
+test_ChangeDeviceControl(void)
+{
+    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
+    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
+
+    request_init(request, ChangeDeviceControl);
+
+    reply_handler = reply_ChangeDeviceControl;
+
+    client_request = init_client(request->length, request);
+
+    printf("Testing invalid lengths:\n");
+    printf(" -- no control struct\n");
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    printf(" -- xDeviceResolutionCtl\n");
+    request_init(request, ChangeDeviceControl);
+    request->control = DEVICE_RESOLUTION;
+    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
+    request->length += control->length - 2;
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    printf(" -- xDeviceEnableCtl\n");
+    request_init(request, ChangeDeviceControl);
+    request->control = DEVICE_ENABLE;
+    control->length = (sizeof(xDeviceEnableCtl) >> 2);
+    request->length += control->length - 2;
+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+    /* XXX: Test functionality! */
+}
+
+int
+main(int argc, char **argv)
+{
+    init_simple();
+
+    test_ChangeDeviceControl();
+
+    return 0;
+}
diff --git a/xorg-server/test/xi2/protocol-xigetclientpointer.c b/xorg-server/test/xi2/protocol-xigetclientpointer.c
index 28eb8d3..570c53e 100644
--- a/xorg-server/test/xi2/protocol-xigetclientpointer.c
+++ b/xorg-server/test/xi2/protocol-xigetclientpointer.c
@@ -124,6 +124,11 @@ test_XIGetClientPointer(void)
     request.win = INVALID_WINDOW_ID;
     request_XIGetClientPointer(&client_request, &request, BadWindow);
 
+    printf("Testing invalid length\n");
+    client_request.req_len -= 4;
+    request_XIGetClientPointer(&client_request, &request, BadLength);
+    client_request.req_len += 4;
+
     test_data.cp_is_set = FALSE;
 
     printf("Testing window None, unset ClientPointer.\n");
diff --git a/xorg-server/test/xi2/protocol-xipassivegrabdevice.c b/xorg-server/test/xi2/protocol-xipassivegrabdevice.c
index c747ddf..95d8ebf 100644
--- a/xorg-server/test/xi2/protocol-xipassivegrabdevice.c
+++ b/xorg-server/test/xi2/protocol-xipassivegrabdevice.c
@@ -139,6 +139,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
     int local_modifiers;
     int mask_len;
 
+    client_request.req_len = req->length;
     rc = ProcXIPassiveGrabDevice(&client_request);
     assert(rc == error);
 
@@ -190,6 +191,13 @@ test_XIPassiveGrabDevice(void)
     request_XIPassiveGrabDevice(&client_request, request, BadDevice,
                                 request->deviceid);
 
+    printf("Testing invalid length\n");
+    request->length -= 2;
+    request_XIPassiveGrabDevice(&client_request, request, BadLength,
+                                client_request.errorValue);
+    /* re-init request since swapped length test leaves some values swapped */
+    request_init(request, XIPassiveGrabDevice);
+    request->grab_window = CLIENT_WINDOW_ID;
     request->deviceid = XIAllMasterDevices;
 
     printf("Testing invalid grab types\n");
diff --git a/xorg-server/test/xi2/protocol-xiquerypointer.c b/xorg-server/test/xi2/protocol-xiquerypointer.c
index fc66b64..c0421f6 100644
--- a/xorg-server/test/xi2/protocol-xiquerypointer.c
+++ b/xorg-server/test/xi2/protocol-xiquerypointer.c
@@ -201,6 +201,10 @@ test_XIQueryPointer(void)
     test_data.dev = devices.mouse;
     request.deviceid = devices.mouse->id;
     request_XIQueryPointer(&client_request, &request, Success);
+
+    /* test REQUEST_SIZE_MATCH */
+    client_request.req_len -= 4;
+    request_XIQueryPointer(&client_request, &request, BadLength);
 }
 
 int
diff --git a/xorg-server/test/xi2/protocol-xiwarppointer.c b/xorg-server/test/xi2/protocol-xiwarppointer.c
index f7986c1..3aaaae6 100644
--- a/xorg-server/test/xi2/protocol-xiwarppointer.c
+++ b/xorg-server/test/xi2/protocol-xiwarppointer.c
@@ -198,6 +198,9 @@ test_XIWarpPointer(void)
     request_XIWarpPointer(&client_request, &request, Success);
 
     /* FIXME: src_x/y checks */
+
+    client_request.req_len -= 2; /* invalid length */
+    request_XIWarpPointer(&client_request, &request, BadLength);
 }
 
 int
diff --git a/xorg-server/xfixes/select.c b/xorg-server/xfixes/select.c
index 5a6be7d..8772b2c 100644
--- a/xorg-server/xfixes/select.c
+++ b/xorg-server/xfixes/select.c
@@ -200,6 +200,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
 {
     REQUEST(xXFixesSelectSelectionInputReq);
 
+    REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     swapl(&stuff->selection);

--
Alioth's /srv/git/code.x2go.org/vcxsrv.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/vcxsrv.git


More information about the x2go-commits mailing list