From 1cf702fe998ad145b5ebd846d8559b469a5055b4 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 3 Jul 2010 19:47:55 +0100 Subject: [PATCH 3/5] glx: validate request lengths Signed-off-by: Julien Cristau --- glx/glxcmds.c | 159 +++++++++++++++++++++++++++++++++++++++++++++++++++++---- glx/xfont.c | 2 + 2 files changed, 151 insertions(+), 10 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 37f9136..70c766c 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -315,11 +315,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId, int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -331,11 +334,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -347,12 +353,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -363,10 +372,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) } int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + if (!validGlxContext(cl->client, req->context, DixDestroyAccess, &glxc, &err)) return err; @@ -686,24 +698,33 @@ DoMakeCurrent(__GLXclientState *cl, int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->drawable, req->context, req->oldContextTag ); } int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->readdrawable, req->context, req->oldContextTag ); } int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + return DoMakeCurrent( cl, req->drawable, req->readable, req->context, req->oldContextTag ); } @@ -716,6 +737,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc) __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err)) return err; @@ -740,6 +763,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc) xGLXQueryVersionReply reply; GLuint major, minor; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + major = req->majorVersion; minor = req->minorVersion; (void)major; @@ -766,11 +791,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc) int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -790,11 +819,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -814,13 +847,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; - GLXContextID source = req->source; - GLXContextID dest = req->dest; - GLXContextTag tag = req->contextTag; - unsigned long mask = req->mask; + GLXContextID source; + GLXContextID dest; + GLXContextTag tag; + unsigned long mask; __GLXcontext *src, *dst; int error; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + + source = req->source; + dest = req->dest; + tag = req->contextTag; + mask = req->mask; if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error)) return error; if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error)) @@ -903,6 +942,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc) __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; @@ -1082,13 +1123,17 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen) int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); return DoGetFBConfigs(cl, req->screen); } int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } @@ -1214,11 +1259,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID, int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -1230,11 +1278,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1253,12 +1304,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapWithConfigSGIXReq *req = (xGLXCreateGLXPixmapWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1285,15 +1339,21 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type) int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1332,10 +1392,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc; CARD32 *attrs; int width, height, i; + REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); + attrs = (CARD32 *) (req + 1); width = 0; height = 0; @@ -1361,23 +1424,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); } int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } @@ -1408,18 +1480,24 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable, int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } @@ -1433,6 +1511,8 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) DrawablePtr pDraw; int err; + REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); + LEGAL_NEW_RESOURCE(req->glxwindow, client); if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) @@ -1456,8 +1536,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } @@ -1473,12 +1556,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc; - GLXContextTag tag = req->contextTag; - XID drawId = req->drawable; + GLXContextTag tag; + XID drawId; __GLXcontext *glxc = NULL; __GLXdrawable *pGlxDraw; int error; + REQUEST_SIZE_MATCH(xGLXSwapBuffersReq); + + tag = req->contextTag; + drawId = req->drawable; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) { @@ -1559,15 +1646,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId) int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq); + return DoQueryContext(cl, req->context); } int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextReq); + return DoQueryContext(cl, req->context); } @@ -1581,6 +1674,8 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1615,6 +1710,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc) int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1650,6 +1747,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc) (void) client; (void) req; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1738,16 +1837,22 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId) int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + return DoGetDrawableAttributes(cl, req->drawable); } int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesSGIXReq *req = (xGLXGetDrawableAttributesSGIXReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq); + return DoGetDrawableAttributes(cl, req->drawable); } @@ -1772,6 +1877,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc) __GLXcontext *glxc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderReq); + req = (xGLXRenderReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -1792,6 +1899,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc) __GLXdispatchRenderProcPtr proc; int err; + if (left < sizeof(__GLXrenderHeader)) + return BadLength; + /* ** Verify that the header length and the overall length agree. ** Also, each command must be word aligned. @@ -2073,6 +2183,8 @@ int __glXDisp_BindSwapBarrierSGIX(__GLXclientState *cl, GLbyte *pc) int screen, rc; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXBindSwapBarrierSGIXReq); + rc = dixLookupDrawable(&pDraw, drawable, client, 0, DixGetAttrAccess); pGlxScreen = glxGetScreen(pDraw->pScreen); if (rc == Success && (pDraw->type == DRAWABLE_WINDOW)) { @@ -2102,9 +2214,14 @@ int __glXDisp_QueryMaxSwapBarriersSGIX(__GLXclientState *cl, GLbyte *pc) (xGLXQueryMaxSwapBarriersSGIXReq *) pc; xGLXQueryMaxSwapBarriersSGIXReply reply; int screen = req->screen; + int err; __GLXscreen *pGlxScreen; - pGlxScreen = glxGetScreen(screenInfo.screens[screen]); + REQUEST_SIZE_MATCH(xGLXQueryMaxSwapBarriersSGIXReq); + + if (!validGlxScreen(client, screen, &pGlxScreen, &err)) + return err; + if (pGlxScreen->swapBarrierFuncs) reply.max = pGlxScreen->swapBarrierFuncs->queryMaxSwapBarriersFunc(screen); else @@ -2142,6 +2259,8 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc) int n= 0; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXQueryHyperpipeNetworkSGIXReq); + if (!validGlxScreen(client, screen, &pGlxScreen, &err)) return err; @@ -2183,6 +2302,8 @@ int __glXDisp_DestroyHyperpipeConfigSGIX (__GLXclientState *cl, GLbyte *pc) int hpId ; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXDestroyHyperpipeConfigSGIXReq); + hpId = req->hpId; if (!validGlxScreen(client, screen, &pGlxScreen, &err)) @@ -2224,6 +2345,8 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc) int hpId; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXQueryHyperpipeConfigSGIXReq); + hpId = req->hpId; if (!validGlxScreen(client, screen, &pGlxScreen, &err)) @@ -2271,6 +2394,8 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc) int hpId=-1; __GLXscreen *pGlxScreen; + REQUEST_SIZE_MATCH(xGLXHyperpipeConfigSGIXReq); + if (!validGlxScreen(client, screen, &pGlxScreen, &err)) return err; @@ -2314,10 +2439,12 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2333,10 +2460,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2359,6 +2488,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc) char *buf; int err; + REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2398,6 +2529,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc) int err; char ver_str[16]; + REQUEST_SIZE_MATCH(xGLXQueryServerStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2445,13 +2578,19 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc) int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc; const char *buf; + REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq); + + buf = (const char *)(req+1); + if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq))) + return BadLength; + cl->GLClientmajorVersion = req->major; cl->GLClientminorVersion = req->minor; free(cl->GLClientextensions); - buf = (const char *)(req+1); cl->GLClientextensions = strdup(buf); return Success; diff --git a/glx/xfont.c b/glx/xfont.c index b4081cf..eafac01 100644 --- a/glx/xfont.c +++ b/glx/xfont.c @@ -155,6 +155,8 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc) __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXUseXFontReq); + req = (xGLXUseXFontReq *) pc; cx = __glXForceCurrent(cl, req->contextTag, &error); if (!cx) { -- 1.7.1