From 840518e1664b273e1e2b74a68297f1f17a13d934 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 3 Jul 2010 19:47:55 +0100 Subject: [PATCH 3/3] glx: validate request lengths --- glx/glxcmds.c | 159 +++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 149 insertions(+), 10 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 6238b15..29859f9 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -315,11 +315,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId, int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -331,11 +334,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -347,12 +353,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -363,10 +372,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) } int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + if (!validGlxContext(cl->client, req->context, DixDestroyAccess, &glxc, &err)) return err; @@ -679,24 +691,33 @@ DoMakeCurrent(__GLXclientState *cl, int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->drawable, req->context, req->oldContextTag ); } int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->readdrawable, req->context, req->oldContextTag ); } int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + return DoMakeCurrent( cl, req->drawable, req->readable, req->context, req->oldContextTag ); } @@ -709,6 +730,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc) __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err)) return err; @@ -733,6 +756,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc) xGLXQueryVersionReply reply; GLuint major, minor; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + major = req->majorVersion; minor = req->minorVersion; (void)major; @@ -759,11 +784,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc) int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -783,11 +812,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -807,13 +840,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; - GLXContextID source = req->source; - GLXContextID dest = req->dest; - GLXContextTag tag = req->contextTag; - unsigned long mask = req->mask; + GLXContextID source; + GLXContextID dest; + GLXContextTag tag; + unsigned long mask; __GLXcontext *src, *dst; int error; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + + source = req->source; + dest = req->dest; + tag = req->contextTag; + mask = req->mask; if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error)) return error; if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error)) @@ -896,6 +935,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc) __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; @@ -1075,13 +1116,17 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen) int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); return DoGetFBConfigs(cl, req->screen); } int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } @@ -1207,11 +1252,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID, int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -1223,11 +1271,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1246,12 +1297,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapWithConfigSGIXReq *req = (xGLXCreateGLXPixmapWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1278,15 +1332,21 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type) int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1325,10 +1385,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc; CARD32 *attrs; int width, height, i; + REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); + attrs = (CARD32 *) (req + 1); width = 0; height = 0; @@ -1354,23 +1417,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); } int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } @@ -1401,18 +1473,24 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable, int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } @@ -1426,6 +1504,8 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) DrawablePtr pDraw; int err; + REQUEST_SIZE_MATCH(xGLXCreateWindowReq); + LEGAL_NEW_RESOURCE(req->glxwindow, client); if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) @@ -1449,8 +1529,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } @@ -1466,12 +1549,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc; - GLXContextTag tag = req->contextTag; - XID drawId = req->drawable; + GLXContextTag tag; + XID drawId; __GLXcontext *glxc = NULL; __GLXdrawable *pGlxDraw; int error; + REQUEST_SIZE_MATCH(xGLXSwapBuffersReq); + + tag = req->contextTag; + drawId = req->drawable; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) { @@ -1552,15 +1639,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId) int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq); + return DoQueryContext(cl, req->context); } int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextReq); + return DoQueryContext(cl, req->context); } @@ -1574,6 +1667,8 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1608,6 +1703,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc) int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1643,6 +1740,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc) (void) client; (void) req; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1731,16 +1830,22 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId) int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + return DoGetDrawableAttributes(cl, req->drawable); } int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesSGIXReq *req = (xGLXGetDrawableAttributesSGIXReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq); + return DoGetDrawableAttributes(cl, req->drawable); } @@ -1765,6 +1870,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc) __GLXcontext *glxc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderReq); + req = (xGLXRenderReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -1785,6 +1892,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc) __GLXdispatchRenderProcPtr proc; int err; + if (left < sizeof(__GLXrenderHeader)) + return BadLength; + /* ** Verify that the header length and the overall length agree. ** Also, each command must be word aligned. @@ -2066,6 +2176,8 @@ int __glXDisp_BindSwapBarrierSGIX(__GLXclientState *cl, GLbyte *pc) int screen, rc; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXBindSwapBarrierSGIXReq); + rc = dixLookupDrawable(&pDraw, drawable, client, 0, DixGetAttrAccess); pGlxScreen = glxGetScreen(pDraw->pScreen); if (rc == Success && (pDraw->type == DRAWABLE_WINDOW)) { @@ -2095,9 +2207,14 @@ int __glXDisp_QueryMaxSwapBarriersSGIX(__GLXclientState *cl, GLbyte *pc) (xGLXQueryMaxSwapBarriersSGIXReq *) pc; xGLXQueryMaxSwapBarriersSGIXReply reply; int screen = req->screen; + int err; __GLXscreen *pGlxScreen; - pGlxScreen = glxGetScreen(screenInfo.screens[screen]); + REQUEST_SIZE_MATCH(xGLXQueryMaxSwapBarriersSGIXReq); + + if (!validGlxScreen(client, screen, &pGlxScreen, &err)) + return err; + if (pGlxScreen->swapBarrierFuncs) reply.max = pGlxScreen->swapBarrierFuncs->queryMaxSwapBarriersFunc(screen); else @@ -2135,6 +2252,8 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc) int n= 0; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXQueryHyperpipeNetworkSGIXReq); + if (!validGlxScreen(client, screen, &pGlxScreen, &err)) return err; @@ -2176,6 +2295,8 @@ int __glXDisp_DestroyHyperpipeConfigSGIX (__GLXclientState *cl, GLbyte *pc) int hpId ; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXDestroyHyperpipeConfigSGIXReq); + hpId = req->hpId; if (!validGlxScreen(client, screen, &pGlxScreen, &err)) @@ -2217,6 +2338,8 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc) int hpId; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXQueryHyperpipeConfigSGIXReq); + hpId = req->hpId; if (!validGlxScreen(client, screen, &pGlxScreen, &err)) @@ -2264,6 +2387,8 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc) int hpId=-1; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXHyperpipeConfigSGIXReq); + if (!validGlxScreen(client, screen, &pGlxScreen, &err)) return err; @@ -2307,10 +2432,12 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2326,10 +2453,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2352,6 +2481,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc) char *buf; int err; + REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2391,6 +2522,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc) int err; char ver_str[16]; + REQUEST_SIZE_MATCH(xGLXQueryServerStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2438,13 +2571,19 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc) int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc; const char *buf; + REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq); + + buf = (const char *)(req+1); + if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq))) + return BadLength; + cl->GLClientmajorVersion = req->major; cl->GLClientminorVersion = req->minor; free(cl->GLClientextensions); - buf = (const char *)(req+1); cl->GLClientextensions = strdup(buf); return Success; -- 1.7.1