Index: configure
===================================================================
RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/configure,v
retrieving revision 1.1.1.9
diff -p -u -p -r1.1.1.9 configure
--- configure 3 Jun 2013 07:34:19 -0000 1.1.1.9
+++ configure 6 Dec 2014 23:40:01 -0000
@@ -39376,7 +39376,7 @@ DIX_CFLAGS="-DHAVE_DIX_CONFIG_H $XSERVER ac_config_commands="$ac_config_commands sdksyms" -ac_config_files="$ac_config_files Makefile glx/Makefile include/Makefile composite/Makefile damageext/Makefile dbe/Makefile dix/Makefile doc/Makefile doc/man/Makefile doc/xml/Makefile doc/xml/dtrace/Makefile doc/xml/xserver.ent fb/Makefile record/Makefile config/Makefile mi/Makefile miext/Makefile miext/sync/Makefile miext/damage/Makefile miext/shadow/Makefile miext/cw/Makefile miext/rootless/Makefile os/Makefile randr/Makefile render/Makefile xkb/Makefile Xext/Makefile Xi/Makefile xfixes/Makefile exa/Makefile hw/Makefile hw/xfree86/Makefile hw/xfree86/common/Makefile hw/xfree86/common/xf86Build.h hw/xfree86/ddc/Makefile hw/xfree86/dixmods/Makefile hw/xfree86/dixmods/extmod/Makefile hw/xfree86/doc/Makefile hw/xfree86/doc/devel/Makefile hw/xfree86/doc/man/Makefile hw/xfree86/doc/sgml/Makefile hw/xfree86/dri/Makefile hw/xfree86/dri2/Makefile hw/xfree86/exa/Makefile hw/xfree86/exa/man/Makefile hw/xfree86/fbdevhw/Makefile hw/xfree86/fbdevhw/man/Makefile hw/xfree86/i2c/Makefile hw/xfree86/int10/Makefile hw/xfree86/loader/Makefile hw/xfree86/modes/Makefile hw/xfree86/os-support/Makefile hw/xfree86/os-support/bsd/Makefile hw/xfree86/os-support/bus/Makefile hw/xfree86/os-support/hurd/Makefile hw/xfree86/os-support/misc/Makefile hw/xfree86/os-support/linux/Makefile hw/xfree86/os-support/solaris/Makefile hw/xfree86/parser/Makefile hw/xfree86/ramdac/Makefile hw/xfree86/shadowfb/Makefile hw/xfree86/vbe/Makefile hw/xfree86/vgahw/Makefile hw/xfree86/x86emu/Makefile hw/xfree86/xaa/Makefile hw/xfree86/utils/Makefile hw/xfree86/utils/man/Makefile hw/xfree86/utils/cvt/Makefile hw/xfree86/utils/gtf/Makefile hw/dmx/config/Makefile hw/dmx/config/man/Makefile hw/dmx/doc/Makefile hw/dmx/doc/doxygen.conf hw/dmx/examples/Makefile hw/dmx/input/Makefile hw/dmx/glxProxy/Makefile hw/dmx/Makefile hw/dmx/man/Makefile hw/vfb/Makefile hw/vfb/man/Makefile hw/xnest/Makefile 
hw/xnest/man/Makefile hw/xwin/Makefile hw/xwin/glx/Makefile hw/xwin/man/Makefile hw/xquartz/Makefile hw/xquartz/GL/Makefile hw/xquartz/bundle/Makefile hw/xquartz/man/Makefile hw/xquartz/mach-startup/Makefile hw/xquartz/pbproxy/Makefile hw/xquartz/xpr/Makefile hw/kdrive/Makefile hw/kdrive/ephyr/Makefile hw/kdrive/ephyr/man/Makefile hw/kdrive/fake/Makefile hw/kdrive/fbdev/Makefile hw/kdrive/linux/Makefile hw/kdrive/src/Makefile test/Makefile test/xi2/Makefile xorg-server.pc" +ac_config_files="$ac_config_files Makefile glx/Makefile include/Makefile composite/Makefile damageext/Makefile dbe/Makefile dix/Makefile doc/Makefile doc/man/Makefile doc/xml/Makefile doc/xml/dtrace/Makefile doc/xml/xserver.ent fb/Makefile record/Makefile config/Makefile mi/Makefile miext/Makefile miext/sync/Makefile miext/damage/Makefile miext/shadow/Makefile miext/cw/Makefile miext/rootless/Makefile os/Makefile randr/Makefile render/Makefile xkb/Makefile Xext/Makefile Xi/Makefile xfixes/Makefile exa/Makefile hw/Makefile hw/xfree86/Makefile hw/xfree86/common/Makefile hw/xfree86/common/xf86Build.h hw/xfree86/ddc/Makefile hw/xfree86/dixmods/Makefile hw/xfree86/dixmods/extmod/Makefile hw/xfree86/doc/Makefile hw/xfree86/doc/devel/Makefile hw/xfree86/doc/man/Makefile hw/xfree86/doc/sgml/Makefile hw/xfree86/dri/Makefile hw/xfree86/dri2/Makefile hw/xfree86/exa/Makefile hw/xfree86/exa/man/Makefile hw/xfree86/fbdevhw/Makefile hw/xfree86/fbdevhw/man/Makefile hw/xfree86/i2c/Makefile hw/xfree86/int10/Makefile hw/xfree86/loader/Makefile hw/xfree86/modes/Makefile hw/xfree86/os-support/Makefile hw/xfree86/os-support/bsd/Makefile hw/xfree86/os-support/bus/Makefile hw/xfree86/os-support/hurd/Makefile hw/xfree86/os-support/misc/Makefile hw/xfree86/os-support/linux/Makefile hw/xfree86/os-support/solaris/Makefile hw/xfree86/parser/Makefile hw/xfree86/ramdac/Makefile hw/xfree86/shadowfb/Makefile hw/xfree86/vbe/Makefile hw/xfree86/vgahw/Makefile hw/xfree86/x86emu/Makefile hw/xfree86/xaa/Makefile 
hw/xfree86/utils/Makefile hw/xfree86/utils/man/Makefile hw/xfree86/utils/cvt/Makefile hw/xfree86/utils/gtf/Makefile hw/dmx/config/Makefile hw/dmx/config/man/Makefile hw/dmx/doc/Makefile hw/dmx/doc/doxygen.conf hw/dmx/examples/Makefile hw/dmx/input/Makefile hw/dmx/glxProxy/Makefile hw/dmx/Makefile hw/dmx/man/Makefile hw/vfb/Makefile hw/vfb/man/Makefile hw/xnest/Makefile hw/xnest/man/Makefile hw/xwin/Makefile hw/xwin/glx/Makefile hw/xwin/man/Makefile hw/xquartz/Makefile hw/xquartz/GL/Makefile hw/xquartz/bundle/Makefile hw/xquartz/man/Makefile hw/xquartz/mach-startup/Makefile hw/xquartz/pbproxy/Makefile hw/xquartz/xpr/Makefile hw/kdrive/Makefile hw/kdrive/ephyr/Makefile hw/kdrive/ephyr/man/Makefile hw/kdrive/fake/Makefile hw/kdrive/fbdev/Makefile hw/kdrive/linux/Makefile hw/kdrive/src/Makefile test/Makefile test/xi1/Makefile test/xi2/Makefile xorg-server.pc" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -41058,6 +41058,7 @@ do "hw/kdrive/linux/Makefile") CONFIG_FILES="$CONFIG_FILES hw/kdrive/linux/Makefile" ;; "hw/kdrive/src/Makefile") CONFIG_FILES="$CONFIG_FILES hw/kdrive/src/Makefile" ;; "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; + "test/xi1/Makefile") CONFIG_FILES="$CONFIG_FILES test/xi1/Makefile" ;; "test/xi2/Makefile") CONFIG_FILES="$CONFIG_FILES test/xi2/Makefile" ;; "xorg-server.pc") CONFIG_FILES="$CONFIG_FILES xorg-server.pc" ;; Index: configure.ac =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/configure.ac,v retrieving revision 1.1.1.9 diff -p -u -p -r1.1.1.9 configure.ac --- configure.ac 3 Jun 2013 07:34:19 -0000 1.1.1.9 +++ configure.ac 6 Dec 2014 23:40:01 -0000 
@@ -2264,6 +2264,7 @@ hw/kdrive/fbdev/Makefile hw/kdrive/linux/Makefile hw/kdrive/src/Makefile test/Makefile +test/xi1/Makefile test/xi2/Makefile xorg-server.pc ]) Index: Xext/xcmisc.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c,v retrieving revision 1.1.1.4 diff -p -u -p -r1.1.1.4 xcmisc.c --- Xext/xcmisc.c 2 Aug 2011 06:57:06 -0000 1.1.1.4 +++ Xext/xcmisc.c 6 Dec 2014 23:40:01 -0000 @@ -175,6 +175,7 @@ SProcXCMiscGetXIDList(ClientPtr client) { int n; REQUEST(xXCMiscGetXIDListReq); + REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); swaps(&stuff->length, n); swapl(&stuff->count, n); Index: Xext/xvdisp.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c,v retrieving revision 1.4 diff -p -u -p -r1.4 xvdisp.c --- Xext/xvdisp.c 3 Jun 2013 07:38:40 -0000 1.4 +++ Xext/xvdisp.c 6 Dec 2014 23:40:01 -0000 @@ -1280,6 +1280,7 @@ SProcXvQueryExtension(ClientPtr client) { char n; REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length, n); return XvProcVector[xv_QueryExtension](client); } @@ -1289,6 +1290,7 @@ SProcXvQueryAdaptors(ClientPtr client) { char n; REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return XvProcVector[xv_QueryAdaptors](client); @@ -1299,6 +1301,7 @@ SProcXvQueryEncodings(ClientPtr client) { char n; REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return XvProcVector[xv_QueryEncodings](client); @@ -1309,6 +1312,7 @@ SProcXvGrabPort(ClientPtr client) { char n; REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); 
@@ -1320,6 +1324,7 @@ SProcXvUngrabPort(ClientPtr client) { char n; REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1331,6 +1336,7 @@ SProcXvPutVideo(ClientPtr client) { char n; REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1351,6 +1357,7 @@ SProcXvPutStill(ClientPtr client) { char n; REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1371,6 +1378,7 @@ SProcXvGetVideo(ClientPtr client) { char n; REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1391,6 +1399,7 @@ SProcXvGetStill(ClientPtr client) { char n; REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1411,6 +1420,7 @@ SProcXvPutImage(ClientPtr client) { char n; REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1435,6 +1445,7 @@ SProcXvShmPutImage(ClientPtr client) { char n; REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1463,6 +1474,7 @@ SProcXvSelectVideoNotify(ClientPtr clien { char n; REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length, n); swapl(&stuff->drawable, n); return XvProcVector[xv_SelectVideoNotify](client); @@ -1473,6 +1485,7 @@ SProcXvSelectPortNotify(ClientPtr client { char n; REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return XvProcVector[xv_SelectPortNotify](client); 
@@ -1483,6 +1496,7 @@ SProcXvStopVideo(ClientPtr client) { char n; REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1494,6 +1508,7 @@ SProcXvSetPortAttribute(ClientPtr client { char n; REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1506,6 +1521,7 @@ SProcXvGetPortAttribute(ClientPtr client { char n; REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1517,6 +1533,7 @@ SProcXvQueryBestSize(ClientPtr client) { char n; REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swaps(&stuff->vid_w, n); @@ -1531,6 +1548,7 @@ SProcXvQueryPortAttributes(ClientPtr cli { char n; REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return XvProcVector[xv_QueryPortAttributes](client); @@ -1541,6 +1559,7 @@ SProcXvQueryImageAttributes(ClientPtr cl { char n; REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->id, n); @@ -1554,6 +1573,7 @@ SProcXvListImageFormats(ClientPtr client { char n; REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return XvProcVector[xv_ListImageFormats](client); Index: Xi/chgdctl.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 chgdctl.c --- Xi/chgdctl.c 23 Nov 2010 05:22:10 -0000 1.1.1.3 +++ Xi/chgdctl.c 6 Dec 2014 23:40:01 -0000 
@@ -81,7 +81,7 @@ SProcXChangeDeviceControl(ClientPtr clie REQUEST(xChangeDeviceControlReq); swaps(&stuff->length, n); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); swaps(&stuff->control, n); ctl = (xDeviceCtl*)&stuff[1]; swaps(&ctl->control, n); @@ -140,7 +140,7 @@ ProcXChangeDeviceControl(ClientPtr clien devicePresenceNotify dpn; REQUEST(xChangeDeviceControlReq); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); @@ -248,6 +248,10 @@ ProcXChangeDeviceControl(ClientPtr clien break; case DEVICE_ENABLE: e = (xDeviceEnableCtl *)&stuff[1]; + if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) { + ret = BadLength; + goto out; + } status = ChangeDeviceControl(client, dev, (xDeviceCtl *) e); Index: Xi/chgfctl.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 chgfctl.c --- Xi/chgfctl.c 23 Nov 2010 05:22:10 -0000 1.1.1.3 +++ Xi/chgfctl.c 6 Dec 2014 23:40:01 -0000 @@ -471,6 +471,8 @@ ProcXChangeFeedbackControl(ClientPtr cli xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]); if (client->swapped) { + if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) + return BadLength; swaps(&f->num_keysyms, n); } if (len != (bytes_to_int32(sizeof(xStringFeedbackCtl)) + f->num_keysyms)) Index: Xi/sendexev.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/sendexev.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 sendexev.c --- Xi/sendexev.c 23 Nov 2010 05:22:11 -0000 1.1.1.3 +++ Xi/sendexev.c 6 Dec 2014 23:40:01 -0000 
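Review bot: In ProcXChangeFeedbackControl (Xi/chgfctl.c) the new minimum-length test sits inside `if (client->swapped)`, so a native-byte-order client still reaches the read of `f->num_keysyms` in the following `len != ...` comparison without `len` having been checked against `sizeof(xStringFeedbackCtl)`. Hoisting the test above the branch covers both paths: `if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength;` followed by `if (client->swapped) swaps(&f->num_keysyms, n);`. The enclosing switch case starts and ends outside the hunk, so any earlier validation of `len` is not visible here.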
@@ -134,6 +134,9 @@ ProcXSendExtensionEvent(ClientPtr client if (ret != Success) return ret; + if (stuff->num_events == 0) + return ret; + /* The client's event type must be one defined by an extension. */ first = ((xEvent *) & stuff[1]); Index: Xi/xiallowev.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 xiallowev.c --- Xi/xiallowev.c 23 Nov 2010 05:22:11 -0000 1.1.1.1 +++ Xi/xiallowev.c 6 Dec 2014 23:40:01 -0000 @@ -47,6 +47,7 @@ SProcXIAllowEvents(ClientPtr client) char n; REQUEST(xXIAllowEventsReq); + REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); Index: Xi/xichangecursor.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 xichangecursor.c --- Xi/xichangecursor.c 23 Nov 2010 05:22:10 -0000 1.1.1.1 +++ Xi/xichangecursor.c 6 Dec 2014 23:40:01 -0000 @@ -59,11 +59,11 @@ SProcXIChangeCursor(ClientPtr client) char n; REQUEST(xXIChangeCursorReq); + REQUEST_SIZE_MATCH(xXIChangeCursorReq); swaps(&stuff->length, n); swapl(&stuff->win, n); swapl(&stuff->cursor, n); swaps(&stuff->deviceid, n); - REQUEST_SIZE_MATCH(xXIChangeCursorReq); return (ProcXIChangeCursor(client)); } Index: Xi/xichangehierarchy.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 xichangehierarchy.c --- Xi/xichangehierarchy.c 3 Jun 2013 07:34:29 -0000 1.1.1.3 +++ Xi/xichangehierarchy.c 6 Dec 2014 23:40:01 -0000 
@@ -436,7 +436,7 @@ int ProcXIChangeHierarchy(ClientPtr client) { xXIAnyHierarchyChangeInfo *any; - int required_len = sizeof(xXIChangeHierarchyReq); + size_t len; /* length of data remaining in request */ char n; int rc = Success; int flags[MAXDEVICES] = {0}; @@ -447,22 +447,47 @@ ProcXIChangeHierarchy(ClientPtr client) if (!stuff->num_changes) return rc; + if (stuff->length > (INT_MAX >> 2)) + return BadAlloc; + len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); + any = (xXIAnyHierarchyChangeInfo*)&stuff[1]; while(stuff->num_changes--) { + if (len < sizeof(xXIAnyHierarchyChangeInfo)) { + rc = BadLength; + goto unwind; + } + SWAPIF(swapl(&any->type, n)); SWAPIF(swaps(&any->length, n)); - required_len += any->length; - if ((stuff->length * 4) < required_len) + if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) return BadLength; +#define CHANGE_SIZE_MATCH(type) \ + do { \ + if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ + rc = BadLength; \ + goto unwind; \ + } \ + } while(0) + switch(any->type) { case XIAddMaster: { xXIAddMasterInfo* c = (xXIAddMasterInfo*)any; + /* Variable length, due to appended name string */ + if (len < sizeof(xXIAddMasterInfo)) { + rc = BadLength; + goto unwind; + } SWAPIF(swaps(&c->name_len, n)); + if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { + rc = BadLength; + goto unwind; + } rc = add_master(client, c, flags); if (rc != Success) @@ -473,6 +498,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIRemoveMasterInfo* r = (xXIRemoveMasterInfo*)any; + CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); rc = remove_master(client, r, flags); if (rc != Success) goto unwind; @@ -482,6 +508,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIDetachSlaveInfo* c = (xXIDetachSlaveInfo*)any; + CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); rc = detach_slave(client, c, flags); if (rc != Success) goto unwind; 
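Review bot: In ProcXIChangeHierarchy the remaining-length counter is initialised as `(stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo)`, but `any` starts at `&stuff[1]`, i.e. directly after the request header, and the removed `required_len` was seeded with `sizeof(xXIChangeHierarchyReq)`. The value to subtract should be the request struct, `len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);`; if the request header is larger than the per-change header, `len` overstates the bytes that really follow and the later `len < sizeof(...)` and `name_len` checks will accept reads slightly past the request. Separately, the rewritten `any->length` test still does `return BadLength;` while every other new failure path in the loop uses `rc = BadLength; goto unwind;`, so it skips whatever unwind handling exists for changes already applied. The `unwind` label itself is outside the hunk.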
@@ -491,6 +518,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIAttachSlaveInfo* c = (xXIAttachSlaveInfo*)any; + CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); rc = attach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -498,6 +526,7 @@ ProcXIChangeHierarchy(ClientPtr client) break; } + len -= any->length * 4; any = (xXIAnyHierarchyChangeInfo*)((char*)any + any->length * 4); } Index: Xi/xigetclientpointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 xigetclientpointer.c --- Xi/xigetclientpointer.c 23 Nov 2010 05:22:11 -0000 1.1.1.1 +++ Xi/xigetclientpointer.c 6 Dec 2014 23:40:01 -0000 @@ -51,6 +51,7 @@ SProcXIGetClientPointer(ClientPtr client { char n; REQUEST(xXIGetClientPointerReq); + REQUEST_SIZE_MATCH(xXIGetClientPointerReq); swaps(&stuff->length, n); swapl(&stuff->win, n); Index: Xi/xigrabdev.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 xigrabdev.c --- Xi/xigrabdev.c 2 Aug 2011 06:57:05 -0000 1.1.1.2 +++ Xi/xigrabdev.c 6 Dec 2014 23:40:01 -0000 @@ -48,6 +48,11 @@ SProcXIGrabDevice(ClientPtr client) char n; REQUEST(xXIGrabDeviceReq); + /* + * Check here for at least the length of the struct we swap, then + * let ProcXIGrabDevice check the full size after we swap mask_len. + */ + REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); @@ -70,7 +75,7 @@ ProcXIGrabDevice(ClientPtr client) int mask_len; REQUEST(xXIGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); if (ret != Success) 
@@ -135,6 +140,8 @@ ProcXIUngrabDevice(ClientPtr client) TimeStamp time; REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); if (ret != Success) Index: Xi/xipassivegrab.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 xipassivegrab.c --- Xi/xipassivegrab.c 3 Jun 2013 07:34:29 -0000 1.1.1.3 +++ Xi/xipassivegrab.c 6 Dec 2014 23:40:01 -0000 @@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr clien xXIModifierInfo *mods; REQUEST(xXIPassiveGrabDeviceReq); + REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); @@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr clien swaps(&stuff->mask_len, n); swaps(&stuff->num_modifiers, n); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, + ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4); mods = (xXIModifierInfo*)&stuff[1]; for (i = 0; i < stuff->num_modifiers; i++, mods++) @@ -91,7 +94,8 @@ ProcXIPassiveGrabDevice(ClientPtr client int n; REQUEST(xXIPassiveGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, + ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4); if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; @@ -243,6 +247,7 @@ SProcXIPassiveUngrabDevice(ClientPtr cli uint32_t *modifiers; REQUEST(xXIPassiveUngrabDeviceReq); + REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); swaps(&stuff->length, n); swapl(&stuff->grab_window, n); 
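Review bot: ProcXIUngrabDevice (Xi/xigrabdev.c) now contains `REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);` twice in a row. The second call checks the same request type with nothing in between that could change the length, so it is redundant and looks like a merge artefact. Drop one of the two lines and keep a blank line before `ret = dixLookupDevice(...)`.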
@@ -250,6 +255,8 @@ SProcXIPassiveUngrabDevice(ClientPtr cli swapl(&stuff->detail, n); swaps(&stuff->num_modifiers, n); + REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, + ((uint32_t) stuff->num_modifiers) << 2); modifiers = (uint32_t*)&stuff[1]; for (i = 0; i < stuff->num_modifiers; i++, modifiers++) @@ -268,7 +275,8 @@ ProcXIPassiveUngrabDevice(ClientPtr clie int i, rc; REQUEST(xXIPassiveUngrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, + ((uint32_t) stuff->num_modifiers) << 2); if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; Index: Xi/xiproperty.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c,v retrieving revision 1.1.1.4 diff -p -u -p -r1.1.1.4 xiproperty.c --- Xi/xiproperty.c 2 Aug 2011 06:57:05 -0000 1.1.1.4 +++ Xi/xiproperty.c 6 Dec 2014 23:40:01 -0000 @@ -1038,10 +1038,9 @@ SProcXListDeviceProperties (ClientPtr cl { char n; REQUEST(xListDevicePropertiesReq); + REQUEST_SIZE_MATCH(xListDevicePropertiesReq); swaps(&stuff->length, n); - - REQUEST_SIZE_MATCH(xListDevicePropertiesReq); return (ProcXListDeviceProperties(client)); } @@ -1064,10 +1063,10 @@ SProcXDeleteDeviceProperty (ClientPtr cl { char n; REQUEST(xDeleteDevicePropertyReq); + REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); swaps(&stuff->length, n); swapl(&stuff->property, n); - REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); return (ProcXDeleteDeviceProperty(client)); } @@ -1076,13 +1075,13 @@ SProcXGetDeviceProperty (ClientPtr clien { char n; REQUEST(xGetDevicePropertyReq); + REQUEST_SIZE_MATCH(xGetDevicePropertyReq); swaps(&stuff->length, n); swapl(&stuff->property, n); swapl(&stuff->type, n); swapl(&stuff->longOffset, n); swapl(&stuff->longLength, n); - REQUEST_SIZE_MATCH(xGetDevicePropertyReq); return (ProcXGetDeviceProperty(client)); } 
@@ -1281,11 +1280,10 @@ SProcXIListProperties(ClientPtr client) { char n; REQUEST(xXIListPropertiesReq); + REQUEST_SIZE_MATCH(xXIListPropertiesReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); - - REQUEST_SIZE_MATCH(xXIListPropertiesReq); return (ProcXIListProperties(client)); } @@ -1309,11 +1307,11 @@ SProcXIDeleteProperty(ClientPtr client) { char n; REQUEST(xXIDeletePropertyReq); + REQUEST_SIZE_MATCH(xXIDeletePropertyReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); swapl(&stuff->property, n); - REQUEST_SIZE_MATCH(xXIDeletePropertyReq); return (ProcXIDeleteProperty(client)); } @@ -1322,6 +1320,7 @@ SProcXIGetProperty(ClientPtr client) { char n; REQUEST(xXIGetPropertyReq); + REQUEST_SIZE_MATCH(xXIGetPropertyReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); @@ -1329,7 +1328,6 @@ SProcXIGetProperty(ClientPtr client) swapl(&stuff->type, n); swapl(&stuff->offset, n); swapl(&stuff->len, n); - REQUEST_SIZE_MATCH(xXIGetPropertyReq); return (ProcXIGetProperty(client)); } Index: Xi/xiquerydevice.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 xiquerydevice.c --- Xi/xiquerydevice.c 2 Aug 2011 06:57:05 -0000 1.1.1.2 +++ Xi/xiquerydevice.c 6 Dec 2014 23:40:01 -0000 @@ -55,6 +55,7 @@ SProcXIQueryDevice(ClientPtr client) char n; REQUEST(xXIQueryDeviceReq); + REQUEST_SIZE_MATCH(xXIQueryDeviceReq); swaps(&stuff->length, n); swaps(&stuff->deviceid, n); Index: Xi/xiquerypointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 xiquerypointer.c --- Xi/xiquerypointer.c 2 Aug 2011 06:57:05 -0000 1.1.1.2 +++ Xi/xiquerypointer.c 6 Dec 2014 23:40:01 -0000 
@@ -64,6 +64,8 @@ SProcXIQueryPointer(ClientPtr client) char n; REQUEST(xXIQueryPointerReq); + REQUEST_SIZE_MATCH(xXIQueryPointerReq); + swaps(&stuff->length, n); swaps(&stuff->deviceid, n); swapl(&stuff->win, n); Index: Xi/xiselectev.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 xiselectev.c --- Xi/xiselectev.c 2 Aug 2011 06:57:05 -0000 1.1.1.2 +++ Xi/xiselectev.c 6 Dec 2014 23:40:01 -0000 @@ -65,6 +65,7 @@ SProcXISelectEvents(ClientPtr client) { char n; int i; + int len; xXIEventMask* evmask; REQUEST(xXISelectEventsReq); @@ -73,11 +74,18 @@ SProcXISelectEvents(ClientPtr client) swapl(&stuff->win, n); swaps(&stuff->num_masks, n); + len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq)); evmask = (xXIEventMask*)&stuff[1]; for (i = 0; i < stuff->num_masks; i++) { + if (len < bytes_to_int32(sizeof(xXIEventMask))) + return BadLength; + len -= bytes_to_int32(sizeof(xXIEventMask)); swaps(&evmask->deviceid, n); swaps(&evmask->mask_len, n); + if (len < evmask->mask_len) + return BadLength; + len -= evmask->mask_len; evmask = (xXIEventMask*)(((char*)&evmask[1]) + evmask->mask_len * 4); } Index: Xi/xisetclientpointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 xisetclientpointer.c --- Xi/xisetclientpointer.c 23 Nov 2010 05:22:11 -0000 1.1.1.1 +++ Xi/xisetclientpointer.c 6 Dec 2014 23:40:01 -0000 
@@ -54,10 +54,11 @@ SProcXISetClientPointer(ClientPtr client char n; REQUEST(xXISetClientPointerReq); + REQUEST_SIZE_MATCH(xXISetClientPointerReq); + swaps(&stuff->length, n); swapl(&stuff->win, n); swaps(&stuff->deviceid, n); - REQUEST_SIZE_MATCH(xXISetClientPointerReq); return (ProcXISetClientPointer(client)); } Index: Xi/xisetdevfocus.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 xisetdevfocus.c --- Xi/xisetdevfocus.c 23 Nov 2010 05:22:11 -0000 1.1.1.1 +++ Xi/xisetdevfocus.c 6 Dec 2014 23:40:01 -0000 @@ -46,6 +46,8 @@ SProcXISetFocus(ClientPtr client) char n; REQUEST(xXISetFocusReq); + REQUEST_AT_LEAST_SIZE(xXISetFocusReq); + swaps(&stuff->length, n); swaps(&stuff->deviceid, n); swapl(&stuff->focus, n); @@ -60,6 +62,8 @@ SProcXIGetFocus(ClientPtr client) char n; REQUEST(xXIGetFocusReq); + REQUEST_AT_LEAST_SIZE(xXIGetFocusReq); + swaps(&stuff->length, n); swaps(&stuff->deviceid, n); Index: Xi/xiwarppointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 xiwarppointer.c --- Xi/xiwarppointer.c 2 Aug 2011 06:57:05 -0000 1.1.1.2 +++ Xi/xiwarppointer.c 6 Dec 2014 23:40:01 -0000 @@ -59,6 +59,8 @@ SProcXIWarpPointer(ClientPtr client) char n; REQUEST(xXIWarpPointerReq); + REQUEST_SIZE_MATCH(xXIWarpPointerReq); + swaps(&stuff->length, n); swapl(&stuff->src_win, n); swapl(&stuff->dst_win, n); Index: dbe/dbe.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/dbe/dbe.c,v retrieving revision 1.1.1.4 diff -p -u -p -r1.1.1.4 dbe.c --- dbe/dbe.c 2 Aug 2011 06:56:45 -0000 1.1.1.4 +++ dbe/dbe.c 6 Dec 2014 23:40:01 -0000 
@@ -487,8 +487,8 @@ ProcDbeSwapBuffers(ClientPtr client) DbeSwapInfoPtr swapInfo; xDbeSwapInfo *dbeSwapInfo; int error; - register int i, j; - int nStuff; + unsigned int i, j; + unsigned int nStuff; REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); @@ -496,11 +496,13 @@ ProcDbeSwapBuffers(ClientPtr client) if (nStuff == 0) { + REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); return Success; } if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; @@ -1035,7 +1037,7 @@ static int SProcDbeSwapBuffers(ClientPtr client) { REQUEST(xDbeSwapBuffersReq); - register int i, n; + unsigned int i, n; xDbeSwapInfo *pSwapInfo; @@ -1043,6 +1045,9 @@ SProcDbeSwapBuffers(ClientPtr client) REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); swapl(&stuff->n, n); + if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { Index: dix/dispatch.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/dix/dispatch.c,v retrieving revision 1.1.1.7 diff -p -u -p -r1.1.1.7 dispatch.c --- dix/dispatch.c 3 Jun 2013 07:34:19 -0000 1.1.1.7 +++ dix/dispatch.c 6 Dec 2014 23:40:01 -0000 
@@ -1973,6 +1973,9 @@ ProcPutImage(ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; + + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; if ((bytes_to_int32(lengthProto * stuff->height) + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) Index: dix/region.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/dix/region.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 region.c --- dix/region.c 23 Nov 2010 05:21:00 -0000 1.1.1.1 +++ dix/region.c 6 Dec 2014 23:40:01 -0000 @@ -169,7 +169,6 @@ Equipment Corporation. ((r1)->y1 <= (r2)->y1) && \ ((r1)->y2 >= (r2)->y2) ) -#define xallocData(n) malloc(RegionSizeof(n)) #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) #define RECTALLOC_BAIL(pReg,n,bail) \ @@ -206,8 +205,9 @@ if (!(pReg)->data || (((pReg)->data->num #define DOWNSIZE(reg,numRects) \ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ { \ - RegDataPtr NewData; \ - NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ + size_t NewSize = RegionSizeof(numRects); \ + RegDataPtr NewData = \ + (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ if (NewData) \ { \ NewData->size = (numRects); \ @@ -335,11 +335,13 @@ Bool RegionRectAlloc(RegionPtr pRgn, int n) { RegDataPtr data; + size_t rgnSize; if (!pRgn->data) { n++; - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak (pRgn); pRgn->data->numRects = 1; @@ -347,7 +349,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) } else if (!pRgn->data->size) { - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak (pRgn); pRgn->data->numRects = 0; 
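Review bot: The new overflow guard in ProcPutImage divides by a client-supplied value, `INT32_MAX / stuff->height`, and nothing visible in the hunk rules out a height of zero, which would make the server trap on an integer division by zero. Guard the division, e.g. `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength;`; with a zero height the product in the following `client->req_len` comparison is zero and cannot overflow. The function body starts and ends outside the hunk, so confirm that no earlier check already rejects a zero height.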
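Review bot: The `(rgnSize > 0) ? malloc(rgnSize) : NULL` idiom that replaces `xallocData` in dix/region.c is written out twice in RegionRectAlloc here, again with `realloc` in the next hunk, and once more in RegionFromRects, and it only protects anything if `RegionSizeof()` returns 0 for an out-of-range count, which this diff does not show. A single helper would state that contract in one place, for example `static inline RegDataPtr xallocData(int n) { size_t sz = RegionSizeof(n); return sz ? malloc(sz) : NULL; }` with a comment that 0 means the size could not be represented. Note also that `n++` and `n += pRgn->data->numRects` are still computed in signed `int` before the size is derived.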
@@ -361,7 +364,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) n = 250; } n += pRgn->data->numRects; - data = (RegDataPtr)realloc(pRgn->data, RegionSizeof(n)); + rgnSize = RegionSizeof(n); + data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; if (!data) return RegionBreak (pRgn); pRgn->data = data; @@ -1350,6 +1354,7 @@ RegionFromRects(int nrects, xRectangle * { RegionPtr pRgn; + size_t rgnSize; RegDataPtr pData; BoxPtr pBox; int i; @@ -1378,7 +1383,8 @@ RegionFromRects(int nrects, xRectangle * } return pRgn; } - pData = xallocData(nrects); + rgnSize = RegionSizeof(nrects); + pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pData) { RegionBreak (pRgn); Index: glx/glxcmds.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxcmds.c,v retrieving revision 1.6 diff -p -u -p -r1.6 glxcmds.c --- glx/glxcmds.c 2 Aug 2011 07:16:36 -0000 1.6 +++ glx/glxcmds.c 6 Dec 2014 23:40:01 -0000 @@ -1895,7 +1895,7 @@ int __glXDisp_Render(__GLXclientState *c left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData entry; - int extra; + int extra = 0; __GLXdispatchRenderProcPtr proc; int err; @@ -1914,6 +1914,9 @@ int __glXDisp_Render(__GLXclientState *c cmdlen = hdr->length; opcode = hdr->opcode; + if (left < cmdlen) + return BadLength; + /* ** Check for core opcodes and grab entry data. */ 
@@ -1927,23 +1930,21 @@ int __glXDisp_Render(__GLXclientState *c return __glXError(GLXBadRenderRequest); } + if (cmdlen < entry.bytes) { + return BadLength; + } + if (entry.varsize) { /* variable size command */ extra = (*entry.varsize)(pc + __GLX_RENDER_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_LARGE_HDR_SIZE); if (extra < 0) { - extra = 0; - } - if (cmdlen != __GLX_PAD(entry.bytes + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry.bytes)) { return BadLength; } } - if (left < cmdlen) { + + if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) { return BadLength; } @@ -1978,6 +1979,8 @@ int __glXDisp_RenderLarge(__GLXclientSta CARD16 opcode; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); + req = (xGLXRenderLargeReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -1993,12 +1996,14 @@ int __glXDisp_RenderLarge(__GLXclientSta __glXResetLargeCommandStatus(cl); return error; } + if (safe_pad(req->dataBytes) < 0) + return BadLength; dataBytes = req->dataBytes; /* ** Check the request length. */ - if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { + if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { client->errorValue = req->length; /* Reset in case this isn't 1st request. */ __glXResetLargeCommandStatus(cl); @@ -2008,7 +2013,8 @@ int __glXDisp_RenderLarge(__GLXclientSta if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData entry; - int extra; + int extra = 0; + int left = (req->length << 2) - sz_xGLXRenderLargeReq; size_t cmdlen; int err; 
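Review bot: The remaining-length argument passed to `entry.varsize` appears to use the wrong header constant: this hunk passes `left - __GLX_RENDER_LARGE_HDR_SIZE` while the data pointer is `pc + __GLX_RENDER_HDR_SIZE`, and the matching call in __glXDisp_RenderLarge (hunk at -2045) passes `left - __GLX_RENDER_HDR_SIZE` with `pc + __GLX_RENDER_LARGE_HDR_SIZE`. The two look swapped. Going by the removed comment that the large header is 4 bytes longer, RenderLarge then tells the size function it has 4 more bytes than actually follow the header. Suggested: `left - __GLX_RENDER_HDR_SIZE);` here and `left - __GLX_RENDER_LARGE_HDR_SIZE);` in RenderLarge. The size functions visible in this diff do not read `reqlen`, so the effect depends on those that do; the body of __glXDisp_Render continues outside the hunk.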
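Review bot: The new `return BadLength` after `safe_pad(req->dataBytes) < 0` in __glXDisp_RenderLarge (hunk at -1993) leaves the large-command state untouched, whereas the error paths directly before and after it in the same hunk call `__glXResetLargeCommandStatus(cl)` first. If a multi-request command is in progress, its partial state may stay pending after this error. Consider `if (safe_pad(req->dataBytes) < 0) { __glXResetLargeCommandStatus(cl); return BadLength; }`, or add a comment saying why the reset is not needed here.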
@@ -2021,13 +2027,17 @@ int __glXDisp_RenderLarge(__GLXclientSta return __glXError(GLXBadLargeRequest); } + if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) + return BadLength; + hdr = (__GLXrenderLargeHeader *) pc; if (client->swapped) { __GLX_SWAP_INT(&hdr->length); __GLX_SWAP_INT(&hdr->opcode); } - cmdlen = hdr->length; opcode = hdr->opcode; + if ((cmdlen = safe_pad(hdr->length)) < 0) + return BadLength; /* ** Check for core opcodes and grab entry data. @@ -2045,20 +2055,18 @@ int __glXDisp_RenderLarge(__GLXclientSta ** will be in the 1st request, so it's okay to do this. */ extra = (*entry.varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, - client->swapped); + client->swapped, + left - __GLX_RENDER_HDR_SIZE); if (extra < 0) { - extra = 0; - } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { - return BadLength; - } - } else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry.bytes + 4)) { - return BadLength; + return BadLength; } } + + /* the +4 is safe because we know entry.bytes is small */ + if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) { + return BadLength; + } + /* ** Make enough space in the buffer, then copy the entire request. */ @@ -2086,6 +2094,7 @@ int __glXDisp_RenderLarge(__GLXclientSta ** We are receiving subsequent (i.e. not the first) requests of a ** multi request command. */ + int bytesSoFar; /* including this packet */ /* ** Check the request number and the total request count. 
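Review bot: The check `if ((cmdlen = safe_pad(hdr->length)) < 0)` can never fire, because `cmdlen` is declared `size_t cmdlen;` (context line in the previous hunk, at -2008) and an unsigned value is never below zero. A -1 from `safe_pad` becomes the largest `size_t` value. In the later `cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))`, a -1 on the right converts to that same value, so two failures compare equal. Declaring it `int cmdlen;` makes both checks behave as written. The enclosing block of __glXDisp_RenderLarge starts and ends outside this hunk.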
@@ -2104,11 +2113,18 @@ int __glXDisp_RenderLarge(__GLXclientSta /* ** Check that we didn't get too much data. */ - if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { + if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXError(GLXBadLargeRequest); } + + if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); + } + memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes); cl->largeCmdBytesSoFar += dataBytes; cl->largeCmdRequestsSoFar++; 
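Review bot: The two error blocks in this hunk are identical apart from their condition, so the overflow case and the too-much-data case can share one: `if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0 || bytesSoFar > cl->largeCmdBytesTotal) {`. That keeps the reset-and-error sequence in a single place ahead of the `memcpy`. A short comment that `safe_add` also rejects a negative `dataBytes` (see its definition in glx/glxserver.h in this patch) would explain why no separate sign check precedes the copy.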
@@ -2120,17 +2136,16 @@ int __glXDisp_RenderLarge(__GLXclientSta ** This is the last request; it must have enough bytes to complete ** the command. */ - /* NOTE: the two pad macros have been added below; they are needed - ** because the client library pads the total byte count, but not - ** the per-request byte counts. The Protocol Encoding says the - ** total byte count should not be padded, so a proposal will be - ** made to the ARB to relax the padding constraint on the total - ** byte count, thus preserving backward compatibility. Meanwhile, - ** the padding done below fixes a bug that did not allow - ** large commands of odd sizes to be accepted by the server. + /* NOTE: the pad macro below is needed because the client library + ** pads the total byte count, but not the per-request byte counts. + ** The Protocol Encoding says the total byte count should not be + ** padded, so a proposal will be made to the ARB to relax the + ** padding constraint on the total byte count, thus preserving + ** backward compatibility. Meanwhile, the padding done below + ** fixes a bug that did not allow large commands of odd sizes to + ** be accepted by the server. */ - if (__GLX_PAD(cl->largeCmdBytesSoFar) != - __GLX_PAD(cl->largeCmdBytesTotal)) { + if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXError(GLXBadLargeRequest); Index: glx/glxcmdsswap.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 glxcmdsswap.c --- glx/glxcmdsswap.c 2 Aug 2011 06:56:47 -0000 1.1.1.3 +++ glx/glxcmdsswap.c 6 Dec 2014 23:40:01 -0000 
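Review bot: The rewritten comment still refers to "the pad macro below", but the code now calls the function `safe_pad` and pads only `largeCmdBytesSoFar`; why the right-hand side is no longer padded is not stated. Presumably `largeCmdBytesTotal` is recorded from the already padded `cmdlen` on the first request (`cmdlen = safe_pad(hdr->length)` in the hunk at -2021), though that assignment is outside the visible hunks. Once that is confirmed I would add `/* largeCmdBytesTotal was padded when it was recorded from cmdlen; only the running count needs padding here */`.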
@@ -870,11 +870,13 @@ int __glXDispSwap_RenderLarge(__GLXclien int __glXDispSwap_VendorPrivate(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); req = (xGLXVendorPrivateReq *) pc; __GLX_SWAP_SHORT(&req->length); @@ -897,11 +899,13 @@ int __glXDispSwap_VendorPrivate(__GLXcli int __glXDispSwap_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); req = (xGLXVendorPrivateWithReplyReq *) pc; __GLX_SWAP_SHORT(&req->length); Index: glx/glxserver.h =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/glxserver.h,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 glxserver.h --- glx/glxserver.h 2 Aug 2011 06:56:47 -0000 1.1.1.3 +++ glx/glxserver.h 6 Dec 2014 23:40:01 -0000 @@ -183,7 +183,7 @@ typedef int (*__GLXprocPtr)(__GLXclientS /* * Tables for computing the size of each rendering command. */ -typedef int (*gl_proto_size_func)(const GLbyte *, Bool); +typedef int (*gl_proto_size_func)(const GLbyte *, Bool, int); typedef struct { int bytes; 
@@ -233,6 +233,47 @@ extern void glxSwapQueryServerStringRepl * Routines for computing the size of variably-sized rendering commands. */ +static _X_INLINE int +safe_add(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (INT_MAX - a < b) + return -1; + + return a + b; +} + +static _X_INLINE int +safe_mul(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (a == 0 || b == 0) + return 0; + + if (a > INT_MAX / b) + return -1; + + return a * b; +} + +static _X_INLINE int +safe_pad(int a) +{ + int ret; + + if (a < 0) + return -1; + + if ((ret = safe_add(a, 3)) < 0) + return -1; + + return ret & (GLuint)~3; +} + extern int __glXTypeSize(GLenum enm); extern int __glXImageSize(GLenum format, GLenum type, GLenum target, GLsizei w, GLsizei h, GLsizei d, Index: glx/indirect_program.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/indirect_program.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 indirect_program.c --- glx/indirect_program.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/indirect_program.c 6 Dec 2014 23:40:01 -0000 @@ -71,6 +71,8 @@ int DoGetProgramString(struct __GLXclien ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; if (cx != NULL) { GLenum target; Index: glx/indirect_reqsize.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 indirect_reqsize.c --- glx/indirect_reqsize.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/indirect_reqsize.c 6 Dec 2014 23:40:01 -0000 
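Review bot: The three helpers added to glxserver.h have no comment describing their contract, although every caller in this patch depends on it: a negative argument or an overflow yields -1, so calls can be nested (`safe_pad(safe_mul(a, b))`) and the result tested once with `< 0`. I would add above `safe_add`: `/* Overflow-checked arithmetic on client-supplied sizes: returns -1 on negative input or overflow; callers must test the result for < 0 before using it as a length. */`. The result has to be kept in a signed type for that test to work. `INT_MAX` is used without a visible `#include <limits.h>` in this hunk, so confirm the header gets it from an earlier include.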
@@ -32,25 +32,23 @@ #include "indirect_size.h" #include "indirect_reqsize.h" -#define __GLX_PAD(x) (((x) + 3) & ~3) - #if defined(__CYGWIN__) || defined(__MINGW32__) # undef HAVE_ALIAS #endif #ifdef HAVE_ALIAS # define ALIAS2(from,to) \ - int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ + int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ __attribute__ ((alias( # to ))); # define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) #else # define ALIAS(from,to) \ - int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ - { return __glX ## to ## ReqSize( pc, swap ); } + int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + { return __glX ## to ## ReqSize( pc, swap, reqlen ); } #endif int -__glXCallListsReqSize(const GLbyte *pc, Bool swap) +__glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); GLenum type = *(GLenum *) (pc + 4); @@ -62,11 +60,11 @@ __glXCallListsReqSize(const GLbyte *pc, } compsize = __glCallLists_size(type); - return __GLX_PAD((compsize * n)); + return safe_pad(safe_mul(compsize, n)); } int -__glXBitmapReqSize(const GLbyte *pc, Bool swap) +__glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -90,7 +88,7 @@ __glXBitmapReqSize(const GLbyte *pc, Boo } int -__glXFogfvReqSize(const GLbyte *pc, Bool swap) +__glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -100,11 +98,11 @@ __glXFogfvReqSize(const GLbyte *pc, Bool } compsize = __glFogfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightfvReqSize(const GLbyte *pc, Bool swap) +__glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; 
@@ -114,11 +112,11 @@ __glXLightfvReqSize(const GLbyte *pc, Bo } compsize = __glLightfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXLightModelfvReqSize(const GLbyte *pc, Bool swap) +__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -128,11 +126,11 @@ __glXLightModelfvReqSize(const GLbyte *p } compsize = __glLightModelfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXMaterialfvReqSize(const GLbyte *pc, Bool swap) +__glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -142,11 +140,11 @@ __glXMaterialfvReqSize(const GLbyte *pc, } compsize = __glMaterialfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPolygonStippleReqSize(const GLbyte *pc, Bool swap) +__glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -166,7 +164,7 @@ __glXPolygonStippleReqSize(const GLbyte } int -__glXTexParameterfvReqSize(const GLbyte *pc, Bool swap) +__glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -176,11 +174,11 @@ __glXTexParameterfvReqSize(const GLbyte } compsize = __glTexParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage1DReqSize(const GLbyte *pc, Bool swap) +__glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -208,7 +206,7 @@ __glXTexImage1DReqSize(const GLbyte *pc, } int -__glXTexImage2DReqSize(const GLbyte *pc, Bool swap) +__glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; 
@@ -238,7 +236,7 @@ __glXTexImage2DReqSize(const GLbyte *pc, } int -__glXTexEnvfvReqSize(const GLbyte *pc, Bool swap) +__glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -248,11 +246,11 @@ __glXTexEnvfvReqSize(const GLbyte *pc, B } compsize = __glTexEnvfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexGendvReqSize(const GLbyte *pc, Bool swap) +__glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -262,11 +260,11 @@ __glXTexGendvReqSize(const GLbyte *pc, B } compsize = __glTexGendv_size(pname); - return __GLX_PAD((compsize * 8)); + return safe_pad(safe_mul(compsize, 8)); } int -__glXTexGenfvReqSize(const GLbyte *pc, Bool swap) +__glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -276,11 +274,11 @@ __glXTexGenfvReqSize(const GLbyte *pc, B } compsize = __glTexGenfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXPixelMapfvReqSize(const GLbyte *pc, Bool swap) +__glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *) (pc + 4); @@ -288,11 +286,11 @@ __glXPixelMapfvReqSize(const GLbyte *pc, mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 4)); + return safe_pad(safe_mul(mapsize, 4)); } int -__glXPixelMapusvReqSize(const GLbyte *pc, Bool swap) +__glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei mapsize = *(GLsizei *) (pc + 4); @@ -300,11 +298,11 @@ __glXPixelMapusvReqSize(const GLbyte *pc mapsize = bswap_32(mapsize); } - return __GLX_PAD((mapsize * 2)); + return safe_pad(safe_mul(mapsize, 2)); } int -__glXDrawPixelsReqSize(const GLbyte *pc, Bool swap) +__glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; 
@@ -332,7 +330,7 @@ __glXDrawPixelsReqSize(const GLbyte *pc, } int -__glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap) +__glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); @@ -340,11 +338,11 @@ __glXPrioritizeTexturesReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 4) + (n * 4)); + return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); } int -__glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap) +__glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -372,7 +370,7 @@ __glXTexSubImage1DReqSize(const GLbyte * } int -__glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap) +__glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -402,7 +400,7 @@ __glXTexSubImage2DReqSize(const GLbyte * } int -__glXColorTableReqSize(const GLbyte *pc, Bool swap) +__glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -430,7 +428,7 @@ __glXColorTableReqSize(const GLbyte *pc, } int -__glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap) +__glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -440,11 +438,11 @@ __glXColorTableParameterfvReqSize(const } compsize = __glColorTableParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXColorSubTableReqSize(const GLbyte *pc, Bool swap) +__glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; 
@@ -472,7 +470,7 @@ __glXColorSubTableReqSize(const GLbyte * } int -__glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap) +__glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -500,7 +498,7 @@ __glXConvolutionFilter1DReqSize(const GL } int -__glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap) +__glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = 0; @@ -530,7 +528,7 @@ __glXConvolutionFilter2DReqSize(const GL } int -__glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap) +__glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 4); GLsizei compsize; @@ -540,11 +538,11 @@ __glXConvolutionParameterfvReqSize(const } compsize = __glConvolutionParameterfv_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXTexImage3DReqSize(const GLbyte *pc, Bool swap) +__glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = *(GLint *) (pc + 8); @@ -581,7 +579,7 @@ __glXTexImage3DReqSize(const GLbyte *pc, } int -__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap) +__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLint row_length = *(GLint *) (pc + 4); GLint image_height = *(GLint *) (pc + 8); @@ -615,7 +613,7 @@ __glXTexSubImage3DReqSize(const GLbyte * } int -__glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap) +__glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 20); 
@@ -623,11 +621,11 @@ __glXCompressedTexImage1DARBReqSize(cons imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap) +__glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 24); @@ -635,11 +633,11 @@ __glXCompressedTexImage2DARBReqSize(cons imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap) +__glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 28); @@ -647,11 +645,11 @@ __glXCompressedTexImage3DARBReqSize(cons imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap) +__glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei imageSize = *(GLsizei *) (pc + 36); @@ -659,11 +657,11 @@ __glXCompressedTexSubImage3DARBReqSize(c imageSize = bswap_32(imageSize); } - return __GLX_PAD(imageSize); + return safe_pad(imageSize); } int -__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap) +__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *) (pc + 8); @@ -671,11 +669,11 @@ __glXProgramStringARBReqSize(const GLbyt len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } int -__glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap) +__glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 0); 
@@ -683,11 +681,11 @@ __glXDrawBuffersARBReqSize(const GLbyte n = bswap_32(n); } - return __GLX_PAD((n * 4)); + return safe_pad(safe_mul(n, 4)); } int -__glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap) +__glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLenum pname = *(GLenum *) (pc + 0); GLsizei compsize; @@ -697,11 +695,11 @@ __glXPointParameterfvEXTReqSize(const GL } compsize = __glPointParameterfvEXT_size(pname); - return __GLX_PAD((compsize * 4)); + return safe_pad(safe_mul(compsize, 4)); } int -__glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap) +__glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLuint num = *(GLuint *) (pc + 8); @@ -709,11 +707,11 @@ __glXProgramParameters4dvNVReqSize(const num = bswap_32(num); } - return __GLX_PAD((num * 32)); + return safe_pad(safe_mul(num, 32)); } int -__glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap) +__glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLuint num = *(GLuint *) (pc + 8); @@ -721,11 +719,11 @@ __glXProgramParameters4fvNVReqSize(const num = bswap_32(num); } - return __GLX_PAD((num * 16)); + return safe_pad(safe_mul(num, 16)); } int -__glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap) +__glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -733,11 +731,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 8)); + return safe_pad(safe_mul(n, 8)); } int -__glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap) +__glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); 
@@ -745,11 +743,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 16)); + return safe_pad(safe_mul(n, 16)); } int -__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap) +__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -757,11 +755,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 24)); + return safe_pad(safe_mul(n, 24)); } int -__glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap) +__glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -769,11 +767,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 12)); + return safe_pad(safe_mul(n, 12)); } int -__glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap) +__glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -781,11 +779,11 @@ __glXVertexAttribs3svNVReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 6)); + return safe_pad(safe_mul(n, 6)); } int -__glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap) +__glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei n = *(GLsizei *) (pc + 4); @@ -793,11 +791,11 @@ __glXVertexAttribs4dvNVReqSize(const GLb n = bswap_32(n); } - return __GLX_PAD((n * 32)); + return safe_pad(safe_mul(n, 32)); } int -__glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap) +__glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen) { GLsizei len = *(GLsizei *) (pc + 4); 
@@ -805,7 +803,7 @@ __glXProgramNamedParameter4fvNVReqSize(c len = bswap_32(len); } - return __GLX_PAD(len); + return safe_pad(len); } ALIAS(Fogiv, Fogfv) Index: glx/indirect_reqsize.h =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 indirect_reqsize.h --- glx/indirect_reqsize.h 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/indirect_reqsize.h 6 Dec 2014 23:40:01 -0000 
@@ -40,80 +40,80 @@ # define PURE # endif -extern PURE HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, 
Bool swap); -extern PURE HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int 
__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXPointParameterivNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int 
__glXDeleteFramebuffersEXTReqSize(const GLbyte *pc, Bool swap); -extern PURE HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte *pc, Bool swap); +extern PURE HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap, int 
reqlen); +extern PURE HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swa, int reqlenp); +extern PURE HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int 
__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int 
__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXPointParameterivNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte *pc, Bool swap, int reqlen); +extern PURE HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte *pc, Bool swap, int reqlen); # undef HIDDEN # undef PURE Index: glx/indirect_texture_compression.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 indirect_texture_compression.c --- glx/indirect_texture_compression.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/indirect_texture_compression.c 6 Dec 2014 23:40:01 -0000 @@ -47,6 +47,8 @@ int __glXDisp_GetCompressedTexImageARB(s ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if ( cx != NULL ) { const GLenum target = *(GLenum *)(pc + 0); 
@@ -87,6 +89,8 @@ int __glXDispSwap_GetCompressedTexImageA ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if ( cx != NULL ) { const GLenum target = (GLenum) bswap_32( *(int *)(pc + 0) ); Index: glx/indirect_util.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/indirect_util.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 indirect_util.c --- glx/indirect_util.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/indirect_util.c 6 Dec 2014 23:40:01 -0000 @@ -81,12 +81,17 @@ __glXGetAnswerBuffer( __GLXclientState * void * local_buffer, size_t local_size, unsigned alignment ) { void * buffer = local_buffer; - const unsigned mask = alignment - 1; + const intptr_t mask = alignment - 1; if ( local_size < required_size ) { - const size_t worst_case_size = required_size + alignment; + size_t worst_case_size; intptr_t temp_buf; + if (required_size < SIZE_MAX - alignment) + worst_case_size = required_size + alignment; + else + return NULL; + if ( cl->returnBufSize < worst_case_size ) { void * temp = realloc( cl->returnBuf, worst_case_size ); Index: glx/rensize.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/rensize.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 rensize.c --- glx/rensize.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/rensize.c 6 Dec 2014 23:40:01 -0000 @@ -43,16 +43,10 @@ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) -static int Map1Size( GLint k, GLint order) -{ - if (order <= 0 || k < 0) return -1; - return k * order; -} - -int __glXMap1dReqSize( const GLbyte *pc, Bool swap ) +int __glXMap1dReqSize( const GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum*) (pc + 16); order = *(GLint*) (pc + 20); 
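Review bot: The new overflow branch in `__glXGetAnswerBuffer` (glx/indirect_util.c) adds a second way for the function to return NULL, and nothing at the site says what a caller should do with it. A one-line comment above the check would help, for example `/* required_size + alignment would wrap size_t: refuse rather than under-allocate */`, and the function's header comment should state that NULL is returned when the size is unrepresentable. The callers are outside this hunk, so whether each of them tests for NULL cannot be confirmed from here and is worth checking alongside this change.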
@@ -60,14 +54,15 @@ int __glXMap1dReqSize( const GLbyte *pc, target = SWAPL( target ); order = SWAPL( order ); } - k = __glMap1d_size( target ); - return 8 * Map1Size( k, order ); + if (order < 1) + return -1; + return safe_mul(8, safe_mul(__glMap1d_size(target), order)); } -int __glXMap1fReqSize( const GLbyte *pc, Bool swap ) +int __glXMap1fReqSize( const GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum *)(pc + 0); order = *(GLint *)(pc + 12); @@ -75,20 +70,22 @@ int __glXMap1fReqSize( const GLbyte *pc, target = SWAPL( target ); order = SWAPL( order ); } - k = __glMap1f_size(target); - return 4 * Map1Size(k, order); + if (order < 1) + return -1; + return safe_mul(4, safe_mul(__glMap1f_size(target), order)); } static int Map2Size(int k, int majorOrder, int minorOrder) { - if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1; - return k * majorOrder * minorOrder; + if (majorOrder < 1 || minorOrder < 1) + return -1; + return safe_mul(k, safe_mul(majorOrder, minorOrder)); } -int __glXMap2dReqSize( const GLbyte *pc, Bool swap ) +int __glXMap2dReqSize( const GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *)(pc + 32); uorder = *(GLint *)(pc + 36); @@ -98,14 +95,13 @@ int __glXMap2dReqSize( const GLbyte *pc, uorder = SWAPL( uorder ); vorder = SWAPL( vorder ); } - k = __glMap2d_size( target ); - return 8 * Map2Size( k, uorder, vorder ); + return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); } -int __glXMap2fReqSize( const GLbyte *pc, Bool swap ) +int __glXMap2fReqSize( const GLbyte *pc, Bool swap, int reqlen ) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *)(pc + 0); uorder = *(GLint *)(pc + 12); 
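Review bot: The explicit `k < 0` rejection is dropped in `__glXMap1dReqSize`, and likewise in `__glXMap1fReqSize` and `Map2Size` in the following hunks. The result of `__glMap1d_size(target)` now goes straight into `safe_mul`, so a negative size for an unrecognised target is rejected only if `safe_mul` itself refuses negative operands, and its definition is not in this hunk. If that is the intended contract, say so at the call, e.g. `/* safe_mul() returns -1 for negative operands, which covers an invalid target */`; otherwise keep the test as `if (order < 1 || k < 0) return -1;`. The new `reqlen` parameter is unused in these functions and deserves a short comment saying it exists for a uniform signature.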
@@ -115,8 +111,7 @@ int __glXMap2fReqSize( const GLbyte *pc, uorder = SWAPL( uorder ); vorder = SWAPL( vorder ); } - k = __glMap2f_size( target ); - return 4 * Map2Size( k, uorder, vorder ); + return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); } /** @@ -166,13 +161,16 @@ int __glXImageSize( GLenum format, GLenu GLint bytesPerElement, elementsPerGroup, groupsPerRow; GLint groupSize, rowSize, padding, imageSize; + if (w == 0 || h == 0 || d == 0) + return 0; + if (w < 0 || h < 0 || d < 0 || (type == GL_BITMAP && (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { return -1; } - if (w==0 || h==0 || d == 0) return 0; + /* proxy targets have no data */ switch( target ) { case GL_PROXY_TEXTURE_1D: case GL_PROXY_TEXTURE_2D: @@ -189,6 +187,12 @@ int __glXImageSize( GLenum format, GLenu return 0; } + /* real data has to have real sizes */ + if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) + return -1; + if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) + return -1; + if (type == GL_BITMAP) { if (rowLength > 0) { groupsPerRow = rowLength; @@ -196,11 +200,14 @@ int __glXImageSize( GLenum format, GLenu groupsPerRow = w; } rowSize = bits_to_bytes(groupsPerRow); + if (rowSize < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - return ((h + skipRows) * rowSize); + + return safe_mul(safe_add(h, skipRows), rowSize); } else { switch(format) { case GL_COLOR_INDEX: @@ -212,6 +219,11 @@ int __glXImageSize( GLenum format, GLenu case GL_ALPHA: case GL_LUMINANCE: case GL_INTENSITY: + case GL_RED_INTEGER_EXT: + case GL_GREEN_INTEGER_EXT: + case GL_BLUE_INTEGER_EXT: + case GL_ALPHA_INTEGER_EXT: + case GL_LUMINANCE_INTEGER_EXT: elementsPerGroup = 1; break; case GL_422_EXT: 
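Review bot: In the `__glXImageSize` hunk at -166, moving `if (w == 0 || h == 0 || d == 0) return 0;` above the validity test changes which inputs are rejected. A request with one zero dimension and another negative one, or with `GL_BITMAP` and an unsupported format, now returns 0 where the old order returned -1. If that relaxation is not intended, keep the sign test first, `if (w < 0 || h < 0 || d < 0) return -1;`, followed by the zero test and then the type/format test. If it is intended, a comment stating that zero-sized images are accepted without further validation would make that explicit. The function body starts and continues outside this hunk.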
@@ -222,14 +234,19 @@ int __glXImageSize( GLenum format, GLenu case GL_DEPTH_STENCIL_MESA: case GL_YCBCR_MESA: case GL_LUMINANCE_ALPHA: + case GL_LUMINANCE_ALPHA_INTEGER_EXT: elementsPerGroup = 2; break; case GL_RGB: case GL_BGR: + case GL_RGB_INTEGER_EXT: + case GL_BGR_INTEGER_EXT: elementsPerGroup = 3; break; case GL_RGBA: case GL_BGRA: + case GL_RGBA_INTEGER_EXT: + case GL_BGRA_INTEGER_EXT: case GL_ABGR_EXT: elementsPerGroup = 4; break; @@ -281,23 +298,27 @@ int __glXImageSize( GLenum format, GLenu default: return -1; } + /* known safe by the switches above, not checked */ groupSize = bytesPerElement * elementsPerGroup; if (rowLength > 0) { groupsPerRow = rowLength; } else { groupsPerRow = w; } - rowSize = groupsPerRow * groupSize; + if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - if (imageHeight > 0) { - imageSize = (imageHeight + skipRows) * rowSize; - } else { - imageSize = (h + skipRows) * rowSize; - } - return ((d + skipImages) * imageSize); + + if (imageHeight > 0) + h = imageHeight; + h = safe_add(h, skipRows); + + imageSize = safe_mul(h, rowSize); + + return safe_mul(safe_add(d, skipImages), imageSize); } } @@ -318,13 +339,14 @@ int __glXTypeSize(GLenum enm) } } -int __glXDrawArraysReqSize( const GLbyte *pc, Bool swap ) +int __glXDrawArraysReqSize( const GLbyte *pc, Bool swap, int reqlen ) { __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; __GLXdispatchDrawArraysComponentHeader *compHeader; GLint numVertexes = hdr->numVertexes; GLint numComponents = hdr->numComponents; GLint arrayElementSize = 0; + GLint x, size; int i; if (swap) { 
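Review bot: In the `__glXImageSize` hunk at -281, `rowSize` is checked only as the result of `safe_mul(groupsPerRow, groupSize)`; the alignment round-up that follows, `rowSize += alignment - padding;`, is still a plain signed addition. A product within `alignment - 1` of `INT_MAX` passes the check and then overflows on the round-up, which is undefined behaviour in C even if a later `safe_mul` would reject a negative value. Use the same helper as the rest of the hunk, for example `if ((rowSize = safe_add(rowSize, alignment - padding)) < 0) return -1;`, assuming `safe_add` reports overflow with a negative result as its other uses here suggest. The comment `/* known safe by the switches above, not checked */` should also name the largest `bytesPerElement * elementsPerGroup` it relies on.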
@@ -333,6 +355,13 @@ int __glXDrawArraysReqSize( const GLbyte } pc += sizeof(__GLXdispatchDrawArraysHeader); + reqlen -= sizeof(__GLXdispatchDrawArraysHeader); + + size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), + numComponents); + if (size < 0 || reqlen < 0 || reqlen < size) + return -1; + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; for (i=0; iclient; GLsizei size; GLenum type; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -78,10 +81,13 @@ int __glXDisp_FeedbackBuffer(__GLXclient int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -106,7 +112,7 @@ int __glXDisp_SelectBuffer(__GLXclientSt int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) { - ClientPtr client; + ClientPtr client = cl->client; xGLXRenderModeReply reply; __GLXcontext *cx; GLint nitems=0, retBytes=0, retval, newModeCheck; @@ -114,6 +120,8 @@ int __glXDisp_RenderMode(__GLXclientStat GLenum newMode; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -188,7 +196,6 @@ int __glXDisp_RenderMode(__GLXclientStat ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply.length = nitems; reply.type = X_Reply; reply.sequenceNumber = client->sequence; @@ -204,9 +211,12 @@ int __glXDisp_RenderMode(__GLXclientStat int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; 
@@ -219,10 +229,12 @@ int __glXDisp_Flush(__GLXclientState *cl int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -306,7 +318,7 @@ char *__glXcombine_strings(const char *c int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; GLenum name; const char *string; @@ -315,6 +327,8 @@ int DoGetString(__GLXclientState *cl, GL char *buf = NULL, *buf1 = NULL; GLint length = 0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + /* If the client has the opposite byte order, swap the contextTag and * the name. */ @@ -331,7 +345,6 @@ int DoGetString(__GLXclientState *cl, GL pc += __GLX_SINGLE_HDR_SIZE; name = *(GLenum *)(pc + 0); string = (const char *) CALL_GetString( GET_DISPATCH(), (name) ); - client = cl->client; if (string == NULL) string = ""; Index: glx/single2swap.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/single2swap.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 single2swap.c --- glx/single2swap.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/single2swap.c 6 Dec 2014 23:40:01 -0000 @@ -44,12 +44,15 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; __GLX_DECLARE_SWAP_VARIABLES; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -78,11 +81,14 @@ int __glXDispSwap_FeedbackBuffer(__GLXcl int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; __GLX_DECLARE_SWAP_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -109,7 +115,7 @@ int __glXDispSwap_SelectBuffer(__GLXclie int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; xGLXRenderModeReply reply; GLint nitems=0, retBytes=0, retval, newModeCheck; @@ -119,6 +125,8 @@ int __glXDispSwap_RenderMode(__GLXclient __GLX_DECLARE_SWAP_ARRAY_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -197,7 +205,6 @@ int __glXDispSwap_RenderMode(__GLXclient ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply.length = nitems; reply.type = X_Reply; reply.sequenceNumber = client->sequence; @@ -218,10 +225,13 @@ int __glXDispSwap_RenderMode(__GLXclient int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -235,11 +245,13 @@ int __glXDispSwap_Flush(__GLXclientState int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -251,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientStat __GLX_NOTE_FLUSHED_CMDS(cx); /* Send empty reply packet to indicate finish is finished */ - client = cl->client; __GLX_BEGIN_REPLY(0); __GLX_PUT_RETVAL(0); __GLX_SWAP_REPLY_HEADER(); Index: glx/singlepix.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/singlepix.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 singlepix.c --- glx/singlepix.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/singlepix.c 6 Dec 2014 23:40:01 -0000 @@ -54,6 +54,8 @@ int __glXDisp_ReadPixels(__GLXclientStat int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -67,7 +69,8 @@ int __glXDisp_ReadPixels(__GLXclientStat swapBytes = *(GLboolean *)(pc + 24); lsbFirst = *(GLboolean *)(pc + 25); compsize = __glReadPixels_size(format,type,width,height); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes) ); CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst) ); @@ -106,6 +109,8 @@ int __glXDisp_GetTexImage(__GLXclientSta char *answer, answerBuffer[200]; GLint width=0, height=0, depth=1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; 
@@ -128,7 +133,8 @@ int __glXDisp_GetTexImage(__GLXclientSta * are illegal, but then width, height, and depth would still be zero anyway. */ compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes) ); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -164,6 +170,8 @@ int __glXDisp_GetPolygonStipple(__GLXcli GLubyte answerBuffer[200]; char *answer; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -222,13 +230,13 @@ static int GetSeparableFilter(__GLXclien compsize = __glGetTexImage_size(target,1,format,type,width,1,1); compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - if (compsize < 0) compsize = 0; - if (compsize2 < 0) compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); CALL_GetSeparableFilter( GET_DISPATCH(), ( *(GLenum *)(pc + 0), 
@@ -256,14 +264,16 @@ static int GetSeparableFilter(__GLXclien int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDisp_GetSeparableFilterEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -302,7 +312,8 @@ static int GetConvolutionFilter(__GLXcli * are illegal, but then width and height would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,height,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -331,14 +342,16 @@ static int GetConvolutionFilter(__GLXcli int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDisp_GetConvolutionFilterEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } 
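Review bot: In `__glXDisp_GetSeparableFilter` and `__glXDisp_GetSeparableFilterEXT`, the context tag is read from `pc` in the initializer of `tag` before `REQUEST_FIXED_SIZE` has validated the request length. If the tag macro reads a header field, that read takes place on a request whose size has not yet been checked. Declaring `tag` first and assigning it after the macro keeps every read of `pc` behind the check: `GLXContextTag tag; ClientPtr client = cl->client; REQUEST_FIXED_SIZE(xGLXSingleReq, 16); tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);`. The same pattern recurs in the other Get* wrappers changed in glx/singlepix.c and glx/singlepixswap.c (convolution filter, histogram, minmax, color table).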
@@ -371,7 +384,8 @@ static int GetHistogram(__GLXclientState * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -394,14 +408,16 @@ static int GetHistogram(__GLXclientState int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDisp_GetHistogramEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -427,7 +443,8 @@ static int GetMinmax(__GLXclientState *c reset = *(GLboolean *)(pc + 13); compsize = __glGetTexImage_size(target,1,format,type,2,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -449,14 +466,16 @@ static int GetMinmax(__GLXclientState *c int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDisp_GetMinmaxEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } 
@@ -488,7 +507,8 @@ static int GetColorTable(__GLXclientStat * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -516,13 +536,15 @@ static int GetColorTable(__GLXclientStat int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDisp_GetColorTableSGI(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } Index: glx/singlepixswap.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 singlepixswap.c --- glx/singlepixswap.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/singlepixswap.c 6 Dec 2014 23:40:01 -0000 @@ -55,6 +55,8 @@ int __glXDispSwap_ReadPixels(__GLXclient int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -76,7 +78,8 @@ int __glXDispSwap_ReadPixels(__GLXclient swapBytes = *(GLboolean *)(pc + 24); lsbFirst = *(GLboolean *)(pc + 25); compsize = __glReadPixels_size(format,type,width,height); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst) ); @@ -118,6 +121,8 @@ int __glXDispSwap_GetTexImage(__GLXclien char *answer, answerBuffer[200]; GLint width=0, height=0, depth=1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -146,7 +151,8 @@ int __glXDispSwap_GetTexImage(__GLXclien * are illegal, but then width, height, and depth would still be zero anyway. */ compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -188,6 +194,8 @@ int __glXDispSwap_GetPolygonStipple(__GL char *answer; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -252,13 +260,13 @@ static int GetSeparableFilter(__GLXclien compsize = __glGetTexImage_size(target,1,format,type,width,1,1); compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - if (compsize < 0) compsize = 0; - if (compsize2 < 0) compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); + if ((compsize = safe_pad(compsize)) < 0) + return BadLength; + if ((compsize2 = safe_pad(compsize2)) < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); CALL_GetSeparableFilter( GET_DISPATCH(), ( *(GLenum *)(pc + 0), @@ -288,14 +296,18 @@ static int GetSeparableFilter(__GLXclien int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -336,7 +348,8 @@ static int GetConvolutionFilter(__GLXcli * are illegal, but then width and height would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,height,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); 
@@ -367,14 +380,18 @@ static int GetConvolutionFilter(__GLXcli int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -411,7 +428,8 @@ static int GetHistogram(__GLXclientState * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -435,14 +453,18 @@ static int GetHistogram(__GLXclientState int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDispSwap_GetHistogramEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -473,7 +495,8 @@ static int GetMinmax(__GLXclientState *c reset = *(GLboolean *)(pc + 13); compsize = __glGetTexImage_size(target,1,format,type,2,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); 
@@ -495,14 +518,18 @@ static int GetMinmax(__GLXclientState *c int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDispSwap_GetMinmaxEXT(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -538,7 +565,8 @@ static int GetColorTable(__GLXclientStat * are illegal, but then width would still be zero anyway. */ compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - if (compsize < 0) compsize = 0; + if (compsize < 0) + return BadLength; CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) ); __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); @@ -567,13 +595,17 @@ static int GetColorTable(__GLXclientStat int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } int __glXDispSwap_GetColorTableSGI(__GLXclientState *cl, GLbyte *pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } Index: glx/swap_interval.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/swap_interval.c,v retrieving revision 1.1.1.2 diff -p -u -p -r1.1.1.2 swap_interval.c --- glx/swap_interval.c 23 Nov 2010 05:21:09 -0000 1.1.1.2 +++ glx/swap_interval.c 6 Dec 2014 23:40:01 -0000 
@@ -51,6 +51,8 @@ int DoSwapInterval(__GLXclientState *cl, GLint interval; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4); + cx = __glXLookupContextByTag(cl, tag); if ((cx == NULL) || (cx->pGlxScreen == NULL)) { Index: glx/unpack.h =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/glx/unpack.h,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 unpack.h --- glx/unpack.h 2 Aug 2011 06:56:48 -0000 1.1.1.3 +++ glx/unpack.h 6 Dec 2014 23:40:01 -0000 @@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; ** pointer. */ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ - if ((size) > sizeof(answerBuffer)) { \ + if (size < 0) return BadLength; \ + else if ((size) > sizeof(answerBuffer)) { \ int bump; \ if ((cl)->returnBufSize < (size)+(align)) { \ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ Index: hw/xfree86/dri2/dri2ext.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c,v retrieving revision 1.1.1.4 diff -p -u -p -r1.1.1.4 dri2ext.c --- hw/xfree86/dri2/dri2ext.c 3 Jun 2013 07:34:24 -0000 1.1.1.4 +++ hw/xfree86/dri2/dri2ext.c 6 Dec 2014 23:40:01 -0000 @@ -266,6 +266,9 @@ ProcDRI2GetBuffers(ClientPtr client) unsigned int *attachments; REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); + if (stuff->count > (INT_MAX / 4)) + return BadLength; + if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status)) return status; Index: include/dix.h =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/include/dix.h,v retrieving revision 1.1.1.5 diff -p -u -p -r1.1.1.5 dix.h --- include/dix.h 2 Aug 2011 06:57:02 -0000 1.1.1.5 +++ include/dix.h 6 Dec 2014 23:40:01 -0000 
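Review bot: In `__GLX_GET_ANSWER_BUFFER` (glx/unpack.h), the added test `if (size < 0)` uses the macro argument without parentheses, while the next line uses `(size)`; write it as `if ((size) < 0) return BadLength; \`. The macro expands `size` several times, and this patch now passes `safe_add(compsize, compsize2)` as that argument, so a call site is clearer if it computes the sum into a local first and passes the local. The unchanged `(size)+(align)` on the following line is still a plain addition and can exceed the range of a signed `size` close to its maximum; the rest of the macro body is outside this hunk. Because the macro is a bare `if … else if`, it can also capture an `else` at the call site, which a `do { … } while (0)` wrapper would avoid.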
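Review bot: In `ProcDRI2GetBuffers`, the new bound `if (stuff->count > (INT_MAX / 4))` runs after `REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4)` has already used the product. If `count` is a 32-bit field, which looks likely but is not shown here, the multiplication can wrap before the macro compares it, so the length check is made on a wrapped value and the function depends on the later test to reject it. Checking the range first is easier to reason about: validate the header size (for example with `REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);`), then `if (stuff->count > (INT_MAX / 4)) return BadLength;`, then the `REQUEST_FIXED_SIZE` call. A comment noting that `count` is the number of 4-byte attachments would explain the constant.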
@@ -74,9 +74,14 @@ SOFTWARE. if ((sizeof(req) >> 2) > client->req_len )\ return(BadLength) +#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ + if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ + return(BadLength) + #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ - (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ + ((n >> 2) >= client->req_len) || \ + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ return(BadLength) #define LEGAL_NEW_RESOURCE(id,client)\ Index: include/regionstr.h =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/include/regionstr.h,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 regionstr.h --- include/regionstr.h 23 Nov 2010 05:22:05 -0000 1.1.1.3 +++ include/regionstr.h 6 Dec 2014 23:40:01 -0000 @@ -108,7 +108,10 @@ static inline BoxPtr RegionEnd(RegionPtr } static inline size_t RegionSizeof(int n) { - return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); + if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) + return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); + else + return 0; } static inline void RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size) @@ -120,10 +123,10 @@ static inline void RegionInit(RegionPtr } else { + size_t rgnSize; (_pReg)->extents = RegionEmptyBox; - if (((_size) > 1) && ((_pReg)->data = - (RegDataPtr)malloc(RegionSizeof(_size)))) - { + if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && + (((_pReg)->data = malloc(rgnSize)) != NULL)) { (_pReg)->data->size = (_size); (_pReg)->data->numRects = 0; } Index: os/access.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/os/access.c,v retrieving revision 1.1.1.5 diff -p -u -p -r1.1.1.5 access.c --- os/access.c 2 Aug 2011 06:57:04 -0000 1.1.1.5 +++ os/access.c 6 Dec 2014 23:40:01 -0000 
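Review bot: Both length macros use their size argument without parentheses: `(uint64_t) extra` in REQUEST_AT_LEAST_EXTRA_SIZE casts only the first operand of a compound argument, and `(n >> 2)` in REQUEST_FIXED_SIZE shifts only the last operand when the argument contains `|`, `&` or `?:`. Arguments such as `stuff->count * 4` happen to group correctly, but the macros should not depend on that: `((uint64_t) (extra))` and `(((n) >> 2) >= client->req_len)`. A caller's `count * 4` is also evaluated in the caller's own type before the 64-bit widening here, so a comment on the macro should state that the caller must bound the count itself.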
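Review bot: `RegionSizeof` compares the signed `n` with a `size_t` bound, so a negative count is rejected only because it converts to a large unsigned value; `if (n >= 0 && (size_t) n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))` states the intent and avoids a sign-compare warning. The function now returns 0 as a failure value, which needs a comment such as `/* Returns 0 if n is negative or the size would not fit in an int; check before allocating. */`, because a caller passing the result straight to malloc would get a zero-byte allocation. RegionInit in the following hunk does check for 0; other callers are not visible in this patch.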
@@ -1405,6 +1405,10 @@ GetHosts ( { nHosts++; n += pad_to_int32(host->len) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1048576) + break; } if (n) { @@ -1416,6 +1420,8 @@ GetHosts ( for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > (data + n)) + break; ((xHostEntry *)ptr)->family = host->family; ((xHostEntry *)ptr)->length = len; ptr += sizeof(xHostEntry); Index: os/rpcauth.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/os/rpcauth.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 rpcauth.c --- os/rpcauth.c 23 Nov 2010 05:22:09 -0000 1.1.1.3 +++ os/rpcauth.c 6 Dec 2014 23:40:01 -0000 @@ -67,6 +67,10 @@ authdes_ezdecode(const char *inmsg, int SVCXPRT xprt; temp_inmsg = malloc(len); + if (temp_inmsg == NULL) { + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ + return NULL; + } memmove(temp_inmsg, inmsg, len); memset((char *)&msg, 0, sizeof(msg)); Index: randr/rrsdispatch.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 rrsdispatch.c --- randr/rrsdispatch.c 23 Nov 2010 05:22:11 -0000 1.1.1.3 +++ randr/rrsdispatch.c 6 Dec 2014 23:40:01 -0000 @@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client) register int n; REQUEST(xRRQueryVersionReq); + REQUEST_SIZE_MATCH(xRRQueryVersionReq); swaps(&stuff->length, n); swapl(&stuff->majorVersion, n); swapl(&stuff->minorVersion, n); @@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client) register int n; REQUEST(xRRGetScreenInfoReq); + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return (*ProcRandrVector[stuff->randrReqType]) (client); 
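Review bot: The bounds check added to the copy loop of GetHosts forms `ptr + sizeof(xHostEntry) + len` before comparing it with `data + n`, and computing a pointer beyond one past the end of the buffer is undefined behaviour in C, so the comparison is not guaranteed to work. Comparing sizes avoids that: `if (sizeof(xHostEntry) + len > (size_t) ((data + n) - ptr)) break;` (assuming `ptr` and `data` are byte pointers into the same allocation; their declarations are outside the hunk). Both this break and the 1 MB cap in the previous hunk truncate the returned list silently, and the comment should say that the reply may then list fewer hosts than are configured.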
@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client) register int n; REQUEST(xRRSelectInputReq); + REQUEST_SIZE_MATCH(xRRSelectInputReq); swaps(&stuff->length, n); swapl(&stuff->window, n); swaps(&stuff->enable, n); @@ -165,6 +168,7 @@ SProcRRConfigureOutputProperty (ClientPt int n; REQUEST(xRRConfigureOutputPropertyReq); + REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); swaps(&stuff->length, n); swapl(&stuff->output, n); swapl(&stuff->property, n); Index: render/render.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/render/render.c,v retrieving revision 1.1.1.7 diff -p -u -p -r1.1.1.7 render.c --- render/render.c 2 Aug 2011 06:57:05 -0000 1.1.1.7 +++ render/render.c 6 Dec 2014 23:40:01 -0000 @@ -278,11 +278,11 @@ ProcRenderQueryVersion (ClientPtr client xRenderQueryVersionReply rep; register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); memset(&rep, 0, sizeof(xRenderQueryVersionReply)); rep.type = X_Reply; rep.length = 0; @@ -2064,6 +2064,7 @@ SProcRenderQueryVersion (ClientPtr clien { register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); swaps(&stuff->length, n); swapl(&stuff->majorVersion, n); @@ -2076,6 +2077,7 @@ SProcRenderQueryPictFormats (ClientPtr c { register int n; REQUEST(xRenderQueryPictFormatsReq); + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); swaps(&stuff->length, n); return (*ProcRenderVector[stuff->renderReqType]) (client); } @@ -2085,6 +2087,7 @@ SProcRenderQueryPictIndexValues (ClientP { register int n; REQUEST(xRenderQueryPictIndexValuesReq); + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); swaps(&stuff->length, n); swapl(&stuff->format, n); return (*ProcRenderVector[stuff->renderReqType]) (client); 
@@ -2101,6 +2104,7 @@ SProcRenderCreatePicture (ClientPtr clie { register int n; REQUEST(xRenderCreatePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); swaps(&stuff->length, n); swapl(&stuff->pid, n); swapl(&stuff->drawable, n); @@ -2115,6 +2119,7 @@ SProcRenderChangePicture (ClientPtr clie { register int n; REQUEST(xRenderChangePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); swapl(&stuff->mask, n); @@ -2127,6 +2132,7 @@ SProcRenderSetPictureClipRectangles (Cli { register int n; REQUEST(xRenderSetPictureClipRectanglesReq); + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); swaps(&stuff->xOrigin, n); @@ -2140,6 +2146,7 @@ SProcRenderFreePicture (ClientPtr client { register int n; REQUEST(xRenderFreePictureReq); + REQUEST_SIZE_MATCH(xRenderFreePictureReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2150,6 +2157,7 @@ SProcRenderComposite (ClientPtr client) { register int n; REQUEST(xRenderCompositeReq); + REQUEST_SIZE_MATCH(xRenderCompositeReq); swaps(&stuff->length, n); swapl(&stuff->src, n); swapl(&stuff->mask, n); @@ -2170,6 +2178,7 @@ SProcRenderScale (ClientPtr client) { register int n; REQUEST(xRenderScaleReq); + REQUEST_SIZE_MATCH(xRenderScaleReq); swaps(&stuff->length, n); swapl(&stuff->src, n); swapl(&stuff->dst, n); @@ -2275,6 +2284,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli { register int n; REQUEST(xRenderCreateGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->gsid, n); swapl(&stuff->format, n); @@ -2286,6 +2296,7 @@ SProcRenderReferenceGlyphSet (ClientPtr { register int n; REQUEST(xRenderReferenceGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->gsid, n); swapl(&stuff->existing, n); 
@@ -2297,6 +2308,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien { register int n; REQUEST(xRenderFreeGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2311,6 +2323,7 @@ SProcRenderAddGlyphs (ClientPtr client) void *end; xGlyphInfo *gi; REQUEST(xRenderAddGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); swapl(&stuff->nglyphs, n); @@ -2347,6 +2360,7 @@ SProcRenderFreeGlyphs (ClientPtr client) { register int n; REQUEST(xRenderFreeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); SwapRestL(stuff); @@ -2365,6 +2379,7 @@ SProcRenderCompositeGlyphs (ClientPtr cl int size; REQUEST(xRenderCompositeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); switch (stuff->renderReqType) { default: size = 1; break; Index: test/Makefile.am =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/test/Makefile.am,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 Makefile.am --- test/Makefile.am 23 Nov 2010 05:22:13 -0000 1.1.1.1 +++ test/Makefile.am 6 Dec 2014 23:40:01 -0000 @@ -1,5 +1,5 @@ if UNITTESTS -SUBDIRS= . xi2 +SUBDIRS= . xi1 xi2 check_PROGRAMS = xkb input xtest check_LTLIBRARIES = libxservertest.la Index: test/xi1/Makefile.am =================================================================== RCS file: test/xi1/Makefile.am diff -N test/xi1/Makefile.am --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ test/xi1/Makefile.am 6 Dec 2014 23:40:01 -0000 
@@ -0,0 +1,34 @@
+if ENABLE_UNIT_TESTS
+if HAVE_LD_WRAP
+noinst_PROGRAMS = \
+ protocol-xchangedevicecontrol
+
+TESTS=$(noinst_PROGRAMS)
+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
+
+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
+
+if SPECIAL_DTRACE_OBJECTS
+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
+endif
+
+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
+
+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
+
+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
+
+else
+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
+TESTS = xi1-tests
+CLEANFILES = $(TESTS)
+
+xi1-tests:
+ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
+ @echo 'exit 77' >> $@
+ $(AM_V_GEN)chmod +x $@
+endif
+endif
Index: test/xi1/Makefile.am
===================================================================
RCS file: test/xi1/protocol-xchangedevicecontrol.c
diff -N test/xi1/protocol-xchangedevicecontrol.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ test/xi1/protocol-xchangedevicecontrol.c 6 Dec 2014 23:40:01 -0000
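Review bot: The new test/xi1/Makefile.am is guarded by `if ENABLE_UNIT_TESTS`, while the parent test/Makefile.am patched just before it uses `if UNITTESTS`. Automake rejects a conditional that configure never declares with AM_CONDITIONAL, so unless this tree's configure.ac defines ENABLE_UNIT_TESTS (not visible here) the guard should read `if UNITTESTS`. The same question applies to `HAVE_LD_WRAP` and `$(XORG_MALLOC_DEBUG_ENV)`, which look carried over from a newer tree and should be confirmed to exist in this one.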
@@ -0,0 +1,122 @@ +/** + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_DIX_CONFIG_H +#include +#endif + +/* + * Protocol testing for ChangeDeviceControl request. 
+ */ +#include +#include +#include +#include +#include "inputstr.h" +#include "chgdctl.h" + +#include "protocol-common.h" + +static ClientRec client_request; + +static void +reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata) +{ + xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data; + + if (client->swapped) { + swapl(&rep->length); + swaps(&rep->sequenceNumber); + } + + reply_check_defaults(rep, len, ChangeDeviceControl); + + /* XXX: check status code in reply */ +} + +static void +request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req, + xDeviceCtl *ctl, int error) +{ + int rc; + + client_request.req_len = req->length; + rc = ProcXChangeDeviceControl(&client_request); + assert(rc == error); + + /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */ + + client_request.swapped = TRUE; + swaps(&req->length); + swaps(&req->control); + swaps(&ctl->length); + swaps(&ctl->control); + /* XXX: swap other contents of ctl, depending on type */ + rc = SProcXChangeDeviceControl(&client_request); + assert(rc == error); +} + +static unsigned char *data[4096]; /* the request buffer */ + +static void +test_ChangeDeviceControl(void) +{ + xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data; + xDeviceCtl *control = (xDeviceCtl *) (&request[1]); + + request_init(request, ChangeDeviceControl); + + reply_handler = reply_ChangeDeviceControl; + + client_request = init_client(request->length, request); + + printf("Testing invalid lengths:\n"); + printf(" -- no control struct\n"); + request_ChangeDeviceControl(&client_request, request, control, BadLength); + + printf(" -- xDeviceResolutionCtl\n"); + request_init(request, ChangeDeviceControl); + request->control = DEVICE_RESOLUTION; + control->length = (sizeof(xDeviceResolutionCtl) >> 2); + request->length += control->length - 2; + request_ChangeDeviceControl(&client_request, request, control, BadLength); + + printf(" -- 
xDeviceEnableCtl\n"); + request_init(request, ChangeDeviceControl); + request->control = DEVICE_ENABLE; + control->length = (sizeof(xDeviceEnableCtl) >> 2); + request->length += control->length - 2; + request_ChangeDeviceControl(&client_request, request, control, BadLength); + + /* XXX: Test functionality! */ +} + +int +main(int argc, char **argv) +{ + init_simple(); + + test_ChangeDeviceControl(); + + return 0; +} Index: test/xi2/protocol-xigetclientpointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 protocol-xigetclientpointer.c --- test/xi2/protocol-xigetclientpointer.c 23 Nov 2010 05:22:14 -0000 1.1.1.1 +++ test/xi2/protocol-xigetclientpointer.c 6 Dec 2014 23:40:01 -0000 @@ -125,6 +125,11 @@ static void test_XIGetClientPointer(void request.win = INVALID_WINDOW_ID; request_XIGetClientPointer(&client_request, &request, BadWindow); + printf("Testing invalid length\n"); + client_request.req_len -= 4; + request_XIGetClientPointer(&client_request, &request, BadLength); + client_request.req_len += 4; + test_data.cp_is_set = FALSE; g_test_message("Testing window None, unset ClientPointer."); Index: test/xi2/protocol-xiquerypointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 protocol-xiquerypointer.c --- test/xi2/protocol-xiquerypointer.c 23 Nov 2010 05:22:14 -0000 1.1.1.1 +++ test/xi2/protocol-xiquerypointer.c 6 Dec 2014 23:40:01 -0000 
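Review bot: request_ChangeDeviceControl calls `swaps(&req->length)` and reply_ChangeDeviceControl calls `swapl(&rep->length)` with one argument, but every server-side hunk in this patch uses the two-argument form, `swaps(&stuff->length, n)` with a local `n`. The macro definitions are not visible here, but if this tree only has the two-argument form the new test will not compile; in that case declare `int n;` in both functions and write `swaps(&req->length, n);`. Separately, `static unsigned char *data[4096];` declares an array of pointers although its comment calls it the request buffer; `static unsigned char data[4096];` matches the stated intent.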
@@ -205,6 +205,10 @@ static void test_XIQueryPointer(void) test_data.dev = devices.mouse; request.deviceid = devices.mouse->id; request_XIQueryPointer(&client_request, &request, Success); + + /* test REQUEST_SIZE_MATCH */ + client_request.req_len -= 4; + request_XIQueryPointer(&client_request, &request, BadLength); } int main(int argc, char** argv) Index: test/xi2/protocol-xiwarppointer.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c,v retrieving revision 1.1.1.1 diff -p -u -p -r1.1.1.1 protocol-xiwarppointer.c --- test/xi2/protocol-xiwarppointer.c 23 Nov 2010 05:22:14 -0000 1.1.1.1 +++ test/xi2/protocol-xiwarppointer.c 6 Dec 2014 23:40:01 -0000 @@ -200,6 +200,9 @@ static void test_XIWarpPointer(void) request_XIWarpPointer(&client_request, &request, Success); /* FIXME: src_x/y checks */ + + client_request.req_len -= 2; /* invalid length */ + request_XIWarpPointer(&client_request, &request, BadLength); } int main(int argc, char** argv) Index: xfixes/select.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/xfixes/select.c,v retrieving revision 1.1.1.3 diff -p -u -p -r1.1.1.3 select.c --- xfixes/select.c 23 Nov 2010 05:22:16 -0000 1.1.1.3 +++ xfixes/select.c 6 Dec 2014 23:40:01 -0000 @@ -223,6 +223,7 @@ SProcXFixesSelectSelectionInput (ClientP register int n; REQUEST(xXFixesSelectSelectionInputReq); + REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); swaps(&stuff->length, n); swapl(&stuff->window, n); swapl(&stuff->selection, n);