From ef5aab4cc998f423bbe9db0c1a7aba563acb295d Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Wed, 26 Jan 2011 13:06:53 +0100
Subject: [PATCH 2/3] glx: fix BindTexImageEXT length check
The request is followed by a list of attributes.
Signed-off-by: Julien Cristau
---
 glx/glxcmds.c | 9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0b375c3..685b40d 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1697,13 +1697,20 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 GLXDrawable drawId;
 int buffer;
 int error;
+ CARD32 num_attribs;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq, 12);
 pc += __GLX_VENDPRIV_HDR_SIZE;
 drawId = *((CARD32 *) (pc));
 buffer = *((INT32 *) (pc + 4));
+ num_attribs = *((CARD32 *) (pc + 8));
+ if (num_attribs > (UINT32_MAX >> 3)) {
+ client->errorValue = num_attribs;
+ return BadValue;
+ }
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
 if (buffer != GLX_FRONT_LEFT_EXT) return __glXError(GLXBadPixmap);
--
1.7.2.3
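Review bot: The lower-bound check `REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq, 12)` is given two arguments, but as far as I recall the dix macro takes only the request type, so this line either fails to build or does not account for the 12 bytes that follow the header. That bound is what makes the new read of `num_attribs` at `pc + 8` safe, since the value comes straight from the client's request; I would spell it out as `if (((sizeof(xGLXVendorPrivateReq) + 12) >> 2) > client->req_len) return BadLength;`. The cap `UINT32_MAX >> 3` also still lets `12 + (num_attribs << 3)` wrap in 32 bits at the very top of the range, which is harmless only because the wrapped size falls below that minimum; a one-line comment saying so, or the tighter `(UINT32_MAX - 12) >> 3`, would make the dependency explicit. The function starts and ends outside the hunk, so I am assuming `client` is declared above it.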