From 5020328ae9c11ca1b924fc13f108fab3f941f25d Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 3 Jul 2010 19:51:15 +0100
Subject: [PATCH 2/3] glx: validate client-provided screen number

---
 glx/glxcmds.c |   20 ++++++++++++++++----
 1 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 1756029..6238b15 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2126,6 +2126,7 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXQueryHyperpipeNetworkSGIXReq * req = (xGLXQueryHyperpipeNetworkSGIXReq *) pc;
     xGLXQueryHyperpipeNetworkSGIXReply reply;
     int screen = req->screen;
+    int err;
     void *rdata = NULL;
 
     int length=0;
@@ -2134,7 +2135,9 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc)
     int n= 0;
     __GLXscreen *pGlxScreen;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    if (!validGlxScreen(client, screen, &pGlxScreen, &err))
+	return err;
+
     if (pGlxScreen->hyperpipeFuncs) {
         rdata =
             (pGlxScreen->hyperpipeFuncs->queryHyperpipeNetworkFunc(screen, &npipes, &n));
@@ -2168,13 +2171,16 @@ int __glXDisp_DestroyHyperpipeConfigSGIX (__GLXclientState *cl, GLbyte *pc)
         (xGLXDestroyHyperpipeConfigSGIXReq *) pc;
     xGLXDestroyHyperpipeConfigSGIXReply reply;
     int screen = req->screen;
+    int err;
     int  success = GLX_BAD_HYPERPIPE_SGIX;
     int hpId ;
     __GLXscreen *pGlxScreen;
 
     hpId = req->hpId;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    if (!validGlxScreen(client, screen, &pGlxScreen, &err))
+	return err;
+
     if (pGlxScreen->hyperpipeFuncs) {
         success = pGlxScreen->hyperpipeFuncs->destroyHyperpipeConfigFunc(screen, hpId);
     }
@@ -2203,6 +2209,7 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
         (xGLXQueryHyperpipeConfigSGIXReq *) pc;
     xGLXQueryHyperpipeConfigSGIXReply reply;
     int screen = req->screen;
+    int err;
     void *rdata = NULL;
     int length;
     int npipes=0;
@@ -2212,7 +2219,9 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 
     hpId = req->hpId;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    if (!validGlxScreen(client, screen, &pGlxScreen, &err))
+	return err;
+
     if (pGlxScreen->hyperpipeFuncs) {
         rdata = pGlxScreen->hyperpipeFuncs->queryHyperpipeConfigFunc(screen, hpId,&npipes, &n);
     }
@@ -2248,13 +2257,16 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
         (xGLXHyperpipeConfigSGIXReq *) pc;
     xGLXHyperpipeConfigSGIXReply reply;
     int screen = req->screen;
+    int err;
     void *rdata;
 
     int npipes=0, networkId;
     int hpId=-1;
     __GLXscreen *pGlxScreen;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    if (!validGlxScreen(client, screen, &pGlxScreen, &err))
+	return err;
+
     networkId = (int)req->networkId;
     npipes = (int)req->npipes;
     rdata = (void *)(req +1);
-- 
1.7.1