1426N/ABackport to 1.14 of security patches from X.Org Security Advisory 2014-12-09
1426N/A( http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/ )
1426N/Aplus some additional patches they depend on.
1426N/A
1426N/AFrom 76b3be75b62657e346731444736f7e4d200beb5b Mon Sep 17 00:00:00 2001
1426N/AFrom: Peter Hutterer <peter.hutterer@who-t.net>
1426N/ADate: Fri, 24 Jan 2014 16:51:02 +1000
1426N/ASubject: [PATCH 1/40] Xi: fix modifier offset in XIPassiveGrab swapping
1426N/A function
1426N/A
1426N/AThe request is followed by mask_len 4-byte units, then followed by the actual
1426N/Amodifiers.
1426N/A
1426N/AAlso fix up the swapping test, which had the same issue.
1426N/A
1426N/AReported-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A Xi/xipassivegrab.c | 2 +-
1426N/A test/xi2/protocol-xipassivegrabdevice.c | 9 ++++++++-
1426N/A 2 files changed, 9 insertions(+), 2 deletions(-)
1426N/A
1426N/Adiff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
1426N/Aindex eccec0a..8aba977 100644
1426N/A--- a/Xi/xipassivegrab.c
1426N/A+++ b/Xi/xipassivegrab.c
1426N/A@@ -63,7 +63,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
1426N/A swaps(&stuff->mask_len);
1426N/A swaps(&stuff->num_modifiers);
1426N/A
1426N/A- mods = (uint32_t *) &stuff[1];
1426N/A+ mods = (uint32_t *) &stuff[1] + stuff->mask_len;
1426N/A
1426N/A for (i = 0; i < stuff->num_modifiers; i++, mods++) {
1426N/A swapl(mods);
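Review bot: The swap loop that follows now starts at `&stuff[1] + stuff->mask_len` and runs `num_modifiers` times, yet nothing in this hunk ties `mask_len + num_modifiers` to the request length, so a short request from a swapped client would be byte-swapped past the end of its buffer. SProcXIPassiveGrabDevice begins before the hunk, so an earlier check may exist; if it does not, a guard such as `if (stuff->length != bytes_to_int32(sizeof(xXIPassiveGrabDeviceReq)) + stuff->mask_len + stuff->num_modifiers) return BadLength;` belongs before the `mods` assignment, once `stuff->length` has been swapped. The diffstat of PATCH 11/40 lists Xi/xipassivegrab.c, so that patch may be where such a check lands; confirm before backporting this patch on its own.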
1426N/Adiff --git a/test/xi2/protocol-xipassivegrabdevice.c b/test/xi2/protocol-xipassivegrabdevice.c
1426N/Aindex 1e2341e..c747ddf 100644
1426N/A--- a/test/xi2/protocol-xipassivegrabdevice.c
1426N/A+++ b/test/xi2/protocol-xipassivegrabdevice.c
1426N/A@@ -137,6 +137,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
1426N/A {
1426N/A int rc;
1426N/A int modifiers;
1426N/A+ int mask_len;
1426N/A
1426N/A rc = ProcXIPassiveGrabDevice(&client_request);
1426N/A assert(rc == error);
1426N/A@@ -153,10 +154,11 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
1426N/A swaps(&req->deviceid);
1426N/A modifiers = req->num_modifiers;
1426N/A swaps(&req->num_modifiers);
1426N/A+ mask_len = req->mask_len;
1426N/A swaps(&req->mask_len);
1426N/A
1426N/A while (modifiers--) {
1426N/A- CARD32 *mod = ((CARD32 *) (req + 1)) + modifiers;
1426N/A+ CARD32 *mod = (CARD32 *) (req + 1) + mask_len + modifiers;
1426N/A
1426N/A swapl(mod);
1426N/A }
1426N/A@@ -228,6 +230,11 @@ test_XIPassiveGrabDevice(void)
1426N/A request->detail = XIAnyButton;
1426N/A request_XIPassiveGrabDevice(&client_request, request, Success, 0);
1426N/A
1426N/A+ /* Set a few random masks to make sure we handle modifiers correctly */
1426N/A+ SetBit(mask, XI_ButtonPress);
1426N/A+ SetBit(mask, XI_KeyPress);
1426N/A+ SetBit(mask, XI_Enter);
1426N/A+
1426N/A /* some modifiers */
1426N/A request->num_modifiers = N_MODS;
1426N/A request->length += N_MODS;
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 995ecfb51d4ab8197e4591d5c0957e08a0bd6a59 Mon Sep 17 00:00:00 2001
1426N/AFrom: Peter Hutterer <peter.hutterer@who-t.net>
1426N/ADate: Thu, 30 Oct 2014 09:00:21 +1000
1426N/ASubject: [PATCH 2/40] include: change RegionSize() to take a size_t
1426N/A
1426N/A/usr/include/xorg/regionstr.h:130:36: warning: implicit conversion changes
1426N/Asignedness: 'int' to 'unsigned long' [-Wsign-conversion]
1426N/A return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
1426N/A ^ ~
1426N/A
1426N/AReally only just pushes the problem to the caller, but maybe that motivates
1426N/Asomeone to fix it.
1426N/A
1426N/ASigned-off-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A include/regionstr.h | 2 +-
1426N/A 1 file changed, 1 insertion(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/include/regionstr.h b/include/regionstr.h
1426N/Aindex 4a0725d..515e93f 100644
1426N/A--- a/include/regionstr.h
1426N/A+++ b/include/regionstr.h
1426N/A@@ -125,7 +125,7 @@ RegionEnd(RegionPtr reg)
1426N/A }
1426N/A
1426N/A static inline size_t
1426N/A-RegionSizeof(int n)
1426N/A+RegionSizeof(size_t n)
1426N/A {
1426N/A return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
1426N/A }
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 61a292adf45405641de1c522a04c148e0a152acd Mon Sep 17 00:00:00 2001
1426N/AFrom: Keith Packard <keithp@keithp.com>
1426N/ADate: Thu, 9 Oct 2014 15:17:17 +0200
1426N/ASubject: [PATCH 3/40] glx: check return from __glXGetAnswerBuffer
1426N/A
1426N/AThis function can return NULL; make sure every caller tests for that.
1426N/A
1426N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Keith Packard <keithp@keithp.com>
1426N/A---
1426N/A glx/indirect_dispatch.c | 25 +++++++++++++++++++++++++
1426N/A glx/indirect_dispatch_swap.c | 26 ++++++++++++++++++++++++++
1426N/A 2 files changed, 51 insertions(+)
1426N/A
1426N/Adiff --git a/glx/indirect_dispatch.c b/glx/indirect_dispatch.c
1426N/Aindex 329b2e6..f6cabef 100644
1426N/A--- a/glx/indirect_dispatch.c
1426N/A+++ b/glx/indirect_dispatch.c
1426N/A@@ -2464,6 +2464,9 @@ __glXDisp_AreTexturesResident(__GLXclientState * cl, GLbyte * pc)
1426N/A GLboolean answerBuffer[200];
1426N/A GLboolean *residences =
1426N/A __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
1426N/A+
1426N/A+ if (residences == NULL)
1426N/A+ return BadAlloc;
1426N/A retval =
1426N/A CALL_AreTexturesResident(GET_DISPATCH(),
1426N/A (n, (const GLuint *) (pc + 4),
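Review bot: A NULL `residences` is reported as BadAlloc, but `n` (declared above the hunk) is the client-supplied count, and if it is a signed GLsizei a negative value is turned into a very large size_t on the way into `__glXGetAnswerBuffer` and surfaces here as an allocation failure rather than an invalid argument. If `n` is signed, `if (n < 0) return BadValue;` before the buffer request distinguishes bad input from memory pressure; the same applies to every hunk in this commit, and in the Gen* handlers `n * 4` additionally overflows for large positive `n` before the size_t conversion. Style: the added check is padded with blank lines on both sides in some hunks (GenFramebuffers, GenRenderbuffers) and only above or only below in others; pick one layout.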
1426N/A@@ -2488,6 +2491,9 @@ __glXDisp_AreTexturesResidentEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A GLboolean answerBuffer[200];
1426N/A GLboolean *residences =
1426N/A __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
1426N/A+
1426N/A+ if (residences == NULL)
1426N/A+ return BadAlloc;
1426N/A retval =
1426N/A CALL_AreTexturesResident(GET_DISPATCH(),
1426N/A (n, (const GLuint *) (pc + 4),
1426N/A@@ -2593,6 +2599,9 @@ __glXDisp_GenTextures(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *textures =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (textures == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenTextures(GET_DISPATCH(), (n, textures));
1426N/A __glXSendReply(cl->client, textures, n, 4, GL_TRUE, 0);
1426N/A error = Success;
1426N/A@@ -2616,6 +2625,9 @@ __glXDisp_GenTexturesEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *textures =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (textures == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenTextures(GET_DISPATCH(), (n, textures));
1426N/A __glXSendReply(cl->client, textures, n, 4, GL_TRUE, 0);
1426N/A error = Success;
1426N/A@@ -3883,6 +3895,9 @@ __glXDisp_GenQueries(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *ids =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (ids == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenQueriesARB(GET_DISPATCH(), (n, ids));
1426N/A __glXSendReply(cl->client, ids, n, 4, GL_TRUE, 0);
1426N/A error = Success;
1426N/A@@ -4253,6 +4268,9 @@ __glXDisp_GenProgramsARB(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *programs =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (programs == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenProgramsNV(GET_DISPATCH(), (n, programs));
1426N/A __glXSendReply(cl->client, programs, n, 4, GL_TRUE, 0);
1426N/A error = Success;
1426N/A@@ -4630,6 +4648,10 @@ __glXDisp_GenFramebuffers(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *framebuffers =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (framebuffers == NULL)
1426N/A+ return BadAlloc;
1426N/A+
1426N/A CALL_GenFramebuffersEXT(GET_DISPATCH(), (n, framebuffers));
1426N/A __glXSendReply(cl->client, framebuffers, n, 4, GL_TRUE, 0);
1426N/A error = Success;
1426N/A@@ -4655,6 +4677,9 @@ __glXDisp_GenRenderbuffers(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *renderbuffers =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (renderbuffers == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenRenderbuffersEXT(GET_DISPATCH(), (n, renderbuffers));
1426N/A __glXSendReply(cl->client, renderbuffers, n, 4, GL_TRUE, 0);
1426N/A error = Success;
1426N/Adiff --git a/glx/indirect_dispatch_swap.c b/glx/indirect_dispatch_swap.c
1426N/Aindex 647d0c9..c0bb64d 100644
1426N/A--- a/glx/indirect_dispatch_swap.c
1426N/A+++ b/glx/indirect_dispatch_swap.c
1426N/A@@ -2731,6 +2731,9 @@ __glXDispSwap_AreTexturesResident(__GLXclientState * cl, GLbyte * pc)
1426N/A GLboolean answerBuffer[200];
1426N/A GLboolean *residences =
1426N/A __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
1426N/A+
1426N/A+ if (residences == NULL)
1426N/A+ return BadAlloc;
1426N/A retval =
1426N/A CALL_AreTexturesResident(GET_DISPATCH(),
1426N/A (n,
1426N/A@@ -2759,6 +2762,9 @@ __glXDispSwap_AreTexturesResidentEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A GLboolean answerBuffer[200];
1426N/A GLboolean *residences =
1426N/A __glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
1426N/A+
1426N/A+ if (residences == NULL)
1426N/A+ return BadAlloc;
1426N/A retval =
1426N/A CALL_AreTexturesResident(GET_DISPATCH(),
1426N/A (n,
1426N/A@@ -2878,6 +2884,9 @@ __glXDispSwap_GenTextures(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *textures =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (textures == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenTextures(GET_DISPATCH(), (n, textures));
1426N/A (void) bswap_32_array((uint32_t *) textures, n);
1426N/A __glXSendReplySwap(cl->client, textures, n, 4, GL_TRUE, 0);
1426N/A@@ -2903,6 +2912,9 @@ __glXDispSwap_GenTexturesEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *textures =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (textures == NULL)
1426N/A+ return BadAlloc;
1426N/A CALL_GenTextures(GET_DISPATCH(), (n, textures));
1426N/A (void) bswap_32_array((uint32_t *) textures, n);
1426N/A __glXSendReplySwap(cl->client, textures, n, 4, GL_TRUE, 0);
1426N/A@@ -4290,6 +4302,9 @@ __glXDispSwap_GenQueries(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *ids =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+ if (ids == NULL)
1426N/A+ return BadAlloc;
1426N/A+
1426N/A CALL_GenQueriesARB(GET_DISPATCH(), (n, ids));
1426N/A (void) bswap_32_array((uint32_t *) ids, n);
1426N/A __glXSendReplySwap(cl->client, ids, n, 4, GL_TRUE, 0);
1426N/A@@ -4697,6 +4712,9 @@ __glXDispSwap_GenProgramsARB(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *programs =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+ if (programs == NULL)
1426N/A+ return BadAlloc;
1426N/A+
1426N/A CALL_GenProgramsNV(GET_DISPATCH(), (n, programs));
1426N/A (void) bswap_32_array((uint32_t *) programs, n);
1426N/A __glXSendReplySwap(cl->client, programs, n, 4, GL_TRUE, 0);
1426N/A@@ -5122,6 +5140,10 @@ __glXDispSwap_GenFramebuffers(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *framebuffers =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (framebuffers == NULL)
1426N/A+ return BadAlloc;
1426N/A+
1426N/A CALL_GenFramebuffersEXT(GET_DISPATCH(), (n, framebuffers));
1426N/A (void) bswap_32_array((uint32_t *) framebuffers, n);
1426N/A __glXSendReplySwap(cl->client, framebuffers, n, 4, GL_TRUE, 0);
1426N/A@@ -5149,6 +5171,10 @@ __glXDispSwap_GenRenderbuffers(__GLXclientState * cl, GLbyte * pc)
1426N/A GLuint *renderbuffers =
1426N/A __glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
1426N/A 4);
1426N/A+
1426N/A+ if (renderbuffers == NULL)
1426N/A+ return BadAlloc;
1426N/A+
1426N/A CALL_GenRenderbuffersEXT(GET_DISPATCH(), (n, renderbuffers));
1426N/A (void) bswap_32_array((uint32_t *) renderbuffers, n);
1426N/A __glXSendReplySwap(cl->client, renderbuffers, n, 4, GL_TRUE, 0);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 90cc925c5991fcb203f72d00b04419cd754a9b2c Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Fri, 17 Jan 2014 18:54:03 -0800
1426N/ASubject: [PATCH 04/40] unchecked malloc may allow unauthed client to crash
1426N/A Xserver [CVE-2014-8091]
1426N/A
1426N/Aauthdes_ezdecode() calls malloc() using a length provided by the
1426N/Aconnection handshake sent by a newly connected client in order
1426N/Ato authenticate to the server, so should be treated as untrusted.
1426N/A
1426N/AIt didn't check if malloc() failed before writing to the newly
1426N/Aallocated buffer, so could lead to a server crash if the server
1426N/Afails to allocate memory (up to UINT16_MAX bytes, since the len
1426N/Afield is a CARD16 in the X protocol).
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A os/rpcauth.c | 4 ++++
1426N/A 1 file changed, 4 insertions(+)
1426N/A
1426N/Adiff --git a/os/rpcauth.c b/os/rpcauth.c
1426N/Aindex d60ea35..413cc61 100644
1426N/A--- a/os/rpcauth.c
1426N/A+++ b/os/rpcauth.c
1426N/A@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
1426N/A SVCXPRT xprt;
1426N/A
1426N/A temp_inmsg = malloc(len);
1426N/A+ if (temp_inmsg == NULL) {
1426N/A+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
1426N/A+ return NULL;
1426N/A+ }
1426N/A memmove(temp_inmsg, inmsg, len);
1426N/A
1426N/A memset((char *) &msg, 0, sizeof(msg));
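Review bot: The NULL check is right, but `len` is an `int` (see the signature in the hunk header) and is passed straight to `malloc` and `memmove`, so a negative value becomes a huge size_t and is rejected only because the allocation happens to fail. Rejecting it explicitly, `if (len <= 0) { why = AUTH_FAILED; return NULL; }` ahead of the `malloc`, makes the failure deterministic rather than allocator-dependent (use `len < 0` if a zero-length credential is legitimately possible here). `why` is not declared in the hunk; presumably it is the file-scope status the caller reads — confirm that returning NULL with it set matches the other failure paths of authdes_ezdecode.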
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom eeae42d60bf3d5663ea088581f6c28a82cd17829 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Wed, 22 Jan 2014 21:11:16 -0800
1426N/ASubject: [PATCH 05/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
1426N/A 1/4]
1426N/A
1426N/AProcPutImage() calculates a length field from a width, left pad and depth
1426N/Aspecified by the client (if the specified format is XYPixmap).
1426N/A
1426N/AThe calculations for the total amount of memory the server needs for the
1426N/Apixmap can overflow a 32-bit number, causing out-of-bounds memory writes
1426N/Aon 32-bit systems (since the length is stored in a long int variable).
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A dix/dispatch.c | 3 +++
1426N/A 1 file changed, 3 insertions(+)
1426N/A
1426N/Adiff --git a/dix/dispatch.c b/dix/dispatch.c
1426N/Aindex d844a09..55b978d 100644
1426N/A--- a/dix/dispatch.c
1426N/A+++ b/dix/dispatch.c
1426N/A@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
1426N/A tmpImage = (char *) &stuff[1];
1426N/A lengthProto = length;
1426N/A
1426N/A+ if (lengthProto >= (INT32_MAX / stuff->height))
1426N/A+ return BadLength;
1426N/A+
1426N/A if ((bytes_to_int32(lengthProto * stuff->height) +
1426N/A bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
1426N/A return BadLength;
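Review bot: `INT32_MAX / stuff->height` divides by a client-supplied field with no zero check, so a PutImage request with `height == 0` now raises SIGFPE in the server instead of being rejected; the three context lines above give no such guarantee and ProcPutImage begins before the hunk. Guard the divisor: `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength;` — with a zero height the product in the existing req_len comparison is 0 and that check handles it. A one-line comment such as `/* lengthProto * height must not overflow a 32-bit long */` would also make the purpose of the bound clear.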
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom bc8e20430b6f6378daf6ce4329029248a88af08b Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Mon, 6 Jan 2014 23:30:14 -0800
1426N/ASubject: [PATCH 06/40] dix: integer overflow in GetHosts() [CVE-2014-8092
1426N/A 2/4]
1426N/A
1426N/AGetHosts() iterates over all the hosts it has in memory, and copies
1426N/Athem to a buffer. The buffer length is calculated by iterating over
1426N/Aall the hosts and adding up all of their combined length. There is a
1426N/Apotential integer overflow, if there are lots and lots of hosts (with
1426N/Aa combined length of > ~4 gig). This should be possible by repeatedly
1426N/Acalling ProcChangeHosts() on 64bit machines with enough memory.
1426N/A
1426N/AThis patch caps the list at 1mb, because multi-megabyte hostname
1426N/Alists for X access control are insane.
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A os/access.c | 6 ++++++
1426N/A 1 file changed, 6 insertions(+)
1426N/A
1426N/Adiff --git a/os/access.c b/os/access.c
1426N/Aindex 5c510de..f393c8d 100644
1426N/A--- a/os/access.c
1426N/A+++ b/os/access.c
1426N/A@@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
1426N/A for (host = validhosts; host; host = host->next) {
1426N/A nHosts++;
1426N/A n += pad_to_int32(host->len) + sizeof(xHostEntry);
1426N/A+ /* Could check for INT_MAX, but in reality having more than 1mb of
1426N/A+ hostnames in the access list is ridiculous */
1426N/A+ if (n >= 1048576)
1426N/A+ break;
1426N/A }
1426N/A if (n) {
1426N/A *data = ptr = malloc(n);
1426N/A@@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
1426N/A }
1426N/A for (host = validhosts; host; host = host->next) {
1426N/A len = host->len;
1426N/A+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
1426N/A+ break;
1426N/A ((xHostEntry *) ptr)->family = host->family;
1426N/A ((xHostEntry *) ptr)->length = len;
1426N/A ptr += sizeof(xHostEntry);
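Review bot: The new bound compares `ptr` against `data + n`, but `data` is the `void **` out-parameter (see the hunk header), so this is the address of the caller's pointer advanced by `n` pointer-sized slots, not the end of the buffer that `*data = ptr = malloc(n)` allocated in the previous hunk; the comparison is against an unrelated address and can break early or never. It should be `if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) break;` (cast to match `ptr`'s declared type, which is outside the hunk). If the loop can break early, `*pnHosts` (assigned outside the hunk) should reflect the entries actually copied rather than the `nHosts` counted in the first loop, or the caller will read entries that were never written.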
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 97015a07b9e15d8ec5608b95d95ec0eb51202acb Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Wed, 22 Jan 2014 22:37:15 -0800
1426N/ASubject: [PATCH 07/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092
1426N/A 3/4]
1426N/A
1426N/ARegionSizeof contains several integer overflows if a large length
1426N/Avalue is passed in. Once we fix it to return 0 on overflow, we
1426N/Aalso have to fix the callers to handle this error condition
1426N/A
1426N/Av2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/A---
1426N/A dix/region.c | 20 +++++++++++++-------
1426N/A include/regionstr.h | 10 +++++++---
1426N/A 2 files changed, 20 insertions(+), 10 deletions(-)
1426N/A
1426N/Adiff --git a/dix/region.c b/dix/region.c
1426N/Aindex ce1014e..04e5901 100644
1426N/A--- a/dix/region.c
1426N/A+++ b/dix/region.c
1426N/A@@ -169,7 +169,6 @@ Equipment Corporation.
1426N/A ((r1)->y1 <= (r2)->y1) && \
1426N/A ((r1)->y2 >= (r2)->y2) )
1426N/A
1426N/A-#define xallocData(n) malloc(RegionSizeof(n))
1426N/A #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
1426N/A
1426N/A #define RECTALLOC_BAIL(pReg,n,bail) \
1426N/A@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
1426N/A #define DOWNSIZE(reg,numRects) \
1426N/A if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
1426N/A { \
1426N/A- RegDataPtr NewData; \
1426N/A- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
1426N/A+ size_t NewSize = RegionSizeof(numRects); \
1426N/A+ RegDataPtr NewData = \
1426N/A+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
1426N/A if (NewData) \
1426N/A { \
1426N/A NewData->size = (numRects); \
1426N/A@@ -345,17 +345,20 @@ Bool
1426N/A RegionRectAlloc(RegionPtr pRgn, int n)
1426N/A {
1426N/A RegDataPtr data;
1426N/A+ size_t rgnSize;
1426N/A
1426N/A if (!pRgn->data) {
1426N/A n++;
1426N/A- pRgn->data = xallocData(n);
1426N/A+ rgnSize = RegionSizeof(n);
1426N/A+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
1426N/A if (!pRgn->data)
1426N/A return RegionBreak(pRgn);
1426N/A pRgn->data->numRects = 1;
1426N/A *RegionBoxptr(pRgn) = pRgn->extents;
1426N/A }
1426N/A else if (!pRgn->data->size) {
1426N/A- pRgn->data = xallocData(n);
1426N/A+ rgnSize = RegionSizeof(n);
1426N/A+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
1426N/A if (!pRgn->data)
1426N/A return RegionBreak(pRgn);
1426N/A pRgn->data->numRects = 0;
1426N/A@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
1426N/A n = 250;
1426N/A }
1426N/A n += pRgn->data->numRects;
1426N/A- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
1426N/A+ rgnSize = RegionSizeof(n);
1426N/A+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
1426N/A if (!data)
1426N/A return RegionBreak(pRgn);
1426N/A pRgn->data = data;
1426N/A@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
1426N/A {
1426N/A
1426N/A RegionPtr pRgn;
1426N/A+ size_t rgnSize;
1426N/A RegDataPtr pData;
1426N/A BoxPtr pBox;
1426N/A int i;
1426N/A@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
1426N/A }
1426N/A return pRgn;
1426N/A }
1426N/A- pData = xallocData(nrects);
1426N/A+ rgnSize = RegionSizeof(nrects);
1426N/A+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
1426N/A if (!pData) {
1426N/A RegionBreak(pRgn);
1426N/A return pRgn;
1426N/Adiff --git a/include/regionstr.h b/include/regionstr.h
1426N/Aindex 515e93f..079375d 100644
1426N/A--- a/include/regionstr.h
1426N/A+++ b/include/regionstr.h
1426N/A@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
1426N/A static inline size_t
1426N/A RegionSizeof(size_t n)
1426N/A {
1426N/A- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
1426N/A+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
1426N/A+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
1426N/A+ else
1426N/A+ return 0;
1426N/A }
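Review bot: The overflow bound `n < (INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)` deliberately caps a region at INT_MAX bytes rather than SIZE_MAX, and the `return 0` sentinel is the contract every caller in dix/region.c now relies on, but neither is written down; a comment above the function such as `/* Returns 0 if the region would exceed INT_MAX bytes; callers must treat 0 as an allocation failure. */` keeps a future caller from using the result unchecked. Also confirm that this header includes `<limits.h>` (directly or transitively) for INT_MAX; the include block is outside the hunk.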
1426N/A
1426N/A static inline void
1426N/A@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
1426N/A (_pReg)->data = (RegDataPtr) NULL;
1426N/A }
1426N/A else {
1426N/A+ size_t rgnSize;
1426N/A (_pReg)->extents = RegionEmptyBox;
1426N/A- if (((_size) > 1) && ((_pReg)->data =
1426N/A- (RegDataPtr) malloc(RegionSizeof(_size)))) {
1426N/A+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
1426N/A+ (((_pReg)->data = (RegDataPtr) malloc(rgnSize)) != NULL)) {
1426N/A (_pReg)->data->size = (_size);
1426N/A (_pReg)->data->numRects = 0;
1426N/A }
1426N/A
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom e0e11644622a589129a01e11e5d105dc74a098de Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Wed, 22 Jan 2014 23:44:46 -0800
1426N/ASubject: [PATCH 08/40] dix: integer overflow in REQUEST_FIXED_SIZE()
1426N/A [CVE-2014-8092 4/4]
1426N/A
1426N/AForce use of 64-bit integers when evaluating data provided by clients
1426N/Ain 32-bit fields which can overflow when added or multiplied during
1426N/Achecks.
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A include/dix.h | 3 ++-
1426N/A 1 file changed, 2 insertions(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/include/dix.h b/include/dix.h
1426N/Aindex 991a3ce..e0c6ed8 100644
1426N/A--- a/include/dix.h
1426N/A+++ b/include/dix.h
1426N/A@@ -76,7 +76,8 @@ SOFTWARE.
1426N/A
1426N/A #define REQUEST_FIXED_SIZE(req, n)\
1426N/A if (((sizeof(req) >> 2) > client->req_len) || \
1426N/A- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
1426N/A+ ((n >> 2) >= client->req_len) || \
1426N/A+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
1426N/A return(BadLength)
1426N/A
1426N/A #define LEGAL_NEW_RESOURCE(id,client)\
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 6692670fde081bbfe9313f17d84037ae9116702a Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Wed, 22 Jan 2014 23:40:18 -0800
1426N/ASubject: [PATCH 09/40] dri2: integer overflow in ProcDRI2GetBuffers()
1426N/A [CVE-2014-8094]
1426N/A
1426N/AProcDRI2GetBuffers() tries to validate a length field (count).
1426N/AThere is an integer overflow in the validation. This can cause
1426N/Aout of bound reads and memory corruption later on.
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/A---
1426N/A hw/xfree86/dri2/dri2ext.c | 3 +++
1426N/A 1 file changed, 3 insertions(+)
1426N/A
1426N/Adiff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
1426N/Aindex ffd66fa..221ec53 100644
1426N/A--- a/hw/xfree86/dri2/dri2ext.c
1426N/A+++ b/hw/xfree86/dri2/dri2ext.c
1426N/A@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
1426N/A unsigned int *attachments;
1426N/A
1426N/A REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
1426N/A+ if (stuff->count > (INT_MAX / 4))
1426N/A+ return BadLength;
1426N/A+
1426N/A if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
1426N/A &pDrawable, &status))
1426N/A return status;
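Review bot: The `stuff->count > (INT_MAX / 4)` guard comes after `REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4)`, so the macro's length comparison is evaluated on a product that may already have wrapped (if `count` is an unsigned 32-bit field; its declaration is outside the hunk). Both checks return BadLength and neither touches memory, so the outcome is the same, but placing the overflow guard first keeps the macro from ever seeing a wrapped value and reads as intended; swap the two statements.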
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 2ef42519c41e793579c9cea699c866fee3d9321f Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Wed, 22 Jan 2014 23:12:04 -0800
1426N/ASubject: [PATCH 10/40] dbe: unvalidated lengths in DbeSwapBuffers calls
1426N/A [CVE-2014-8097]
1426N/A
1426N/AProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
1426N/Afrom a buffer. The length is never validated, which can lead to out of
1426N/Abound reads, and possibly returning the data read from out of bounds to
1426N/Athe misbehaving client via an X Error packet.
1426N/A
1426N/ASProcDbeSwapBuffers() swaps data (for correct endianness) before
1426N/Ahanding it off to the real proc. While doing the swapping, the
1426N/Alength field is not validated, which can cause memory corruption.
1426N/A
1426N/Av2: reorder checks to avoid compilers optimizing out checks for overflow
1426N/Athat happen after we'd already have done the overflowing multiplications.
1426N/A
1426N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A dbe/dbe.c | 11 ++++++++---
1426N/A 1 file changed, 8 insertions(+), 3 deletions(-)
1426N/A
1426N/Adiff --git a/dbe/dbe.c b/dbe/dbe.c
1426N/Aindex 527588c..df2ad5c 100644
1426N/A--- a/dbe/dbe.c
1426N/A+++ b/dbe/dbe.c
1426N/A@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
1426N/A DbeSwapInfoPtr swapInfo;
1426N/A xDbeSwapInfo *dbeSwapInfo;
1426N/A int error;
1426N/A- register int i, j;
1426N/A- int nStuff;
1426N/A+ unsigned int i, j;
1426N/A+ unsigned int nStuff;
1426N/A
1426N/A REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
1426N/A nStuff = stuff->n; /* use local variable for performance. */
1426N/A
1426N/A if (nStuff == 0) {
1426N/A+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
1426N/A return Success;
1426N/A }
1426N/A
1426N/A if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
1426N/A return BadAlloc;
1426N/A+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
1426N/A
1426N/A /* Get to the swap info appended to the end of the request. */
1426N/A dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
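Review bot: The overflow guard bounds `nStuff` by `UINT32_MAX / sizeof(DbeSwapInfoRec)`, but the size handed to `REQUEST_FIXED_SIZE` on the next line is `nStuff * sizeof(xDbeSwapInfo)`, a different struct; on a 32-bit `size_t` that product can still wrap if the wire struct is larger than the server-side record. Either bound against the larger of the two, or add a comment stating why one bound covers both, for example `/* DbeSwapInfoRec is at least as large as xDbeSwapInfo, so this bound also covers the request-size product */` once that has been verified against the definitions. SProcDbeSwapBuffers in the next hunk has the same pair of lines.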
1426N/A@@ -914,13 +916,16 @@ static int
1426N/A SProcDbeSwapBuffers(ClientPtr client)
1426N/A {
1426N/A REQUEST(xDbeSwapBuffersReq);
1426N/A- register int i;
1426N/A+ unsigned int i;
1426N/A xDbeSwapInfo *pSwapInfo;
1426N/A
1426N/A swaps(&stuff->length);
1426N/A REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
1426N/A
1426N/A swapl(&stuff->n);
1426N/A+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
1426N/A+ return BadAlloc;
1426N/A+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
1426N/A
1426N/A if (stuff->n != 0) {
1426N/A pSwapInfo = (xDbeSwapInfo *) stuff + 1;
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 73c63afb93c0af1bfd1969bf6e71c9edca586c77 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 26 Jan 2014 10:54:41 -0800
1426N/ASubject: [PATCH 11/40] Xi: unvalidated lengths in Xinput extension
1426N/A [CVE-2014-8095]
1426N/A
1426N/AMultiple functions in the Xinput extension handling of requests from
1426N/Aclients failed to check that the length of the request sent by the
1426N/Aclient was large enough to perform all the required operations and
1426N/Athus could read or write to memory outside the bounds of the request
1426N/Abuffer.
1426N/A
1426N/AThis commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
1426N/Amacro in include/dix.h for the common case of needing to ensure a
1426N/Arequest is large enough to include both the request itself and a
1426N/Aminimum amount of extra data following the request header.
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A Xi/chgdctl.c | 8 ++++++--
1426N/A Xi/chgfctl.c | 2 ++
1426N/A Xi/sendexev.c | 3 +++
1426N/A Xi/xiallowev.c | 2 ++
1426N/A Xi/xichangecursor.c | 2 +-
1426N/A Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++---
1426N/A Xi/xigetclientpointer.c | 1 +
1426N/A Xi/xigrabdev.c | 9 ++++++++-
1426N/A Xi/xipassivegrab.c | 12 ++++++++++--
1426N/A Xi/xiproperty.c | 14 ++++++--------
1426N/A Xi/xiquerydevice.c | 1 +
1426N/A Xi/xiquerypointer.c | 2 ++
1426N/A Xi/xiselectev.c | 8 ++++++++
1426N/A Xi/xisetclientpointer.c | 3 ++-
1426N/A Xi/xisetdevfocus.c | 4 ++++
1426N/A Xi/xiwarppointer.c | 2 ++
1426N/A include/dix.h | 4 ++++
1426N/A 17 files changed, 94 insertions(+), 18 deletions(-)
1426N/A
1426N/Adiff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
1426N/Aindex d078aa2..b3ee867 100644
1426N/A--- a/Xi/chgdctl.c
1426N/A+++ b/Xi/chgdctl.c
1426N/A@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
1426N/A
1426N/A REQUEST(xChangeDeviceControlReq);
1426N/A swaps(&stuff->length);
1426N/A- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
1426N/A+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
1426N/A swaps(&stuff->control);
1426N/A ctl = (xDeviceCtl *) &stuff[1];
1426N/A swaps(&ctl->control);
1426N/A@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
1426N/A xDeviceEnableCtl *e;
1426N/A
1426N/A REQUEST(xChangeDeviceControlReq);
1426N/A- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
1426N/A+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
1426N/A
1426N/A len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
1426N/A ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
1426N/A@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
1426N/A break;
1426N/A case DEVICE_ENABLE:
1426N/A e = (xDeviceEnableCtl *) &stuff[1];
1426N/A+ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
1426N/A+ ret = BadLength;
1426N/A+ goto out;
1426N/A+ }
1426N/A
1426N/A if (IsXTestDevice(dev, NULL))
1426N/A status = !Success;
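Review bot: The new length check is written with a redundant outer pair of parentheses, `if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl))))`, which reads like the idiom used to mark an intentional assignment inside a condition and so misleads; write it `if (len != bytes_to_int32(sizeof(xDeviceEnableCtl))) {`. Placing the check before the `e = (xDeviceEnableCtl *) &stuff[1];` assignment would also make it clear that `e` is only formed once the request is known to be large enough.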
1426N/Adiff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
1426N/Aindex 6dcf60c..224c2ba 100644
1426N/A--- a/Xi/chgfctl.c
1426N/A+++ b/Xi/chgfctl.c
1426N/A@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
1426N/A xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
1426N/A
1426N/A if (client->swapped) {
1426N/A+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
1426N/A+ return BadLength;
1426N/A swaps(&f->num_keysyms);
1426N/A }
1426N/A if (len !=
1426N/Adiff --git a/Xi/sendexev.c b/Xi/sendexev.c
1426N/Aindex 3c21386..183f88d 100644
1426N/A--- a/Xi/sendexev.c
1426N/A+++ b/Xi/sendexev.c
1426N/A@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
1426N/A if (ret != Success)
1426N/A return ret;
1426N/A
1426N/A+ if (stuff->num_events == 0)
1426N/A+ return ret;
1426N/A+
1426N/A /* The client's event type must be one defined by an extension. */
1426N/A
1426N/A first = ((xEvent *) &stuff[1]);
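Review bot: `return ret;` in the new `stuff->num_events == 0` guard relies on the reader noticing that the `ret != Success` check just above forces `ret` to be Success at that point; `return Success;` states the intent directly and survives a later reordering of the checks. Placing the guard before `first = ((xEvent *) &stuff[1]);` is right, since with zero events there is no event to read. ProcXSendExtensionEvent continues outside this hunk.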
1426N/Adiff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
1426N/Aindex ebef233..ca263ef 100644
1426N/A--- a/Xi/xiallowev.c
1426N/A+++ b/Xi/xiallowev.c
1426N/A@@ -48,6 +48,7 @@ int
1426N/A SProcXIAllowEvents(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIAllowEventsReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
1426N/A if (stuff->length > 3) {
1426N/A xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
1426N/A
1426N/A+ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
1426N/A swapl(&req_xi22->touchid);
1426N/A swapl(&req_xi22->grab_window);
1426N/A }
1426N/Adiff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
1426N/Aindex 7a1bb7a..8e6255b 100644
1426N/A--- a/Xi/xichangecursor.c
1426N/A+++ b/Xi/xichangecursor.c
1426N/A@@ -57,11 +57,11 @@ int
1426N/A SProcXIChangeCursor(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIChangeCursorReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->win);
1426N/A swapl(&stuff->cursor);
1426N/A swaps(&stuff->deviceid);
1426N/A- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
1426N/A return (ProcXIChangeCursor(client));
1426N/A }
1426N/A
1426N/Adiff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
1426N/Aindex 9e36354..2732445 100644
1426N/A--- a/Xi/xichangehierarchy.c
1426N/A+++ b/Xi/xichangehierarchy.c
1426N/A@@ -411,7 +411,7 @@ int
1426N/A ProcXIChangeHierarchy(ClientPtr client)
1426N/A {
1426N/A xXIAnyHierarchyChangeInfo *any;
1426N/A- int required_len = sizeof(xXIChangeHierarchyReq);
1426N/A+ size_t len; /* length of data remaining in request */
1426N/A int rc = Success;
1426N/A int flags[MAXDEVICES] = { 0 };
1426N/A
1426N/A@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
1426N/A if (!stuff->num_changes)
1426N/A return rc;
1426N/A
1426N/A+ if (stuff->length > (INT_MAX >> 2))
1426N/A+ return BadAlloc;
1426N/A+ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
1426N/A+
1426N/A any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
1426N/A while (stuff->num_changes--) {
1426N/A+ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
1426N/A+ rc = BadLength;
1426N/A+ goto unwind;
1426N/A+ }
1426N/A+
1426N/A SWAPIF(swaps(&any->type));
1426N/A SWAPIF(swaps(&any->length));
1426N/A
1426N/A- required_len += any->length;
1426N/A- if ((stuff->length * 4) < required_len)
1426N/A+ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
1426N/A return BadLength;
1426N/A
1426N/A+#define CHANGE_SIZE_MATCH(type) \
1426N/A+ do { \
1426N/A+ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
1426N/A+ rc = BadLength; \
1426N/A+ goto unwind; \
1426N/A+ } \
1426N/A+ } while(0)
1426N/A+
1426N/A switch (any->type) {
1426N/A case XIAddMaster:
1426N/A {
1426N/A xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
1426N/A
1426N/A+ /* Variable length, due to appended name string */
1426N/A+ if (len < sizeof(xXIAddMasterInfo)) {
1426N/A+ rc = BadLength;
1426N/A+ goto unwind;
1426N/A+ }
1426N/A SWAPIF(swaps(&c->name_len));
1426N/A+ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
1426N/A+ rc = BadLength;
1426N/A+ goto unwind;
1426N/A+ }
1426N/A
1426N/A rc = add_master(client, c, flags);
1426N/A if (rc != Success)
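Review bot: `len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);` subtracts the size of one change record rather than of the request header; the removed line used `sizeof(xXIChangeHierarchyReq)` for the header, so unless the two structs happen to be the same size `len` overstates the bytes following the header by the difference, and `len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);` looks like what was meant. The `(any->length > (INT_MAX >> 2)) || (len < (any->length << 2))` check still does a bare `return BadLength;` while every check added around it uses `rc = BadLength; goto unwind;`, so changes already applied in earlier loop iterations are not unwound on that path. This `len`, like the `len` in the Xi/xiselectev.c hunk, is derived from the client-supplied `stuff->length`, whereas the dix.h macros in this same patch compare against `client->req_len`; if the two can differ for a given request, deriving `len` from `client->req_len` keeps the checks consistent. `CHANGE_SIZE_MATCH` is defined inside the function body with no matching `#undef` after the switch.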
1426N/A@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
1426N/A {
1426N/A xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
1426N/A
1426N/A+ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
1426N/A rc = remove_master(client, r, flags);
1426N/A if (rc != Success)
1426N/A goto unwind;
1426N/A@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
1426N/A {
1426N/A xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
1426N/A
1426N/A+ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
1426N/A rc = detach_slave(client, c, flags);
1426N/A if (rc != Success)
1426N/A goto unwind;
1426N/A@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
1426N/A {
1426N/A xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
1426N/A
1426N/A+ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
1426N/A rc = attach_slave(client, c, flags);
1426N/A if (rc != Success)
1426N/A goto unwind;
1426N/A@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
1426N/A break;
1426N/A }
1426N/A
1426N/A+ len -= any->length * 4;
1426N/A any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
1426N/A }
1426N/A
1426N/Adiff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
1426N/Aindex 3c90d58..306dd39 100644
1426N/A--- a/Xi/xigetclientpointer.c
1426N/A+++ b/Xi/xigetclientpointer.c
1426N/A@@ -50,6 +50,7 @@ int
1426N/A SProcXIGetClientPointer(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIGetClientPointerReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->win);
1426N/Adiff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
1426N/Aindex 63d95bc..e2a2ae3 100644
1426N/A--- a/Xi/xigrabdev.c
1426N/A+++ b/Xi/xigrabdev.c
1426N/A@@ -47,6 +47,11 @@ int
1426N/A SProcXIGrabDevice(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIGrabDeviceReq);
1426N/A+ /*
1426N/A+ * Check here for at least the length of the struct we swap, then
1426N/A+ * let ProcXIGrabDevice check the full size after we swap mask_len.
1426N/A+ */
1426N/A+ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
1426N/A unsigned int pointer_mode;
1426N/A
1426N/A REQUEST(xXIGrabDeviceReq);
1426N/A- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
1426N/A+ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
1426N/A
1426N/A ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
1426N/A if (ret != Success)
1426N/A@@ -131,6 +136,7 @@ int
1426N/A SProcXIUngrabDevice(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIUngrabDeviceReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
1426N/A TimeStamp time;
1426N/A
1426N/A REQUEST(xXIUngrabDeviceReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
1426N/A
1426N/A ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
1426N/A if (ret != Success)
1426N/Adiff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
1426N/Aindex 700622d..9241ffd 100644
1426N/A--- a/Xi/xipassivegrab.c
1426N/A+++ b/Xi/xipassivegrab.c
1426N/A@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
1426N/A uint32_t *mods;
1426N/A
1426N/A REQUEST(xXIPassiveGrabDeviceReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
1426N/A swaps(&stuff->mask_len);
1426N/A swaps(&stuff->num_modifiers);
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
1426N/A+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
1426N/A mods = (uint32_t *) &stuff[1] + stuff->mask_len;
1426N/A
1426N/A for (i = 0; i < stuff->num_modifiers; i++, mods++) {
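Review bot: `((uint32_t) stuff->mask_len + stuff->num_modifiers) *4` is spaced differently from the otherwise identical expression in the ProcXIPassiveGrabDevice hunk below (`* 4`); writing `* 4` here keeps the two copies textually identical and easier to compare. SProcXIPassiveGrabDevice continues outside this hunk.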
1426N/A@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
1426N/A int mask_len;
1426N/A
1426N/A REQUEST(xXIPassiveGrabDeviceReq);
1426N/A- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
1426N/A+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
1426N/A+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
1426N/A
1426N/A if (stuff->deviceid == XIAllDevices)
1426N/A dev = inputInfo.all_devices;
1426N/A@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
1426N/A uint32_t *modifiers;
1426N/A
1426N/A REQUEST(xXIPassiveUngrabDeviceReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->grab_window);
1426N/A@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
1426N/A swapl(&stuff->detail);
1426N/A swaps(&stuff->num_modifiers);
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
1426N/A+ ((uint32_t) stuff->num_modifiers) << 2);
1426N/A modifiers = (uint32_t *) &stuff[1];
1426N/A
1426N/A for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
1426N/A@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
1426N/A int i, rc;
1426N/A
1426N/A REQUEST(xXIPassiveUngrabDeviceReq);
1426N/A- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
1426N/A+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
1426N/A+ ((uint32_t) stuff->num_modifiers) << 2);
1426N/A
1426N/A if (stuff->deviceid == XIAllDevices)
1426N/A dev = inputInfo.all_devices;
1426N/Adiff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
1426N/Aindex 463607d..8e8e4b0 100644
1426N/A--- a/Xi/xiproperty.c
1426N/A+++ b/Xi/xiproperty.c
1426N/A@@ -1013,10 +1013,9 @@ int
1426N/A SProcXListDeviceProperties(ClientPtr client)
1426N/A {
1426N/A REQUEST(xListDevicePropertiesReq);
1426N/A+ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A-
1426N/A- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
1426N/A return (ProcXListDeviceProperties(client));
1426N/A }
1426N/A
1426N/A@@ -1037,10 +1036,10 @@ int
1426N/A SProcXDeleteDeviceProperty(ClientPtr client)
1426N/A {
1426N/A REQUEST(xDeleteDevicePropertyReq);
1426N/A+ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->property);
1426N/A- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
1426N/A return (ProcXDeleteDeviceProperty(client));
1426N/A }
1426N/A
1426N/A@@ -1048,13 +1047,13 @@ int
1426N/A SProcXGetDeviceProperty(ClientPtr client)
1426N/A {
1426N/A REQUEST(xGetDevicePropertyReq);
1426N/A+ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->property);
1426N/A swapl(&stuff->type);
1426N/A swapl(&stuff->longOffset);
1426N/A swapl(&stuff->longLength);
1426N/A- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
1426N/A return (ProcXGetDeviceProperty(client));
1426N/A }
1426N/A
1426N/A@@ -1253,11 +1252,10 @@ int
1426N/A SProcXIListProperties(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIListPropertiesReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A-
1426N/A- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
1426N/A return (ProcXIListProperties(client));
1426N/A }
1426N/A
1426N/A@@ -1279,11 +1277,11 @@ int
1426N/A SProcXIDeleteProperty(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIDeletePropertyReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A swapl(&stuff->property);
1426N/A- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
1426N/A return (ProcXIDeleteProperty(client));
1426N/A }
1426N/A
1426N/A@@ -1291,6 +1289,7 @@ int
1426N/A SProcXIGetProperty(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIGetPropertyReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
1426N/A swapl(&stuff->type);
1426N/A swapl(&stuff->offset);
1426N/A swapl(&stuff->len);
1426N/A- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
1426N/A return (ProcXIGetProperty(client));
1426N/A }
1426N/A
1426N/Adiff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
1426N/Aindex 4e544f0..67a9a4f 100644
1426N/A--- a/Xi/xiquerydevice.c
1426N/A+++ b/Xi/xiquerydevice.c
1426N/A@@ -54,6 +54,7 @@ int
1426N/A SProcXIQueryDevice(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIQueryDeviceReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/Adiff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
1426N/Aindex e9bdd42..7ec0c85 100644
1426N/A--- a/Xi/xiquerypointer.c
1426N/A+++ b/Xi/xiquerypointer.c
1426N/A@@ -63,6 +63,8 @@ int
1426N/A SProcXIQueryPointer(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIQueryPointerReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
1426N/A+
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A swapl(&stuff->win);
1426N/Adiff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
1426N/Aindex 45a996e..168579f 100644
1426N/A--- a/Xi/xiselectev.c
1426N/A+++ b/Xi/xiselectev.c
1426N/A@@ -114,6 +114,7 @@ int
1426N/A SProcXISelectEvents(ClientPtr client)
1426N/A {
1426N/A int i;
1426N/A+ int len;
1426N/A xXIEventMask *evmask;
1426N/A
1426N/A REQUEST(xXISelectEventsReq);
1426N/A@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
1426N/A swapl(&stuff->win);
1426N/A swaps(&stuff->num_masks);
1426N/A
1426N/A+ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
1426N/A evmask = (xXIEventMask *) &stuff[1];
1426N/A for (i = 0; i < stuff->num_masks; i++) {
1426N/A+ if (len < bytes_to_int32(sizeof(xXIEventMask)))
1426N/A+ return BadLength;
1426N/A+ len -= bytes_to_int32(sizeof(xXIEventMask));
1426N/A swaps(&evmask->deviceid);
1426N/A swaps(&evmask->mask_len);
1426N/A+ if (len < evmask->mask_len)
1426N/A+ return BadLength;
1426N/A+ len -= evmask->mask_len;
1426N/A evmask =
1426N/A (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
1426N/A }
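Review bot: The unit of the new `len` is not stated, and `if (len < evmask->mask_len)` is only correct because both are counted in 4-byte words (the pointer advance on the last line multiplies `mask_len` by 4); a comment on the `len =` line such as `/* remaining request length in 4-byte units, the same unit as mask_len */` would spare the next reader that derivation. SProcXISelectEvents starts outside this hunk.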
1426N/Adiff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
1426N/Aindex 38ff51e..24d4a53 100644
1426N/A--- a/Xi/xisetclientpointer.c
1426N/A+++ b/Xi/xisetclientpointer.c
1426N/A@@ -51,10 +51,11 @@ int
1426N/A SProcXISetClientPointer(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXISetClientPointerReq);
1426N/A+ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
1426N/A+
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->win);
1426N/A swaps(&stuff->deviceid);
1426N/A- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
1426N/A return (ProcXISetClientPointer(client));
1426N/A }
1426N/A
1426N/Adiff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
1426N/Aindex 372ec24..96a9a16 100644
1426N/A--- a/Xi/xisetdevfocus.c
1426N/A+++ b/Xi/xisetdevfocus.c
1426N/A@@ -44,6 +44,8 @@ int
1426N/A SProcXISetFocus(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXISetFocusReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
1426N/A+
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A swapl(&stuff->focus);
1426N/A@@ -56,6 +58,8 @@ int
1426N/A SProcXIGetFocus(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIGetFocusReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
1426N/A+
1426N/A swaps(&stuff->length);
1426N/A swaps(&stuff->deviceid);
1426N/A
1426N/Adiff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
1426N/Aindex 3f051f7..780758a 100644
1426N/A--- a/Xi/xiwarppointer.c
1426N/A+++ b/Xi/xiwarppointer.c
1426N/A@@ -56,6 +56,8 @@ int
1426N/A SProcXIWarpPointer(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXIWarpPointerReq);
1426N/A+ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
1426N/A+
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->src_win);
1426N/A swapl(&stuff->dst_win);
1426N/Adiff --git a/include/dix.h b/include/dix.h
1426N/Aindex e0c6ed8..21176a8 100644
1426N/A--- a/include/dix.h
1426N/A+++ b/include/dix.h
1426N/A@@ -74,6 +74,10 @@ SOFTWARE.
1426N/A if ((sizeof(req) >> 2) > client->req_len )\
1426N/A return(BadLength)
1426N/A
1426N/A+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
1426N/A+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
1426N/A+ return(BadLength)
1426N/A+
1426N/A #define REQUEST_FIXED_SIZE(req, n)\
1426N/A if (((sizeof(req) >> 2) > client->req_len) || \
1426N/A ((n >> 2) >= client->req_len) || \
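Review bot: In `REQUEST_AT_LEAST_EXTRA_SIZE` the cast is written `((uint64_t) extra)`, so an argument that is an expression with an operator of lower precedence than a cast (a conditional expression, for instance) is parsed differently from what the caller wrote; the present call sites pass `sizeof(xDeviceCtl)`, but as a public header macro it should read `((uint64_t) (extra))`. The `if ... return(BadLength)` form without a `do { } while (0)` wrapper matches the neighbouring macros, so that part is consistent with the file.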
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 7553082b9b883b5f130044f3d53bce2f0b660e52 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 26 Jan 2014 17:18:54 -0800
1426N/ASubject: [PATCH 12/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
1426N/A [CVE-2014-8096]
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A Xext/xcmisc.c | 1 +
1426N/A 1 file changed, 1 insertion(+)
1426N/A
1426N/Adiff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
1426N/Aindex 034bfb6..1e91010 100644
1426N/A--- a/Xext/xcmisc.c
1426N/A+++ b/Xext/xcmisc.c
1426N/A@@ -167,6 +167,7 @@ static int
1426N/A SProcXCMiscGetXIDList(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXCMiscGetXIDListReq);
1426N/A+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
1426N/A
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->count);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 26 Jan 2014 19:23:17 -0800
1426N/ASubject: [PATCH 13/40] Xv: unvalidated lengths in XVideo extension swapped
1426N/A procs [CVE-2014-8099]
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A Xext/xvdisp.c | 20 ++++++++++++++++++++
1426N/A 1 file changed, 20 insertions(+)
1426N/A
1426N/Adiff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
1426N/Aindex 86f982a..c2d0fc9 100644
1426N/A--- a/Xext/xvdisp.c
1426N/A+++ b/Xext/xvdisp.c
1426N/A@@ -1121,6 +1121,7 @@ static int
1426N/A SProcXvQueryExtension(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvQueryExtensionReq);
1426N/A+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
1426N/A swaps(&stuff->length);
1426N/A return XvProcVector[xv_QueryExtension] (client);
1426N/A }
1426N/A@@ -1129,6 +1130,7 @@ static int
1426N/A SProcXvQueryAdaptors(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvQueryAdaptorsReq);
1426N/A+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->window);
1426N/A return XvProcVector[xv_QueryAdaptors] (client);
1426N/A@@ -1138,6 +1140,7 @@ static int
1426N/A SProcXvQueryEncodings(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvQueryEncodingsReq);
1426N/A+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A return XvProcVector[xv_QueryEncodings] (client);
1426N/A@@ -1147,6 +1150,7 @@ static int
1426N/A SProcXvGrabPort(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvGrabPortReq);
1426N/A+ REQUEST_SIZE_MATCH(xvGrabPortReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->time);
1426N/A@@ -1157,6 +1161,7 @@ static int
1426N/A SProcXvUngrabPort(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvUngrabPortReq);
1426N/A+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->time);
1426N/A@@ -1167,6 +1172,7 @@ static int
1426N/A SProcXvPutVideo(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvPutVideoReq);
1426N/A+ REQUEST_SIZE_MATCH(xvPutVideoReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1186,6 +1192,7 @@ static int
1426N/A SProcXvPutStill(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvPutStillReq);
1426N/A+ REQUEST_SIZE_MATCH(xvPutStillReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1205,6 +1212,7 @@ static int
1426N/A SProcXvGetVideo(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvGetVideoReq);
1426N/A+ REQUEST_SIZE_MATCH(xvGetVideoReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1224,6 +1232,7 @@ static int
1426N/A SProcXvGetStill(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvGetStillReq);
1426N/A+ REQUEST_SIZE_MATCH(xvGetStillReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1243,6 +1252,7 @@ static int
1426N/A SProcXvPutImage(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvPutImageReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1266,6 +1276,7 @@ static int
1426N/A SProcXvShmPutImage(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvShmPutImageReq);
1426N/A+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1293,6 +1304,7 @@ static int
1426N/A SProcXvSelectVideoNotify(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvSelectVideoNotifyReq);
1426N/A+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->drawable);
1426N/A return XvProcVector[xv_SelectVideoNotify] (client);
1426N/A@@ -1302,6 +1314,7 @@ static int
1426N/A SProcXvSelectPortNotify(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvSelectPortNotifyReq);
1426N/A+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A return XvProcVector[xv_SelectPortNotify] (client);
1426N/A@@ -1311,6 +1324,7 @@ static int
1426N/A SProcXvStopVideo(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvStopVideoReq);
1426N/A+ REQUEST_SIZE_MATCH(xvStopVideoReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -1321,6 +1335,7 @@ static int
1426N/A SProcXvSetPortAttribute(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvSetPortAttributeReq);
1426N/A+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->attribute);
1426N/A@@ -1332,6 +1347,7 @@ static int
1426N/A SProcXvGetPortAttribute(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvGetPortAttributeReq);
1426N/A+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->attribute);
1426N/A@@ -1342,6 +1358,7 @@ static int
1426N/A SProcXvQueryBestSize(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvQueryBestSizeReq);
1426N/A+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swaps(&stuff->vid_w);
1426N/A@@ -1355,6 +1372,7 @@ static int
1426N/A SProcXvQueryPortAttributes(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvQueryPortAttributesReq);
1426N/A+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A return XvProcVector[xv_QueryPortAttributes] (client);
1426N/A@@ -1364,6 +1382,7 @@ static int
1426N/A SProcXvQueryImageAttributes(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvQueryImageAttributesReq);
1426N/A+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A swapl(&stuff->id);
1426N/A@@ -1376,6 +1395,7 @@ static int
1426N/A SProcXvListImageFormats(ClientPtr client)
1426N/A {
1426N/A REQUEST(xvListImageFormatsReq);
1426N/A+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->port);
1426N/A return XvProcVector[xv_ListImageFormats] (client);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/A### [PATCH 14/40] dri3: unvalidated lengths in DRI3 extension swapped procs
1426N/A### [CVE-2014-8103 1/2]
1426N/A### skipped for 1.14 backport since DRI3 wasn't introduced until 1.15
1426N/A
1426N/A### [PATCH 15/40] present: unvalidated lengths in Present extension procs
1426N/A### [CVE-2014-8103 2/2]
1426N/A### skipped for 1.14 backport since present wasn't introduced until 1.15
1426N/A
1426N/AFrom 3df2fcf12499ebdb26b9b67419ea485a42041f33 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 26 Jan 2014 19:38:09 -0800
1426N/ASubject: [PATCH 16/40] randr: unvalidated lengths in RandR extension swapped
1426N/A procs [CVE-2014-8101]
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A randr/rrsdispatch.c | 4 ++++
1426N/A 1 file changed, 4 insertions(+)
1426N/A
1426N/Adiff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
1426N/Aindex 08c3b6a..47558cf 100644
1426N/A--- a/randr/rrsdispatch.c
1426N/A+++ b/randr/rrsdispatch.c
1426N/A@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRRQueryVersionReq);
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->majorVersion);
1426N/A swapl(&stuff->minorVersion);
1426N/A@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRRGetScreenInfoReq);
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->window);
1426N/A return (*ProcRandrVector[stuff->randrReqType]) (client);
1426N/A@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRRSelectInputReq);
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->window);
1426N/A swaps(&stuff->enable);
1426N/A@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRRConfigureOutputPropertyReq);
1426N/A
1426N/A+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->output);
1426N/A swapl(&stuff->property);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 Mon Sep 17 00:00:00 2001
1426N/AFrom: Julien Cristau <jcristau@debian.org>
1426N/ADate: Tue, 28 Oct 2014 10:30:04 +0100
1426N/ASubject: [PATCH 17/40] render: check request size before reading it
1426N/A [CVE-2014-8100 1/2]
1426N/A
1426N/AOtherwise we may be reading outside of the client request.
1426N/A
1426N/ASigned-off-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A render/render.c | 4 ++--
1426N/A 1 file changed, 2 insertions(+), 2 deletions(-)
1426N/A
1426N/Adiff --git a/render/render.c b/render/render.c
1426N/Aindex e3031da..200e0c8 100644
1426N/A--- a/render/render.c
1426N/A+++ b/render/render.c
1426N/A@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
1426N/A
1426N/A REQUEST(xRenderQueryVersionReq);
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
1426N/A+
1426N/A pRenderClient->major_version = stuff->majorVersion;
1426N/A pRenderClient->minor_version = stuff->minorVersion;
1426N/A
1426N/A- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
1426N/A-
1426N/A if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
1426N/A (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
1426N/A rep.majorVersion = stuff->majorVersion;
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 26 Jan 2014 19:51:29 -0800
1426N/ASubject: [PATCH 18/40] render: unvalidated lengths in Render extn. swapped
1426N/A procs [CVE-2014-8100 2/2]
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A render/render.c | 16 +++++++++++++++-
1426N/A 1 file changed, 15 insertions(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/render/render.c b/render/render.c
1426N/Aindex 200e0c8..723f380 100644
1426N/A--- a/render/render.c
1426N/A+++ b/render/render.c
1426N/A@@ -1995,7 +1995,7 @@ static int
1426N/A SProcRenderQueryVersion(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderQueryVersionReq);
1426N/A-
1426N/A+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->majorVersion);
1426N/A swapl(&stuff->minorVersion);
1426N/A@@ -2006,6 +2006,7 @@ static int
1426N/A SProcRenderQueryPictFormats(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderQueryPictFormatsReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
1426N/A swaps(&stuff->length);
1426N/A return (*ProcRenderVector[stuff->renderReqType]) (client);
1426N/A }
1426N/A@@ -2014,6 +2015,7 @@ static int
1426N/A SProcRenderQueryPictIndexValues(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderQueryPictIndexValuesReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->format);
1426N/A return (*ProcRenderVector[stuff->renderReqType]) (client);
1426N/A@@ -2029,6 +2031,7 @@ static int
1426N/A SProcRenderCreatePicture(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderCreatePictureReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->pid);
1426N/A swapl(&stuff->drawable);
1426N/A@@ -2042,6 +2045,7 @@ static int
1426N/A SProcRenderChangePicture(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderChangePictureReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->picture);
1426N/A swapl(&stuff->mask);
1426N/A@@ -2053,6 +2057,7 @@ static int
1426N/A SProcRenderSetPictureClipRectangles(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderSetPictureClipRectanglesReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->picture);
1426N/A swaps(&stuff->xOrigin);
1426N/A@@ -2065,6 +2070,7 @@ static int
1426N/A SProcRenderFreePicture(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderFreePictureReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->picture);
1426N/A return (*ProcRenderVector[stuff->renderReqType]) (client);
1426N/A@@ -2074,6 +2080,7 @@ static int
1426N/A SProcRenderComposite(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderCompositeReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->src);
1426N/A swapl(&stuff->mask);
1426N/A@@ -2093,6 +2100,7 @@ static int
1426N/A SProcRenderScale(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderScaleReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderScaleReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->src);
1426N/A swapl(&stuff->dst);
1426N/A@@ -2193,6 +2201,7 @@ static int
1426N/A SProcRenderCreateGlyphSet(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderCreateGlyphSetReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->gsid);
1426N/A swapl(&stuff->format);
1426N/A@@ -2203,6 +2212,7 @@ static int
1426N/A SProcRenderReferenceGlyphSet(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderReferenceGlyphSetReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->gsid);
1426N/A swapl(&stuff->existing);
1426N/A@@ -2213,6 +2223,7 @@ static int
1426N/A SProcRenderFreeGlyphSet(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderFreeGlyphSetReq);
1426N/A+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->glyphset);
1426N/A return (*ProcRenderVector[stuff->renderReqType]) (client);
1426N/A@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
1426N/A xGlyphInfo *gi;
1426N/A
1426N/A REQUEST(xRenderAddGlyphsReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->glyphset);
1426N/A swapl(&stuff->nglyphs);
1426N/A@@ -2261,6 +2273,7 @@ static int
1426N/A SProcRenderFreeGlyphs(ClientPtr client)
1426N/A {
1426N/A REQUEST(xRenderFreeGlyphsReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->glyphset);
1426N/A SwapRestL(stuff);
1426N/A@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
1426N/A int size;
1426N/A
1426N/A REQUEST(xRenderCompositeGlyphsReq);
1426N/A+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
1426N/A
1426N/A switch (stuff->renderReqType) {
1426N/A default:
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom a0ece23a8bd300c8be10812d368dc8058c97c63e Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 26 Jan 2014 20:02:20 -0800
1426N/ASubject: [PATCH 19/40] xfixes: unvalidated length in
1426N/A SProcXFixesSelectSelectionInput [CVE-2014-8102]
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A xfixes/select.c | 1 +
1426N/A 1 file changed, 1 insertion(+)
1426N/A
1426N/Adiff --git a/xfixes/select.c b/xfixes/select.c
1426N/Aindex c088ed3..e964d58 100644
1426N/A--- a/xfixes/select.c
1426N/A+++ b/xfixes/select.c
1426N/A@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
1426N/A {
1426N/A REQUEST(xXFixesSelectSelectionInputReq);
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
1426N/A swaps(&stuff->length);
1426N/A swapl(&stuff->window);
1426N/A swapl(&stuff->selection);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom d153a85f7478a7a67ccb02fbca6390b0ab1732ee Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 9 Feb 2014 21:27:27 -0800
1426N/ASubject: [PATCH 20/40] Add request length checking test cases for some Xinput
1426N/A 1.x requests
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A configure.ac | 1 +
1426N/A test/Makefile.am | 2 +-
1426N/A test/xi1/Makefile.am | 34 +++++++++
1426N/A test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++++++++++++
1426N/A 4 files changed, 158 insertions(+), 1 deletion(-)
1426N/A create mode 100644 test/xi1/Makefile.am
1426N/A create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
1426N/A
1426N/Adiff --git a/configure.ac b/configure.ac
1426N/Aindex 140e33e..96524c5 100644
1426N/A--- a/configure.ac
1426N/A+++ b/configure.ac
1426N/A@@ -2621,6 +2621,7 @@ hw/kdrive/linux/Makefile
1426N/A hw/kdrive/linux/Makefile
1426N/A hw/kdrive/src/Makefile
1426N/A test/Makefile
1426N/A+test/xi1/Makefile
1426N/A test/xi2/Makefile
1426N/A xserver.ent
1426N/A xorg-server.pc
1426N/Adiff --git a/test/Makefile.am b/test/Makefile.am
1426N/Aindex 8344276..82578d9 100644
1426N/A--- a/test/Makefile.am
1426N/A+++ b/test/Makefile.am
1426N/A@@ -4,7 +4,7 @@ noinst_PROGRAMS = list string
1426N/A if XORG
1426N/A # Tests that require at least some DDX functions in order to fully link
1426N/A # For now, requires xf86 ddx, could be adjusted to use another
1426N/A-SUBDIRS += xi2
1426N/A+SUBDIRS += xi1 xi2
1426N/A noinst_PROGRAMS += xkb input xtest misc fixes xfree86 hashtabletest os signal-logging
1426N/A endif
1426N/A check_LTLIBRARIES = libxservertest.la
1426N/Adiff --git a/test/xi1/Makefile.am b/test/xi1/Makefile.am
1426N/Anew file mode 100644
1426N/Aindex 0000000..907fa7a
1426N/A--- /dev/null
1426N/A+++ b/test/xi1/Makefile.am
1426N/A@@ -0,0 +1,34 @@
1426N/A+if ENABLE_UNIT_TESTS
1426N/A+if HAVE_LD_WRAP
1426N/A+noinst_PROGRAMS = \
1426N/A+ protocol-xchangedevicecontrol
1426N/A+
1426N/A+TESTS=$(noinst_PROGRAMS)
1426N/A+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
1426N/A+
1426N/A+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
1426N/A+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
1426N/A+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
1426N/A+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
1426N/A+
1426N/A+if SPECIAL_DTRACE_OBJECTS
1426N/A+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
1426N/A+endif
1426N/A+
1426N/A+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
1426N/A+
1426N/A+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
1426N/A+
1426N/A+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
1426N/A+
1426N/A+else
1426N/A+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
1426N/A+TESTS = xi1-tests
1426N/A+CLEANFILES = $(TESTS)
1426N/A+
1426N/A+xi1-tests:
1426N/A+ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
1426N/A+ @echo 'exit 77' >> $@
1426N/A+ $(AM_V_GEN)chmod +x $@
1426N/A+endif
1426N/A+endif
1426N/Adiff --git a/test/xi1/protocol-xchangedevicecontrol.c b/test/xi1/protocol-xchangedevicecontrol.c
1426N/Anew file mode 100644
1426N/Aindex 0000000..8e638b2
1426N/A--- /dev/null
1426N/A+++ b/test/xi1/protocol-xchangedevicecontrol.c
1426N/A@@ -0,0 +1,122 @@
1426N/A+/**
1426N/A+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
1426N/A+ *
1426N/A+ * Permission is hereby granted, free of charge, to any person obtaining a
1426N/A+ * copy of this software and associated documentation files (the "Software"),
1426N/A+ * to deal in the Software without restriction, including without limitation
1426N/A+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
1426N/A+ * and/or sell copies of the Software, and to permit persons to whom the
1426N/A+ * Software is furnished to do so, subject to the following conditions:
1426N/A+ *
1426N/A+ * The above copyright notice and this permission notice (including the next
1426N/A+ * paragraph) shall be included in all copies or substantial portions of the
1426N/A+ * Software.
1426N/A+ *
1426N/A+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
1426N/A+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
1426N/A+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
1426N/A+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
1426N/A+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
1426N/A+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
1426N/A+ * DEALINGS IN THE SOFTWARE.
1426N/A+ */
1426N/A+
1426N/A+#ifdef HAVE_DIX_CONFIG_H
1426N/A+#include <dix-config.h>
1426N/A+#endif
1426N/A+
1426N/A+/*
1426N/A+ * Protocol testing for ChangeDeviceControl request.
1426N/A+ */
1426N/A+#include <stdint.h>
1426N/A+#include <X11/X.h>
1426N/A+#include <X11/Xproto.h>
1426N/A+#include <X11/extensions/XIproto.h>
1426N/A+#include "inputstr.h"
1426N/A+#include "chgdctl.h"
1426N/A+
1426N/A+#include "protocol-common.h"
1426N/A+
1426N/A+static ClientRec client_request;
1426N/A+
1426N/A+static void
1426N/A+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
1426N/A+{
1426N/A+ xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
1426N/A+
1426N/A+ if (client->swapped) {
1426N/A+ swapl(&rep->length);
1426N/A+ swaps(&rep->sequenceNumber);
1426N/A+ }
1426N/A+
1426N/A+ reply_check_defaults(rep, len, ChangeDeviceControl);
1426N/A+
1426N/A+ /* XXX: check status code in reply */
1426N/A+}
1426N/A+
1426N/A+static void
1426N/A+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
1426N/A+ xDeviceCtl *ctl, int error)
1426N/A+{
1426N/A+ int rc;
1426N/A+
1426N/A+ client_request.req_len = req->length;
1426N/A+ rc = ProcXChangeDeviceControl(&client_request);
1426N/A+ assert(rc == error);
1426N/A+
1426N/A+ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
1426N/A+
1426N/A+ client_request.swapped = TRUE;
1426N/A+ swaps(&req->length);
1426N/A+ swaps(&req->control);
1426N/A+ swaps(&ctl->length);
1426N/A+ swaps(&ctl->control);
1426N/A+ /* XXX: swap other contents of ctl, depending on type */
1426N/A+ rc = SProcXChangeDeviceControl(&client_request);
1426N/A+ assert(rc == error);
1426N/A+}
1426N/A+
1426N/A+static unsigned char *data[4096]; /* the request buffer */
1426N/A+
1426N/A+static void
1426N/A+test_ChangeDeviceControl(void)
1426N/A+{
1426N/A+ xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
1426N/A+ xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
1426N/A+
1426N/A+ request_init(request, ChangeDeviceControl);
1426N/A+
1426N/A+ reply_handler = reply_ChangeDeviceControl;
1426N/A+
1426N/A+ client_request = init_client(request->length, request);
1426N/A+
1426N/A+ printf("Testing invalid lengths:\n");
1426N/A+ printf(" -- no control struct\n");
1426N/A+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
1426N/A+
1426N/A+ printf(" -- xDeviceResolutionCtl\n");
1426N/A+ request_init(request, ChangeDeviceControl);
1426N/A+ request->control = DEVICE_RESOLUTION;
1426N/A+ control->length = (sizeof(xDeviceResolutionCtl) >> 2);
1426N/A+ request->length += control->length - 2;
1426N/A+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
1426N/A+
1426N/A+ printf(" -- xDeviceEnableCtl\n");
1426N/A+ request_init(request, ChangeDeviceControl);
1426N/A+ request->control = DEVICE_ENABLE;
1426N/A+ control->length = (sizeof(xDeviceEnableCtl) >> 2);
1426N/A+ request->length += control->length - 2;
1426N/A+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
1426N/A+
1426N/A+ /* XXX: Test functionality! */
1426N/A+}
1426N/A+
1426N/A+int
1426N/A+main(int argc, char **argv)
1426N/A+{
1426N/A+ init_simple();
1426N/A+
1426N/A+ test_ChangeDeviceControl();
1426N/A+
1426N/A+ return 0;
1426N/A+}
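Review bot: `static unsigned char *data[4096];` declares an array of 4096 pointers, not 4096 bytes, so the type does not match the "the request buffer" comment or the byte-buffer casts in test_ChangeDeviceControl; it should read `static unsigned char data[4096]; /* the request buffer */`. It only works today because an array of pointers is larger than the requests being built in it. Separately, request_ChangeDeviceControl sets `client_request.swapped = TRUE` and never clears it, so every ProcXChangeDeviceControl call after the first runs with a client already marked swapped; presumably harmless for the Proc path, but resetting it to FALSE at the top of the helper would make each case independent of the previous one.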
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 2df83bb122debc3c20cfc3d3b0edc85cd0270f79 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 9 Feb 2014 21:28:05 -0800
1426N/ASubject: [PATCH 21/40] Add request length checking test cases for some Xinput
1426N/A 2.x requests
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A test/xi2/protocol-xigetclientpointer.c | 5 +++++
1426N/A test/xi2/protocol-xipassivegrabdevice.c | 8 ++++++++
1426N/A test/xi2/protocol-xiquerypointer.c | 4 ++++
1426N/A test/xi2/protocol-xiwarppointer.c | 3 +++
1426N/A 4 files changed, 20 insertions(+)
1426N/A
1426N/Adiff --git a/test/xi2/protocol-xigetclientpointer.c b/test/xi2/protocol-xigetclientpointer.c
1426N/Aindex 28eb8d3..570c53e 100644
1426N/A--- a/test/xi2/protocol-xigetclientpointer.c
1426N/A+++ b/test/xi2/protocol-xigetclientpointer.c
1426N/A@@ -124,6 +124,11 @@ test_XIGetClientPointer(void)
1426N/A request.win = INVALID_WINDOW_ID;
1426N/A request_XIGetClientPointer(&client_request, &request, BadWindow);
1426N/A
1426N/A+ printf("Testing invalid length\n");
1426N/A+ client_request.req_len -= 4;
1426N/A+ request_XIGetClientPointer(&client_request, &request, BadLength);
1426N/A+ client_request.req_len += 4;
1426N/A+
1426N/A test_data.cp_is_set = FALSE;
1426N/A
1426N/A printf("Testing window None, unset ClientPointer.\n");
1426N/Adiff --git a/test/xi2/protocol-xipassivegrabdevice.c b/test/xi2/protocol-xipassivegrabdevice.c
1426N/Aindex c747ddf..95d8ebf 100644
1426N/A--- a/test/xi2/protocol-xipassivegrabdevice.c
1426N/A+++ b/test/xi2/protocol-xipassivegrabdevice.c
1426N/A@@ -139,6 +139,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
1426N/A int modifiers;
1426N/A int mask_len;
1426N/A
1426N/A+ client_request.req_len = req->length;
1426N/A rc = ProcXIPassiveGrabDevice(&client_request);
1426N/A assert(rc == error);
1426N/A
1426N/A@@ -190,6 +191,13 @@ test_XIPassiveGrabDevice(void)
1426N/A request_XIPassiveGrabDevice(&client_request, request, BadDevice,
1426N/A request->deviceid);
1426N/A
1426N/A+ printf("Testing invalid length\n");
1426N/A+ request->length -= 2;
1426N/A+ request_XIPassiveGrabDevice(&client_request, request, BadLength,
1426N/A+ client_request.errorValue);
1426N/A+ /* re-init request since swapped length test leaves some values swapped */
1426N/A+ request_init(request, XIPassiveGrabDevice);
1426N/A+ request->grab_window = CLIENT_WINDOW_ID;
1426N/A request->deviceid = XIAllMasterDevices;
1426N/A
1426N/A printf("Testing invalid grab types\n");
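Review bot: The invalid-length case passes `client_request.errorValue` as its own expected errorValue, so whatever comparison request_XIPassiveGrabDevice makes against that argument can only confirm the field did not change during the call; if the length check leaves errorValue untouched (request-size checks normally set none), the check is vacuous. Either pass the value the handler is expected to leave behind, or say so at the call site: `/* the length check sets no errorValue; only rc is meaningful here */`. test_XIPassiveGrabDevice continues outside the hunk.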
1426N/Adiff --git a/test/xi2/protocol-xiquerypointer.c b/test/xi2/protocol-xiquerypointer.c
1426N/Aindex fc66b64..c0421f6 100644
1426N/A--- a/test/xi2/protocol-xiquerypointer.c
1426N/A+++ b/test/xi2/protocol-xiquerypointer.c
1426N/A@@ -201,6 +201,10 @@ test_XIQueryPointer(void)
1426N/A test_data.dev = devices.mouse;
1426N/A request.deviceid = devices.mouse->id;
1426N/A request_XIQueryPointer(&client_request, &request, Success);
1426N/A+
1426N/A+ /* test REQUEST_SIZE_MATCH */
1426N/A+ client_request.req_len -= 4;
1426N/A+ request_XIQueryPointer(&client_request, &request, BadLength);
1426N/A }
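Review bot: `client_request.req_len -= 4;` is not restored after the BadLength call, unlike the matching case in protocol-xigetclientpointer.c in this same patch, which adds the 4 back; the `req_len -= 2` at the end of test_XIWarpPointer has the same shape. Both sit at the end of their test functions so nothing breaks today, but any case appended later inherits a corrupted req_len and fails for the wrong reason; restoring it, `client_request.req_len += 4;`, keeps the fixture symmetric.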
1426N/A
1426N/A int
1426N/Adiff --git a/test/xi2/protocol-xiwarppointer.c b/test/xi2/protocol-xiwarppointer.c
1426N/Aindex f7986c1..3aaaae6 100644
1426N/A--- a/test/xi2/protocol-xiwarppointer.c
1426N/A+++ b/test/xi2/protocol-xiwarppointer.c
1426N/A@@ -198,6 +198,9 @@ test_XIWarpPointer(void)
1426N/A request_XIWarpPointer(&client_request, &request, Success);
1426N/A
1426N/A /* FIXME: src_x/y checks */
1426N/A+
1426N/A+ client_request.req_len -= 2; /* invalid length */
1426N/A+ request_XIWarpPointer(&client_request, &request, BadLength);
1426N/A }
1426N/A
1426N/A int
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom f4afd53f2aeaddf509bf9f71d1716dd273fd6e14 Mon Sep 17 00:00:00 2001
1426N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ADate: Sun, 9 Feb 2014 22:42:47 -0800
1426N/ASubject: [PATCH 22/40] Add REQUEST_FIXED_SIZE testcases to test/misc.c
1426N/A
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/AReviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
1426N/A---
1426N/A test/misc.c | 37 +++++++++++++++++++++++++++++++++++++
1426N/A 1 file changed, 37 insertions(+)
1426N/A
1426N/Adiff --git a/test/misc.c b/test/misc.c
1426N/Aindex dd792e6..66330a1 100644
1426N/A--- a/test/misc.c
1426N/A+++ b/test/misc.c
1426N/A@@ -28,6 +28,8 @@
1426N/A #include <stdint.h>
1426N/A #include "misc.h"
1426N/A #include "scrnintstr.h"
1426N/A+#include "dix.h"
1426N/A+#include "dixstruct.h"
1426N/A
1426N/A ScreenInfo screenInfo;
1426N/A
1426N/A@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void)
1426N/A assert_dimensions(-w2, -h2, w2, h2);
1426N/A }
1426N/A
1426N/A+static int
1426N/A+dix_request_fixed_size_overflow(ClientRec *client)
1426N/A+{
1426N/A+ xReq req = { 0 };
1426N/A+
1426N/A+ client->req_len = req.length = 1;
1426N/A+ REQUEST_FIXED_SIZE(req, SIZE_MAX);
1426N/A+ return Success;
1426N/A+}
1426N/A+
1426N/A+static int
1426N/A+dix_request_fixed_size_match(ClientRec *client)
1426N/A+{
1426N/A+ xReq req = { 0 };
1426N/A+
1426N/A+ client->req_len = req.length = 9;
1426N/A+ REQUEST_FIXED_SIZE(req, 30);
1426N/A+ return Success;
1426N/A+}
1426N/A+
1426N/A+static void
1426N/A+dix_request_size_checks(void)
1426N/A+{
1426N/A+ ClientRec client = { 0 };
1426N/A+ int rc;
1426N/A+
1426N/A+ rc = dix_request_fixed_size_overflow(&client);
1426N/A+ assert(rc == BadLength);
1426N/A+
1426N/A+ rc = dix_request_fixed_size_match(&client);
1426N/A+ assert(rc == Success);
1426N/A+}
1426N/A+
1426N/A+
1426N/A int
1426N/A main(int argc, char **argv)
1426N/A {
1426N/A dix_version_compare();
1426N/A dix_update_desktop_dimensions();
1426N/A+ dix_request_size_checks();
1426N/A
1426N/A return 0;
1426N/A }
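Review bot: dix_request_fixed_size_overflow and dix_request_fixed_size_match pass a variable (`req`) as REQUEST_FIXED_SIZE's first argument where the server's own callers pass a request type; that works only because the macro applies sizeof to it, and deserves a comment above the first helper such as `/* REQUEST_FIXED_SIZE takes a type in real callers; a variable works because the macro only uses sizeof() on it */`. The `req.length = 1` / `= 9` stores also look unused if the macro consults only `client->req_len`; if so, either drop them or note that req.length is set for readability only. A third case one unit below the matching length would pin the rejection edge that the two current cases only bracket.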
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 23fe7718bb171e71db2d1a30505c2ca2988799d9 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:36 -0500
1426N/ASubject: [PATCH 23/40] glx: Be more paranoid about variable-length requests
1426N/A [CVE-2014-8093 1/6]
1426N/A
1426N/AIf the size computation routine returns -1 we should just reject the
1426N/Arequest outright. Clamping it to zero could give an attacker the
1426N/Aopportunity to also mangle cmdlen in such a way that the subsequent
1426N/Alength check passes, and the request would get executed, thus passing
1426N/Adata we wanted to reject to the renderer.
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/glxcmds.c | 4 ++--
1426N/A 1 file changed, 2 insertions(+), 2 deletions(-)
1426N/A
1426N/Adiff --git a/glx/glxcmds.c b/glx/glxcmds.c
1426N/Aindex 009fd9b..ea42e2a 100644
1426N/A--- a/glx/glxcmds.c
1426N/A+++ b/glx/glxcmds.c
1426N/A@@ -2062,7 +2062,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
1426N/A extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
1426N/A client->swapped);
1426N/A if (extra < 0) {
1426N/A- extra = 0;
1426N/A+ return BadLength;
1426N/A }
1426N/A if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
1426N/A return BadLength;
1426N/A@@ -2179,7 +2179,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
1426N/A client->swapped);
1426N/A if (extra < 0) {
1426N/A- extra = 0;
1426N/A+ return BadLength;
1426N/A }
1426N/A /* large command's header is 4 bytes longer, so add 4 */
1426N/A if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom ab2ba9338aa5e85b4487bc7fbe69985c76483e01 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:37 -0500
1426N/ASubject: [PATCH 24/40] glx: Be more strict about rejecting invalid image
1426N/A sizes [CVE-2014-8093 2/6]
1426N/A
1426N/ABefore this we'd just clamp the image size to 0, which was just
1426N/Ahideously stupid; if the parameters were such that they'd overflow an
1426N/Ainteger, you'd allocate a small buffer, then pass huge values into (say)
1426N/AReadPixels, and now you're scribbling over arbitrary server memory.
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/singlepix.c | 16 ++++++++--------
1426N/A glx/singlepixswap.c | 16 ++++++++--------
1426N/A 2 files changed, 16 insertions(+), 16 deletions(-)
1426N/A
1426N/Adiff --git a/glx/singlepix.c b/glx/singlepix.c
1426N/Aindex 506fdaa..8b6c261 100644
1426N/A--- a/glx/singlepix.c
1426N/A+++ b/glx/singlepix.c
1426N/A@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
1426N/A lsbFirst = *(GLboolean *) (pc + 25);
1426N/A compsize = __glReadPixels_size(format, type, width, height);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst));
1426N/A@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
1426N/A compsize =
1426N/A __glGetTexImage_size(target, level, format, type, width, height, depth);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
1426N/A
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A if (compsize2 < 0)
1426N/A- compsize2 = 0;
1426N/A+ return BadLength;
1426N/A compsize = __GLX_PAD(compsize);
1426N/A compsize2 = __GLX_PAD(compsize2);
1426N/A
1426N/A@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A */
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A */
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A */
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/Adiff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
1426N/Aindex 8469101..8dc304f 100644
1426N/A--- a/glx/singlepixswap.c
1426N/A+++ b/glx/singlepixswap.c
1426N/A@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
1426N/A lsbFirst = *(GLboolean *) (pc + 25);
1426N/A compsize = __glReadPixels_size(format, type, width, height);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst));
1426N/A@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
1426N/A compsize =
1426N/A __glGetTexImage_size(target, level, format, type, width, height, depth);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
1426N/A
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A if (compsize2 < 0)
1426N/A- compsize2 = 0;
1426N/A+ return BadLength;
1426N/A compsize = __GLX_PAD(compsize);
1426N/A compsize2 = __GLX_PAD(compsize2);
1426N/A
1426N/A@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A */
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A */
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A */
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
1426N/A if (compsize < 0)
1426N/A- compsize = 0;
1426N/A+ return BadLength;
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
1426N/A
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 717a1b37767b41e14859e5022ae9e679152821a9 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:38 -0500
1426N/ASubject: [PATCH 25/40] glx: Additional paranoia in __glXGetAnswerBuffer /
1426N/A __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
1426N/A
1426N/AIf the computed reply size is negative, something went wrong, treat it
1426N/Aas an error.
1426N/A
1426N/Av2: Be more careful about size_t being unsigned (Matthieu Herrb)
1426N/Av3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
1426N/A
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/indirect_util.c | 7 ++++++-
1426N/A glx/unpack.h | 3 ++-
1426N/A 2 files changed, 8 insertions(+), 2 deletions(-)
1426N/A
1426N/Adiff --git a/glx/indirect_util.c b/glx/indirect_util.c
1426N/Aindex 926e57c..de81491 100644
1426N/A--- a/glx/indirect_util.c
1426N/A+++ b/glx/indirect_util.c
1426N/A@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
1426N/A const unsigned mask = alignment - 1;
1426N/A
1426N/A if (local_size < required_size) {
1426N/A- const size_t worst_case_size = required_size + alignment;
1426N/A+ size_t worst_case_size;
1426N/A intptr_t temp_buf;
1426N/A
1426N/A+ if (required_size < SIZE_MAX - alignment)
1426N/A+ worst_case_size = required_size + alignment;
1426N/A+ else
1426N/A+ return NULL;
1426N/A+
1426N/A if (cl->returnBufSize < worst_case_size) {
1426N/A void *temp = realloc(cl->returnBuf, worst_case_size);
1426N/A
1426N/Adiff --git a/glx/unpack.h b/glx/unpack.h
1426N/Aindex 52fba74..2b1ebcf 100644
1426N/A--- a/glx/unpack.h
1426N/A+++ b/glx/unpack.h
1426N/A@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
1426N/A ** pointer.
1426N/A */
1426N/A #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
1426N/A- if ((size) > sizeof(answerBuffer)) { \
1426N/A+ if (size < 0) return BadLength; \
1426N/A+ else if ((size) > sizeof(answerBuffer)) { \
1426N/A int bump; \
1426N/A if ((cl)->returnBufSize < (size)+(align)) { \
1426N/A (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
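Review bot: The new `if (size < 0) return BadLength;` is the only use of the macro argument that is not parenthesised — every other use in the macro writes `(size)` — so a caller passing an expression would bind differently on this line; write it as `if ((size) < 0) return BadLength; \`. The early return also means the macro can now leave the enclosing function, which the existing callers tolerate because they are request handlers returning an X error code, but that new contract is worth one line in the comment block above the macro since it previously never returned.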
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 13d36923e0ddb077f4854e354c3d5c80590b5d9d Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:39 -0500
1426N/ASubject: [PATCH 26/40] glx: Fix image size computation for
1426N/A EXT_texture_integer [CVE-2014-8098 1/8]
1426N/A
1426N/AWithout this we'd reject the request with BadLength. Note that some old
1426N/Aversions of Mesa had a bug in the same place, and would _send_ zero
1426N/Abytes of image data; these will now be rejected, correctly.
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/rensize.c | 10 ++++++++++
1426N/A 1 file changed, 10 insertions(+)
1426N/A
1426N/Adiff --git a/glx/rensize.c b/glx/rensize.c
1426N/Aindex ba22d10..9ff73c7 100644
1426N/A--- a/glx/rensize.c
1426N/A+++ b/glx/rensize.c
1426N/A@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A case GL_ALPHA:
1426N/A case GL_LUMINANCE:
1426N/A case GL_INTENSITY:
1426N/A+ case GL_RED_INTEGER_EXT:
1426N/A+ case GL_GREEN_INTEGER_EXT:
1426N/A+ case GL_BLUE_INTEGER_EXT:
1426N/A+ case GL_ALPHA_INTEGER_EXT:
1426N/A+ case GL_LUMINANCE_INTEGER_EXT:
1426N/A elementsPerGroup = 1;
1426N/A break;
1426N/A case GL_422_EXT:
1426N/A@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A case GL_DEPTH_STENCIL_MESA:
1426N/A case GL_YCBCR_MESA:
1426N/A case GL_LUMINANCE_ALPHA:
1426N/A+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
1426N/A elementsPerGroup = 2;
1426N/A break;
1426N/A case GL_RGB:
1426N/A case GL_BGR:
1426N/A+ case GL_RGB_INTEGER_EXT:
1426N/A+ case GL_BGR_INTEGER_EXT:
1426N/A elementsPerGroup = 3;
1426N/A break;
1426N/A case GL_RGBA:
1426N/A case GL_BGRA:
1426N/A+ case GL_RGBA_INTEGER_EXT:
1426N/A+ case GL_BGRA_INTEGER_EXT:
1426N/A case GL_ABGR_EXT:
1426N/A elementsPerGroup = 4;
1426N/A break;
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 2a5cbc17fc72185bf0fa06fef26d1f782de72595 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:40 -0500
1426N/ASubject: [PATCH 27/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
1426N/A
1426N/AThese are paranoid about integer overflow, and will return -1 if their
1426N/Aoperation would overflow a (signed) integer or if either argument is
1426N/Anegative.
1426N/A
1426N/ANote that RenderLarge requests are sized with a uint32_t so in principle
1426N/Athis could be sketchy there, but dix limits bigreqs to 128M so you
1426N/Ashouldn't ever notice, and honestly if you're sending more than 2G of
1426N/Arendering commands you're already doing something very wrong.
1426N/A
1426N/Av2: Use INT_MAX for consistency with the rest of the server (jcristau)
1426N/Av3: Reject negative arguments (anholt)
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
1426N/A 1 file changed, 41 insertions(+)
1426N/A
1426N/Adiff --git a/glx/glxserver.h b/glx/glxserver.h
1426N/Aindex a324b29..9482601 100644
1426N/A--- a/glx/glxserver.h
1426N/A+++ b/glx/glxserver.h
1426N/A@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
1426N/A * Routines for computing the size of variably-sized rendering commands.
1426N/A */
1426N/A
1426N/A+static _X_INLINE int
1426N/A+safe_add(int a, int b)
1426N/A+{
1426N/A+ if (a < 0 || b < 0)
1426N/A+ return -1;
1426N/A+
1426N/A+ if (INT_MAX - a < b)
1426N/A+ return -1;
1426N/A+
1426N/A+ return a + b;
1426N/A+}
1426N/A+
1426N/A+static _X_INLINE int
1426N/A+safe_mul(int a, int b)
1426N/A+{
1426N/A+ if (a < 0 || b < 0)
1426N/A+ return -1;
1426N/A+
1426N/A+ if (a == 0 || b == 0)
1426N/A+ return 0;
1426N/A+
1426N/A+ if (a > INT_MAX / b)
1426N/A+ return -1;
1426N/A+
1426N/A+ return a * b;
1426N/A+}
1426N/A+
1426N/A+static _X_INLINE int
1426N/A+safe_pad(int a)
1426N/A+{
1426N/A+ int ret;
1426N/A+
1426N/A+ if (a < 0)
1426N/A+ return -1;
1426N/A+
1426N/A+ if ((ret = safe_add(a, 3)) < 0)
1426N/A+ return -1;
1426N/A+
1426N/A+ return ret & (GLuint)~3;
1426N/A+}
1426N/A+
1426N/A extern int __glXTypeSize(GLenum enm);
1426N/A extern int __glXImageSize(GLenum format, GLenum type,
1426N/A GLenum target, GLsizei w, GLsizei h, GLsizei d,
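Review bot: safe_add and safe_mul compare against INT_MAX but the hunk adds no `#include <limits.h>`, so the header relies on it arriving transitively through an earlier include; making it explicit in glxserver.h avoids a build break if include order changes. The three helpers also carry no comment; a short block above safe_add stating the contract — both arguments must be non-negative ints, the result is the exact sum, product or 4-byte-padded value, and -1 is returned on a negative argument or on overflow — lets callers rely on the -1 sentinel without reading the bodies. In safe_pad, `ret & (GLuint)~3` is safe as written since ret is already bounded by INT_MAX, but `ret & ~3` reads the same and avoids the int/unsigned round trip.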
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom be09e0c988ffdb0371293af49fb4ea8f49ed324a Mon Sep 17 00:00:00 2001
1426N/AFrom: Julien Cristau <jcristau@debian.org>
1426N/ADate: Mon, 10 Nov 2014 12:13:41 -0500
1426N/ASubject: [PATCH 28/40] glx: Length checking for GLXRender requests (v2)
1426N/A [CVE-2014-8098 2/8]
1426N/A
1426N/Av2:
1426N/ARemove can't-happen comparison for cmdlen < 0 (Michal Srb)
1426N/A
1426N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Julien Cristau <jcristau@debian.org>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/glxcmds.c | 21 ++++++++++-----------
1426N/A 1 file changed, 10 insertions(+), 11 deletions(-)
1426N/A
1426N/Adiff --git a/glx/glxcmds.c b/glx/glxcmds.c
1426N/Aindex ea42e2a..ddd9119 100644
1426N/A--- a/glx/glxcmds.c
1426N/A+++ b/glx/glxcmds.c
1426N/A@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
1426N/A left = (req->length << 2) - sz_xGLXRenderReq;
1426N/A while (left > 0) {
1426N/A __GLXrenderSizeData entry;
1426N/A- int extra;
1426N/A+ int extra = 0;
1426N/A __GLXdispatchRenderProcPtr proc;
1426N/A int err;
1426N/A
1426N/A@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
1426N/A cmdlen = hdr->length;
1426N/A opcode = hdr->opcode;
1426N/A
1426N/A+ if (left < cmdlen)
1426N/A+ return BadLength;
1426N/A+
1426N/A /*
1426N/A ** Check for core opcodes and grab entry data.
1426N/A */
1426N/A@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
1426N/A return __glXError(GLXBadRenderRequest);
1426N/A }
1426N/A
1426N/A+ if (cmdlen < entry.bytes) {
1426N/A+ return BadLength;
1426N/A+ }
1426N/A+
1426N/A if (entry.varsize) {
1426N/A /* variable size command */
1426N/A extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
1426N/A@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
1426N/A if (extra < 0) {
1426N/A return BadLength;
1426N/A }
1426N/A- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
1426N/A- return BadLength;
1426N/A- }
1426N/A }
1426N/A- else {
1426N/A- /* constant size command */
1426N/A- if (cmdlen != __GLX_PAD(entry.bytes)) {
1426N/A- return BadLength;
1426N/A- }
1426N/A- }
1426N/A- if (left < cmdlen) {
1426N/A+
1426N/A+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
1426N/A return BadLength;
1426N/A }
1426N/A
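Review bot: The merged check `cmdlen != safe_pad(safe_add(entry.bytes, extra))` rejects an overflow only because a -1 from the helpers can never equal a non-negative `cmdlen`, and `if (left < cmdlen)` in the hunk at L2540 is only a bound if `cmdlen` cannot be negative; both rest on `cmdlen`'s declaration and on `hdr->length` presumably being an unsigned 16-bit field, neither of which is visible here (the commit message's "can't-happen comparison for cmdlen < 0" refers to this). A comment at the assignment, e.g. `/* hdr->length is a 16-bit unsigned field, so cmdlen is in [0, 65535] and the -1 sentinels below can never compare equal to it */`, would record the invariant the checks depend on. The `if (cmdlen < entry.bytes)` guard also deserves a line saying why it precedes the varsize call: the size function reads the fixed-size part of the command, so that part must already lie within the request. The body of __glXDisp_Render continues outside the hunk.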
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 698888e6671d54c7ae41e9d456f7f5483a3459d2 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:42 -0500
1426N/ASubject: [PATCH 29/40] glx: Integer overflow protection for non-generated
1426N/A render requests (v3) [CVE-2014-8093 5/6]
1426N/A
1426N/Av2:
1426N/AFix constants in __glXMap2fReqSize (Michal Srb)
1426N/AValidate w/h/d for proxy targets too (Keith Packard)
1426N/A
1426N/Av3:
1426N/AFix Map[12]Size to correctly reject order == 0 (Julien Cristau)
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/rensize.c | 77 ++++++++++++++++++++++++++++++---------------------------
1426N/A 1 file changed, 41 insertions(+), 36 deletions(-)
1426N/A
1426N/Adiff --git a/glx/rensize.c b/glx/rensize.c
1426N/Aindex 9ff73c7..d46334a 100644
1426N/A--- a/glx/rensize.c
1426N/A+++ b/glx/rensize.c
1426N/A@@ -43,19 +43,11 @@
1426N/A (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
1426N/A ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
1426N/A
1426N/A-static int
1426N/A-Map1Size(GLint k, GLint order)
1426N/A-{
1426N/A- if (order <= 0 || k < 0)
1426N/A- return -1;
1426N/A- return k * order;
1426N/A-}
1426N/A-
1426N/A int
1426N/A __glXMap1dReqSize(const GLbyte * pc, Bool swap)
1426N/A {
1426N/A GLenum target;
1426N/A- GLint order, k;
1426N/A+ GLint order;
1426N/A
1426N/A target = *(GLenum *) (pc + 16);
1426N/A order = *(GLint *) (pc + 20);
1426N/A@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
1426N/A target = SWAPL(target);
1426N/A order = SWAPL(order);
1426N/A }
1426N/A- k = __glMap1d_size(target);
1426N/A- return 8 * Map1Size(k, order);
1426N/A+ if (order < 1)
1426N/A+ return -1;
1426N/A+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
1426N/A }
1426N/A
1426N/A int
1426N/A __glXMap1fReqSize(const GLbyte * pc, Bool swap)
1426N/A {
1426N/A GLenum target;
1426N/A- GLint order, k;
1426N/A+ GLint order;
1426N/A
1426N/A target = *(GLenum *) (pc + 0);
1426N/A order = *(GLint *) (pc + 12);
1426N/A@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
1426N/A target = SWAPL(target);
1426N/A order = SWAPL(order);
1426N/A }
1426N/A- k = __glMap1f_size(target);
1426N/A- return 4 * Map1Size(k, order);
1426N/A+ if (order < 1)
1426N/A+ return -1;
1426N/A+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
1426N/A }
1426N/A
1426N/A static int
1426N/A Map2Size(int k, int majorOrder, int minorOrder)
1426N/A {
1426N/A- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
1426N/A+ if (majorOrder < 1 || minorOrder < 1)
1426N/A return -1;
1426N/A- return k * majorOrder * minorOrder;
1426N/A+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
1426N/A }
1426N/A
1426N/A int
1426N/A __glXMap2dReqSize(const GLbyte * pc, Bool swap)
1426N/A {
1426N/A GLenum target;
1426N/A- GLint uorder, vorder, k;
1426N/A+ GLint uorder, vorder;
1426N/A
1426N/A target = *(GLenum *) (pc + 32);
1426N/A uorder = *(GLint *) (pc + 36);
1426N/A@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
1426N/A uorder = SWAPL(uorder);
1426N/A vorder = SWAPL(vorder);
1426N/A }
1426N/A- k = __glMap2d_size(target);
1426N/A- return 8 * Map2Size(k, uorder, vorder);
1426N/A+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
1426N/A }
1426N/A
1426N/A int
1426N/A __glXMap2fReqSize(const GLbyte * pc, Bool swap)
1426N/A {
1426N/A GLenum target;
1426N/A- GLint uorder, vorder, k;
1426N/A+ GLint uorder, vorder;
1426N/A
1426N/A target = *(GLenum *) (pc + 0);
1426N/A uorder = *(GLint *) (pc + 12);
1426N/A@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
1426N/A uorder = SWAPL(uorder);
1426N/A vorder = SWAPL(vorder);
1426N/A }
1426N/A- k = __glMap2f_size(target);
1426N/A- return 4 * Map2Size(k, uorder, vorder);
1426N/A+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
1426N/A }
1426N/A
1426N/A /**
1426N/A@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A GLint bytesPerElement, elementsPerGroup, groupsPerRow;
1426N/A GLint groupSize, rowSize, padding, imageSize;
1426N/A
1426N/A+ if (w == 0 || h == 0 || d == 0)
1426N/A+ return 0;
1426N/A+
1426N/A if (w < 0 || h < 0 || d < 0 ||
1426N/A (type == GL_BITMAP &&
1426N/A (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
1426N/A return -1;
1426N/A }
1426N/A- if (w == 0 || h == 0 || d == 0)
1426N/A- return 0;
1426N/A
1426N/A+ /* proxy targets have no data */
1426N/A switch (target) {
1426N/A case GL_PROXY_TEXTURE_1D:
1426N/A case GL_PROXY_TEXTURE_2D:
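Review bot: Moving `if (w == 0 || h == 0 || d == 0) return 0;` ahead of the negative-dimension and GL_BITMAP format checks changes what is validated: a request with one zero dimension now yields 0 even when another dimension is negative or the format is invalid for GL_BITMAP, where the old order returned -1. If the intent is that a zero-sized image carries no data and needs no further validation, that is defensible, but the commit message does not say so and the reorder is easy to mistake for an accident. A comment such as `/* a zero-sized image has no data; nothing else about it needs checking */` above the early return would settle it, or the two checks can keep their original order if the stricter behaviour is wanted. __glXImageSize starts before this hunk.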
1426N/A@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A return 0;
1426N/A }
1426N/A
1426N/A+ /* real data has to have real sizes */
1426N/A+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
1426N/A+ return -1;
1426N/A+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
1426N/A+ return -1;
1426N/A+
1426N/A if (type == GL_BITMAP) {
1426N/A if (rowLength > 0) {
1426N/A groupsPerRow = rowLength;
1426N/A@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A groupsPerRow = w;
1426N/A }
1426N/A rowSize = bits_to_bytes(groupsPerRow);
1426N/A+ if (rowSize < 0)
1426N/A+ return -1;
1426N/A padding = (rowSize % alignment);
1426N/A if (padding) {
1426N/A rowSize += alignment - padding;
1426N/A }
1426N/A- return ((h + skipRows) * rowSize);
1426N/A+
1426N/A+ return safe_mul(safe_add(h, skipRows), rowSize);
1426N/A }
1426N/A else {
1426N/A switch (format) {
1426N/A@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A default:
1426N/A return -1;
1426N/A }
1426N/A+ /* known safe by the switches above, not checked */
1426N/A groupSize = bytesPerElement * elementsPerGroup;
1426N/A if (rowLength > 0) {
1426N/A groupsPerRow = rowLength;
1426N/A@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
1426N/A else {
1426N/A groupsPerRow = w;
1426N/A }
1426N/A- rowSize = groupsPerRow * groupSize;
1426N/A+
1426N/A+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
1426N/A+ return -1;
1426N/A padding = (rowSize % alignment);
1426N/A if (padding) {
1426N/A rowSize += alignment - padding;
1426N/A }
1426N/A- if (imageHeight > 0) {
1426N/A- imageSize = (imageHeight + skipRows) * rowSize;
1426N/A- }
1426N/A- else {
1426N/A- imageSize = (h + skipRows) * rowSize;
1426N/A- }
1426N/A- return ((d + skipImages) * imageSize);
1426N/A+
1426N/A+ if (imageHeight > 0)
1426N/A+ h = imageHeight;
1426N/A+ h = safe_add(h, skipRows);
1426N/A+
1426N/A+ imageSize = safe_mul(h, rowSize);
1426N/A+
1426N/A+ return safe_mul(safe_add(d, skipImages), imageSize);
1426N/A }
1426N/A }
1426N/A
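Review bot: `rowSize += alignment - padding;` at L2771 is the one arithmetic step in this branch left unchecked, and after the new `safe_mul` `rowSize` may be anything up to INT_MAX, so adding up to `alignment - 1` can overflow signed int (undefined behaviour; in practice the wrapped negative value is caught by the later `safe_mul`, but the compiler is not obliged to preserve that). The same pattern is at L2745 in the GL_BITMAP branch (hunk at L2737). Replacing the increment with `if ((rowSize = safe_add(rowSize, alignment - padding)) < 0) return -1;` keeps the whole computation on the checked path. __glXImageSize starts before this hunk and its callers decide what a -1 means.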
1426N/A@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
1426N/A /* XXX Should rowLength be used for either or both image? */
1426N/A image1size = __glXImageSize(format, type, 0, w, 1, 1,
1426N/A 0, rowLength, 0, 0, alignment);
1426N/A- image1size = __GLX_PAD(image1size);
1426N/A image2size = __glXImageSize(format, type, 0, h, 1, 1,
1426N/A 0, rowLength, 0, 0, alignment);
1426N/A- return image1size + image2size;
1426N/A-
1426N/A+ return safe_add(safe_pad(image1size), image2size);
1426N/A }
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom a33a939e6abb255b14d8dbc85fcbd2c55b958bae Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:43 -0500
1426N/ASubject: [PATCH 30/40] glx: Length checking for RenderLarge requests (v2)
1426N/A [CVE-2014-8098 3/8]
1426N/A
1426N/AThis is a half-measure until we start passing request length into the
1426N/Avarsize function, but it's better than the nothing we had before.
1426N/A
1426N/Av2: Verify that there's at least a large render header's worth of
1426N/AdataBytes (Julien Cristau)
1426N/A
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
1426N/A 1 file changed, 34 insertions(+), 23 deletions(-)
1426N/A
1426N/Adiff --git a/glx/glxcmds.c b/glx/glxcmds.c
1426N/Aindex ddd9119..a7a5172 100644
1426N/A--- a/glx/glxcmds.c
1426N/A+++ b/glx/glxcmds.c
1426N/A@@ -2109,6 +2109,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A
1426N/A+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
1426N/A+
1426N/A req = (xGLXRenderLargeReq *) pc;
1426N/A if (client->swapped) {
1426N/A __GLX_SWAP_SHORT(&req->length);
1426N/A@@ -2124,12 +2126,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A __glXResetLargeCommandStatus(cl);
1426N/A return error;
1426N/A }
1426N/A+ if (safe_pad(req->dataBytes) < 0)
1426N/A+ return BadLength;
1426N/A dataBytes = req->dataBytes;
1426N/A
1426N/A /*
1426N/A ** Check the request length.
1426N/A */
1426N/A- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
1426N/A+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
1426N/A client->errorValue = req->length;
1426N/A /* Reset in case this isn't 1st request. */
1426N/A __glXResetLargeCommandStatus(cl);
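Review bot: `safe_pad(dataBytes) + sz_xGLXRenderLargeReq` at L2850 adds to a checked value with an unchecked `+`: `safe_pad` can return anything up to `INT_MAX & ~3`, and adding the fixed header size to that can overflow signed int. Keeping the early return at L2842 and writing the comparison as `if ((req->length << 2) != safe_add(safe_pad(dataBytes), sz_xGLXRenderLargeReq))` removes the overflow, and computing the padded size once into a local would also avoid calling `safe_pad` twice on the same value. Whether `req->length` or `client->req_len` is the authoritative length when BigRequests are in use is not visible here and worth confirming. __glXDisp_RenderLarge starts before this hunk.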
1426N/A@@ -2139,7 +2143,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A
1426N/A if (cl->largeCmdRequestsSoFar == 0) {
1426N/A __GLXrenderSizeData entry;
1426N/A- int extra;
1426N/A+ int extra = 0;
1426N/A size_t cmdlen;
1426N/A int err;
1426N/A
1426N/A@@ -2152,13 +2156,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A return __glXError(GLXBadLargeRequest);
1426N/A }
1426N/A
1426N/A+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
1426N/A+ return BadLength;
1426N/A+
1426N/A hdr = (__GLXrenderLargeHeader *) pc;
1426N/A if (client->swapped) {
1426N/A __GLX_SWAP_INT(&hdr->length);
1426N/A __GLX_SWAP_INT(&hdr->opcode);
1426N/A }
1426N/A- cmdlen = hdr->length;
1426N/A opcode = hdr->opcode;
1426N/A+ if ((cmdlen = safe_pad(hdr->length)) < 0)
1426N/A+ return BadLength;
1426N/A
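Review bot: `if ((cmdlen = safe_pad(hdr->length)) < 0)` at L2877 can never take the error path, because `cmdlen` is declared `size_t` (context line L2860 in the hunk at L2854): the -1 sentinel becomes SIZE_MAX on assignment and an unsigned value is never `< 0` (GCC's -Wtype-limits flags exactly this). The later `cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))` then compares SIZE_MAX with an int that is converted the same way, so a rejected `hdr->length` and a rejected computed size could even compare equal and pass. Changing the declaration to `int cmdlen;` makes the check effective and matches the type `safe_pad` returns; the remaining uses of `cmdlen` in the function (the buffer allocation) lie outside this hunk and should be re-read for that type change.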
1426N/A /*
1426N/A ** Check for core opcodes and grab entry data.
1426N/A@@ -2180,17 +2188,13 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A if (extra < 0) {
1426N/A return BadLength;
1426N/A }
1426N/A- /* large command's header is 4 bytes longer, so add 4 */
1426N/A- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
1426N/A- return BadLength;
1426N/A- }
1426N/A }
1426N/A- else {
1426N/A- /* constant size command */
1426N/A- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
1426N/A- return BadLength;
1426N/A- }
1426N/A+
1426N/A+ /* the +4 is safe because we know entry.bytes is small */
1426N/A+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
1426N/A+ return BadLength;
1426N/A }
1426N/A+
1426N/A /*
1426N/A ** Make enough space in the buffer, then copy the entire request.
1426N/A */
1426N/A@@ -2217,6 +2221,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A ** We are receiving subsequent (i.e. not the first) requests of a
1426N/A ** multi request command.
1426N/A */
1426N/A+ int bytesSoFar; /* including this packet */
1426N/A
1426N/A /*
1426N/A ** Check the request number and the total request count.
1426N/A@@ -2235,11 +2240,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A /*
1426N/A ** Check that we didn't get too much data.
1426N/A */
1426N/A- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
1426N/A+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
1426N/A+ client->errorValue = dataBytes;
1426N/A+ __glXResetLargeCommandStatus(cl);
1426N/A+ return __glXError(GLXBadLargeRequest);
1426N/A+ }
1426N/A+
1426N/A+ if (bytesSoFar > cl->largeCmdBytesTotal) {
1426N/A client->errorValue = dataBytes;
1426N/A __glXResetLargeCommandStatus(cl);
1426N/A return __glXError(GLXBadLargeRequest);
1426N/A }
1426N/A+
1426N/A memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
1426N/A cl->largeCmdBytesSoFar += dataBytes;
1426N/A cl->largeCmdRequestsSoFar++;
1426N/A@@ -2251,17 +2263,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A ** This is the last request; it must have enough bytes to complete
1426N/A ** the command.
1426N/A */
1426N/A- /* NOTE: the two pad macros have been added below; they are needed
1426N/A- ** because the client library pads the total byte count, but not
1426N/A- ** the per-request byte counts. The Protocol Encoding says the
1426N/A- ** total byte count should not be padded, so a proposal will be
1426N/A- ** made to the ARB to relax the padding constraint on the total
1426N/A- ** byte count, thus preserving backward compatibility. Meanwhile,
1426N/A- ** the padding done below fixes a bug that did not allow
1426N/A- ** large commands of odd sizes to be accepted by the server.
1426N/A+ /* NOTE: the pad macro below is needed because the client library
1426N/A+ ** pads the total byte count, but not the per-request byte counts.
1426N/A+ ** The Protocol Encoding says the total byte count should not be
1426N/A+ ** padded, so a proposal will be made to the ARB to relax the
1426N/A+ ** padding constraint on the total byte count, thus preserving
1426N/A+ ** backward compatibility. Meanwhile, the padding done below
1426N/A+ ** fixes a bug that did not allow large commands of odd sizes to
1426N/A+ ** be accepted by the server.
1426N/A */
1426N/A- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
1426N/A- __GLX_PAD(cl->largeCmdBytesTotal)) {
1426N/A+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
1426N/A client->errorValue = dataBytes;
1426N/A __glXResetLargeCommandStatus(cl);
1426N/A return __glXError(GLXBadLargeRequest);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom c91e4abc3b892f42802efa20fef7ada442c2d3f5 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:44 -0500
1426N/ASubject: [PATCH 31/40] glx: Top-level length checking for swapped
1426N/A VendorPrivate requests [CVE-2014-8098 4/8]
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/glxcmdsswap.c | 4 ++++
1426N/A 1 file changed, 4 insertions(+)
1426N/A
1426N/Adiff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
1426N/Aindex 5d179f3..9ec1222 100644
1426N/A--- a/glx/glxcmdsswap.c
1426N/A+++ b/glx/glxcmdsswap.c
1426N/A@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A xGLXVendorPrivateReq *req;
1426N/A GLint vendorcode;
1426N/A __GLXdispatchVendorPrivProcPtr proc;
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
1426N/A
1426N/A req = (xGLXVendorPrivateReq *) pc;
1426N/A __GLX_SWAP_SHORT(&req->length);
1426N/A@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A xGLXVendorPrivateWithReplyReq *req;
1426N/A GLint vendorcode;
1426N/A __GLXdispatchVendorPrivProcPtr proc;
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
1426N/A
1426N/A req = (xGLXVendorPrivateWithReplyReq *) pc;
1426N/A __GLX_SWAP_SHORT(&req->length);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom afe177020d1fb776c6163f21eddc82cb185b95ca Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:45 -0500
1426N/ASubject: [PATCH 32/40] glx: Request length checks for SetClientInfoARB
1426N/A [CVE-2014-8098 5/8]
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/clientinfo.c | 19 ++++++++++++++-----
1426N/A 1 file changed, 14 insertions(+), 5 deletions(-)
1426N/A
1426N/Adiff --git a/glx/clientinfo.c b/glx/clientinfo.c
1426N/Aindex 4aaa4c9..c5fef30 100644
1426N/A--- a/glx/clientinfo.c
1426N/A+++ b/glx/clientinfo.c
1426N/A@@ -33,18 +33,21 @@ static int
1426N/A set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
1426N/A unsigned bytes_per_version)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A char *gl_extensions;
1426N/A char *glx_extensions;
1426N/A
1426N/A+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
1426N/A+
1426N/A /* Verify that the size of the packet matches the size inferred from the
1426N/A * sizes specified for the various fields.
1426N/A */
1426N/A- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
1426N/A- + (req->numVersions * bytes_per_version)
1426N/A- + __GLX_PAD(req->numGLExtensionBytes)
1426N/A- + __GLX_PAD(req->numGLXExtensionBytes);
1426N/A+ int size = sz_xGLXSetClientInfoARBReq;
1426N/A+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
1426N/A+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
1426N/A+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
1426N/A
1426N/A- if (req->length != (expected_size / 4))
1426N/A+ if (size < 0 || req->length != (size / 4))
1426N/A return BadLength;
1426N/A
1426N/A /* Verify that the actual length of the GL extension string matches what's
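Review bot: The size is now computed with the checked helpers, but the comparison `req->length != (size / 4)` still takes the length from the 16-bit field in the request header rather than from `client->req_len`, which is what the newly added `REQUEST_AT_LEAST_SIZE` presumably consults; if this server honours BigRequests the header field is not the authoritative length and the two checks would disagree. This is pre-existing and outside the commit's scope, but a comment at the comparison recording which length is authoritative, or switching it to `client->req_len`, is worth confirming against the core dispatch code. set_client_info continues beyond the hunk, where the extension-string lengths are validated.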
1426N/A@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
1426N/A
1426N/A+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
1426N/A+
1426N/A req->length = bswap_16(req->length);
1426N/A req->numVersions = bswap_32(req->numVersions);
1426N/A req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
1426N/A@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
1426N/A
1426N/A+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
1426N/A+
1426N/A req->length = bswap_16(req->length);
1426N/A req->numVersions = bswap_32(req->numVersions);
1426N/A req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 44ba149f28ece93c2fbfc9cc980588de5322dd4b Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:46 -0500
1426N/ASubject: [PATCH 33/40] glx: Length-checking for non-generated vendor private
1426N/A requests [CVE-2014-8098 6/8]
1426N/A
1426N/AReviewed-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/indirect_program.c | 2 ++
1426N/A glx/swap_interval.c | 2 ++
1426N/A 2 files changed, 4 insertions(+)
1426N/A
1426N/Adiff --git a/glx/indirect_program.c b/glx/indirect_program.c
1426N/Aindex cda139e..5caee7b 100644
1426N/A--- a/glx/indirect_program.c
1426N/A+++ b/glx/indirect_program.c
1426N/A@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
1426N/A __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
1426N/A ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
1426N/A+
1426N/A pc += __GLX_VENDPRIV_HDR_SIZE;
1426N/A if (cx != NULL) {
1426N/A GLenum target;
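Review bot: `REQUEST_FIXED_SIZE` is placed after the declarations, but the `cx` initialiser at L3109 already reads `req->contextTag` and makes that context current before the request has been size-checked; unless the vendor-private dispatcher has guaranteed the full header, the check comes too late to protect that read, and even if it has, making a context current and then returning BadLength is wasted work. The same order appears in both `GetCompressedTexImage` hunks of the later patch (L3164 and L3173). Declaring `cx` without an initialiser and assigning it after the check, `REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);` followed by `cx = __glXForceCurrent(cl, req->contextTag, &error);`, matches the order the single2.c hunks use. DoGetProgramString continues past the hunk.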
1426N/Adiff --git a/glx/swap_interval.c b/glx/swap_interval.c
1426N/Aindex 17bc992..2320550 100644
1426N/A--- a/glx/swap_interval.c
1426N/A+++ b/glx/swap_interval.c
1426N/A@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
1426N/A __GLXcontext *cx;
1426N/A GLint interval;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
1426N/A+
1426N/A cx = __glXLookupContextByTag(cl, tag);
1426N/A
1426N/A if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 984583a497c813df5827ae22483133e704fee79c Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:47 -0500
1426N/ASubject: [PATCH 34/40] glx: Length checking for non-generated single requests
1426N/A (v2) [CVE-2014-8098 7/8]
1426N/A
1426N/Av2:
1426N/AFix single versus vendor-private length checking for ARB_imaging subset
1426N/Aextensions. (Julien Cristau)
1426N/A
1426N/Av3:
1426N/AFix single versus vendor-private length checking for ARB_imaging subset
1426N/Aextensions. (Julien Cristau)
1426N/A
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Julien Cristau <jcristau@debian.org>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/indirect_texture_compression.c | 4 ++++
1426N/A glx/single2.c | 23 +++++++++++++++----
1426N/A glx/single2swap.c | 19 ++++++++++++----
1426N/A glx/singlepix.c | 44 ++++++++++++++++++++++++------------
1426N/A glx/singlepixswap.c | 34 ++++++++++++++++++++++++----
1426N/A 5 files changed, 95 insertions(+), 29 deletions(-)
1426N/A
1426N/Adiff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
1426N/Aindex cda7656..1ebf7f3 100644
1426N/A--- a/glx/indirect_texture_compression.c
1426N/A+++ b/glx/indirect_texture_compression.c
1426N/A@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
1426N/A __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
1426N/A ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
1426N/A+
1426N/A pc += __GLX_SINGLE_HDR_SIZE;
1426N/A if (cx != NULL) {
1426N/A const GLenum target = *(GLenum *) (pc + 0);
1426N/A@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
1426N/A __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
1426N/A ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
1426N/A+
1426N/A pc += __GLX_SINGLE_HDR_SIZE;
1426N/A if (cx != NULL) {
1426N/A const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
1426N/Adiff --git a/glx/single2.c b/glx/single2.c
1426N/Aindex 53b661d..a6ea614 100644
1426N/A--- a/glx/single2.c
1426N/A+++ b/glx/single2.c
1426N/A@@ -45,11 +45,14 @@
1426N/A int
1426N/A __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A GLsizei size;
1426N/A GLenum type;
1426N/A __GLXcontext *cx;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A GLsizei size;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A- ClientPtr client;
1426N/A+ ClientPtr client = cl->client;
1426N/A xGLXRenderModeReply reply;
1426N/A __GLXcontext *cx;
1426N/A GLint nitems = 0, retBytes = 0, retval, newModeCheck;
1426N/A@@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A GLenum newMode;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A ** selection array, as per the API for glRenderMode itself.
1426N/A */
1426N/A noChangeAllowed:;
1426N/A- client = cl->client;
1426N/A reply = (xGLXRenderModeReply) {
1426N/A .type = X_Reply,
1426N/A .sequenceNumber = client->sequence,
1426N/A@@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xGLXSingleReq);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A- ClientPtr client;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xGLXSingleReq);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
1426N/A int
1426N/A DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
1426N/A {
1426N/A- ClientPtr client;
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A GLenum name;
1426N/A const char *string;
1426N/A@@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
1426N/A char *buf = NULL, *buf1 = NULL;
1426N/A GLint length = 0;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A /* If the client has the opposite byte order, swap the contextTag and
1426N/A * the name.
1426N/A */
1426N/A@@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
1426N/A pc += __GLX_SINGLE_HDR_SIZE;
1426N/A name = *(GLenum *) (pc + 0);
1426N/A string = (const char *) CALL_GetString(GET_DISPATCH(), (name));
1426N/A- client = cl->client;
1426N/A
1426N/A if (string == NULL)
1426N/A string = "";
1426N/Adiff --git a/glx/single2swap.c b/glx/single2swap.c
1426N/Aindex 764501f..5349069 100644
1426N/A--- a/glx/single2swap.c
1426N/A+++ b/glx/single2swap.c
1426N/A@@ -41,6 +41,7 @@
1426N/A int
1426N/A __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A GLsizei size;
1426N/A GLenum type;
1426N/A
1426N/A@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A __GLXcontext *cx;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A GLsizei size;
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A- ClientPtr client;
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A xGLXRenderModeReply reply;
1426N/A GLint nitems = 0, retBytes = 0, retval, newModeCheck;
1426N/A@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
1426N/A int error;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A ** selection array, as per the API for glRenderMode itself.
1426N/A */
1426N/A noChangeAllowed:;
1426N/A- client = cl->client;
1426N/A reply = (xGLXRenderModeReply) {
1426N/A .type = X_Reply,
1426N/A .sequenceNumber = client->sequence,
1426N/A@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A int error;
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xGLXSingleReq);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
1426N/A int
1426N/A __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A+ ClientPtr client = cl->client;
1426N/A __GLXcontext *cx;
1426N/A- ClientPtr client;
1426N/A int error;
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A
1426N/A+ REQUEST_SIZE_MATCH(xGLXSingleReq);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
1426N/A cx->hasUnflushedCommands = GL_FALSE;
1426N/A
1426N/A /* Send empty reply packet to indicate finish is finished */
1426N/A- client = cl->client;
1426N/A __GLX_BEGIN_REPLY(0);
1426N/A __GLX_PUT_RETVAL(0);
1426N/A __GLX_SWAP_REPLY_HEADER();
1426N/Adiff --git a/glx/singlepix.c b/glx/singlepix.c
1426N/Aindex 8b6c261..54ed7fd 100644
1426N/A--- a/glx/singlepix.c
1426N/A+++ b/glx/singlepix.c
1426N/A@@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
1426N/A int error;
1426N/A char *answer, answerBuffer[200];
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
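Review bot: The literal `28` in the added `REQUEST_FIXED_SIZE(xGLXSingleReq, 28);` is a magic number, as are the `20`, `4` and `16` in the other REQUEST_FIXED_SIZE lines of this file and of singlepixswap.c, and nothing in the hunk says what bytes they account for. A short trailing comment per site would make later audits of these length checks cheaper, e.g. `REQUEST_FIXED_SIZE(xGLXSingleReq, 28); /* presumably x, y, width, height, format, type, swapBytes/lsbFirst — confirm against the GLX protocol spec */`. __glXDisp_ReadPixels starts and continues outside this hunk, so the payload layout it reads cannot be verified from here.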
1426N/A@@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
1426N/A char *answer, answerBuffer[200];
1426N/A GLint width = 0, height = 0, depth = 1;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
1426N/A GLubyte answerBuffer[200];
1426N/A char *answer;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A return error;
1426N/A@@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
1426N/A compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
1426N/A
1426N/A- if (compsize < 0)
1426N/A+ if ((compsize = safe_pad(compsize)) < 0)
1426N/A return BadLength;
1426N/A- if (compsize2 < 0)
1426N/A+ if ((compsize2 = safe_pad(compsize2)) < 0)
1426N/A return BadLength;
1426N/A- compsize = __GLX_PAD(compsize);
1426N/A- compsize2 = __GLX_PAD(compsize2);
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
1426N/A- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
1426N/A+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
1426N/A __glXClearErrorOccured();
1426N/A CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
1426N/A *(GLenum *) (pc + 4),
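Review bot: The sum passed to __GLX_GET_ANSWER_BUFFER on the last changed line is not checked the way compsize and compsize2 are a few lines above: if safe_add signals overflow with a negative result (which is what the preceding `< 0` tests assume of safe_pad), that negative size reaches the macro, and whether the macro rejects a negative size is not visible in this hunk. Adding `if (safe_add(compsize, compsize2) < 0) return BadLength;` before the macro keeps the overflow handling explicit and independent of the macro's internals. The same pattern appears in the GetSeparableFilter hunk of singlepixswap.c further down. GetSeparableFilter's body starts and continues outside this hunk.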
1426N/A@@ -249,7 +253,8 @@ int
1426N/A __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
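Review bot: A point of style: the new `ClientPtr client = cl->client;` and `REQUEST_FIXED_SIZE(xGLXSingleReq, 16);` lines replace the blank line that separated the declarations from the return, whereas the matching wrappers in singlepixswap.c keep a blank line between the declarations and the macro. Keeping that blank line here as well would make the two files' wrappers read identically and keeps declarations visually apart from the length check. The same applies to the other seven one-line wrappers in this file (the EXT, Convolution, Histogram, Minmax and ColorTable variants below).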
1426N/A
1426N/A@@ -257,7 +262,8 @@ int
1426N/A __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -323,7 +329,8 @@ int
1426N/A __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -331,7 +338,8 @@ int
1426N/A __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -390,7 +398,8 @@ int
1426N/A __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -398,7 +407,8 @@ int
1426N/A __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -450,7 +460,8 @@ int
1426N/A __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -458,7 +469,8 @@ int
1426N/A __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -517,7 +529,8 @@ int
1426N/A __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -525,6 +538,7 @@ int
1426N/A __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A-
1426N/A+ ClientPtr client = cl->client;
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/Adiff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
1426N/Aindex 8dc304f..9eff592 100644
1426N/A--- a/glx/singlepixswap.c
1426N/A+++ b/glx/singlepixswap.c
1426N/A@@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
1426N/A int error;
1426N/A char *answer, answerBuffer[200];
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
1426N/A char *answer, answerBuffer[200];
1426N/A GLint width = 0, height = 0, depth = 1;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
1426N/A
1426N/A __GLX_DECLARE_SWAP_VARIABLES;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
1426N/A+
1426N/A __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
1426N/A cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
1426N/A if (!cx) {
1426N/A@@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
1426N/A compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
1426N/A compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
1426N/A
1426N/A- if (compsize < 0)
1426N/A+ if ((compsize = safe_pad(compsize)) < 0)
1426N/A return BadLength;
1426N/A- if (compsize2 < 0)
1426N/A+ if ((compsize2 = safe_pad(compsize2)) < 0)
1426N/A return BadLength;
1426N/A- compsize = __GLX_PAD(compsize);
1426N/A- compsize2 = __GLX_PAD(compsize2);
1426N/A
1426N/A CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
1426N/A- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
1426N/A+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
1426N/A __glXClearErrorOccured();
1426N/A CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
1426N/A *(GLenum *) (pc + 4),
1426N/A@@ -285,7 +289,9 @@ int
1426N/A __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -293,7 +299,9 @@ int
1426N/A __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -367,7 +375,9 @@ int
1426N/A __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -375,7 +385,9 @@ int
1426N/A __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -441,7 +453,9 @@ int
1426N/A __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -449,7 +463,9 @@ int
1426N/A __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -507,7 +523,9 @@ int
1426N/A __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -515,7 +533,9 @@ int
1426N/A __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -581,7 +601,9 @@ int
1426N/A __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
1426N/A return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
1426N/A }
1426N/A
1426N/A@@ -589,6 +611,8 @@ int
1426N/A __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
1426N/A {
1426N/A const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
1426N/A+ ClientPtr client = cl->client;
1426N/A
1426N/A+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
1426N/A return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
1426N/A }
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom e883c170c15493ab3637c0a01890f5a7ca4e16a5 Mon Sep 17 00:00:00 2001
1426N/AFrom: Adam Jackson <ajax@redhat.com>
1426N/ADate: Mon, 10 Nov 2014 12:13:48 -0500
1426N/ASubject: [PATCH 35/40] glx: Pass remaining request length into ->varsize (v2)
1426N/A [CVE-2014-8098 8/8]
1426N/A
1426N/Av2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
1426N/A
1426N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1426N/AReviewed-by: Michal Srb <msrb@suse.com>
1426N/AReviewed-by: Andy Ritger <aritger@nvidia.com>
1426N/ASigned-off-by: Adam Jackson <ajax@redhat.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/glxcmds.c | 7 +-
1426N/A glx/glxserver.h | 2 +-
1426N/A glx/indirect_reqsize.c | 142 +++++++++++++++++++------------------
1426N/A glx/indirect_reqsize.h | 181 +++++++++++++++++++++++++++++-------------------
1426N/A glx/rensize.c | 27 +++++---
1426N/A 5 files changed, 205 insertions(+), 154 deletions(-)
1426N/A
1426N/Adiff --git a/glx/glxcmds.c b/glx/glxcmds.c
1426N/Aindex a7a5172..bd6cb8d 100644
1426N/A--- a/glx/glxcmds.c
1426N/A+++ b/glx/glxcmds.c
1426N/A@@ -2067,7 +2067,8 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
1426N/A if (entry.varsize) {
1426N/A /* variable size command */
1426N/A extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
1426N/A- client->swapped);
1426N/A+ client->swapped,
1426N/A+ left - __GLX_RENDER_HDR_SIZE);
1426N/A if (extra < 0) {
1426N/A return BadLength;
1426N/A }
1426N/A@@ -2144,6 +2145,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A if (cl->largeCmdRequestsSoFar == 0) {
1426N/A __GLXrenderSizeData entry;
1426N/A int extra = 0;
1426N/A+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
1426N/A size_t cmdlen;
1426N/A int err;
1426N/A
1426N/A@@ -2184,7 +2186,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
1426N/A ** will be in the 1st request, so it's okay to do this.
1426N/A */
1426N/A extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
1426N/A- client->swapped);
1426N/A+ client->swapped,
1426N/A+ left - __GLX_RENDER_LARGE_HDR_SIZE);
1426N/A if (extra < 0) {
1426N/A return BadLength;
1426N/A }
1426N/Adiff --git a/glx/glxserver.h b/glx/glxserver.h
1426N/Aindex 9482601..9088ec4 100644
1426N/A--- a/glx/glxserver.h
1426N/A+++ b/glx/glxserver.h
1426N/A@@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
1426N/A /*
1426N/A * Tables for computing the size of each rendering command.
1426N/A */
1426N/A-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
1426N/A+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
1426N/A
1426N/A typedef struct {
1426N/A int bytes;
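Review bot: The new third parameter of gl_proto_size_func is undocumented, and the comment above the typedef only says the tables compute the size of each rendering command. Since every implementation in indirect_reqsize.c now takes it, glxcmds.c passes the bytes left after the render header, and a negative return makes the caller answer BadLength, a comment on the typedef would pin that contract for future implementers: `/* (pc, swapped, reqlen): pc points past the render header, reqlen is the number of bytes remaining in the request after it; return the payload size, or a negative value if it cannot be trusted. */`.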
1426N/Adiff --git a/glx/indirect_reqsize.c b/glx/indirect_reqsize.c
1426N/Aindex 86ea970..1042d54 100644
1426N/A--- a/glx/indirect_reqsize.c
1426N/A+++ b/glx/indirect_reqsize.c
1426N/A@@ -31,24 +31,22 @@
1426N/A #include "indirect_size.h"
1426N/A #include "indirect_reqsize.h"
1426N/A
1426N/A-#define __GLX_PAD(x) (((x) + 3) & ~3)
1426N/A-
1426N/A #if defined(__CYGWIN__) || defined(__MINGW32__)
1426N/A #undef HAVE_ALIAS
1426N/A #endif
1426N/A #ifdef HAVE_ALIAS
1426N/A #define ALIAS2(from,to) \
1426N/A- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
1426N/A+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
1426N/A __attribute__ ((alias( # to )));
1426N/A #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
1426N/A #else
1426N/A #define ALIAS(from,to) \
1426N/A- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
1426N/A- { return __glX ## to ## ReqSize( pc, swap ); }
1426N/A+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
1426N/A+ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
1426N/A #endif
1426N/A
1426N/A int
1426N/A-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 0);
1426N/A GLenum type = *(GLenum *) (pc + 4);
1426N/A@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glCallLists_size(type);
1426N/A- return __GLX_PAD((compsize * n));
1426N/A+ return safe_pad(safe_mul(compsize, n));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 0);
1426N/A GLsizei compsize;
1426N/A@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glFogfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glLightfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 0);
1426N/A GLsizei compsize;
1426N/A@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glLightModelfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glMaterialfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glTexParameterfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glTexEnvfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glTexGendv_size(pname);
1426N/A- return __GLX_PAD((compsize * 8));
1426N/A+ return safe_pad(safe_mul(compsize, 8));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glTexGenfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei mapsize = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
1426N/A mapsize = bswap_32(mapsize);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((mapsize * 4));
1426N/A+ return safe_pad(safe_mul(mapsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei mapsize = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
1426N/A mapsize = bswap_32(mapsize);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((mapsize * 2));
1426N/A+ return safe_pad(safe_mul(mapsize, 2));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 0);
1426N/A
1426N/A@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 4) + (n * 4));
1426N/A+ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
1426N/A }
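Review bot: A point of style: both operands of safe_add on the changed line are the same product, so `return safe_pad(safe_mul(n, 8));` is equivalent and reads more directly. Keeping the two terms is reasonable if the intent is to mirror the two arrays of the request (presumably the texture names and the priorities), but then a one-line comment saying so would spare the next reader the question.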
1426N/A
1426N/A int
1426N/A-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glColorTableParameterfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = 0;
1426N/A@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 4);
1426N/A GLsizei compsize;
1426N/A@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glConvolutionParameterfv_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = *(GLint *) (pc + 8);
1426N/A@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLint row_length = *(GLint *) (pc + 4);
1426N/A GLint image_height = *(GLint *) (pc + 8);
1426N/A@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei imageSize = *(GLsizei *) (pc + 20);
1426N/A
1426N/A@@ -621,11 +619,11 @@ __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A imageSize = bswap_32(imageSize);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD(imageSize);
1426N/A+ return safe_pad(imageSize);
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei imageSize = *(GLsizei *) (pc + 24);
1426N/A
1426N/A@@ -633,11 +631,11 @@ __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A imageSize = bswap_32(imageSize);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD(imageSize);
1426N/A+ return safe_pad(imageSize);
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei imageSize = *(GLsizei *) (pc + 28);
1426N/A
1426N/A@@ -645,11 +643,11 @@ __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A imageSize = bswap_32(imageSize);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD(imageSize);
1426N/A+ return safe_pad(imageSize);
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei imageSize = *(GLsizei *) (pc + 36);
1426N/A
1426N/A@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
1426N/A imageSize = bswap_32(imageSize);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD(imageSize);
1426N/A+ return safe_pad(imageSize);
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei len = *(GLsizei *) (pc + 8);
1426N/A
1426N/A@@ -669,11 +667,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
1426N/A len = bswap_32(len);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD(len);
1426N/A+ return safe_pad(len);
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 0);
1426N/A
1426N/A@@ -681,11 +679,11 @@ __glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 4));
1426N/A+ return safe_pad((n * 4));
1426N/A }
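Review bot: `return safe_pad((n * 4));` on the last changed line keeps the raw multiplication that every other size function in this file now routes through safe_mul (for example __glXPixelMapfvReqSize and __glXVertexAttribs1dvNVReqSize): `n` is a client-supplied GLsizei, so `n * 4` can still overflow a signed int before safe_pad sees it. Use `return safe_pad(safe_mul(n, 4));` for consistency with the rest of the v2 change.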
1426N/A
1426N/A int
1426N/A-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum pname = *(GLenum *) (pc + 0);
1426N/A GLsizei compsize;
1426N/A@@ -695,11 +693,11 @@ __glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A compsize = __glPointParameterfvEXT_size(pname);
1426N/A- return __GLX_PAD((compsize * 4));
1426N/A+ return safe_pad(safe_mul(compsize, 4));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei num = *(GLsizei *) (pc + 8);
1426N/A
1426N/A@@ -707,11 +705,11 @@ __glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A num = bswap_32(num);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((num * 32));
1426N/A+ return safe_pad(safe_mul(num, 32));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei num = *(GLsizei *) (pc + 8);
1426N/A
1426N/A@@ -719,11 +717,11 @@ __glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A num = bswap_32(num);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((num * 16));
1426N/A+ return safe_pad(safe_mul(num, 16));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -731,11 +729,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 8));
1426N/A+ return safe_pad(safe_mul(n, 8));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -743,11 +741,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 16));
1426N/A+ return safe_pad(safe_mul(n, 16));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -755,11 +753,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 24));
1426N/A+ return safe_pad(safe_mul(n, 24));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -767,11 +765,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 12));
1426N/A+ return safe_pad(safe_mul(n, 12));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -779,11 +777,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 6));
1426N/A+ return safe_pad(safe_mul(n, 6));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei n = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -791,11 +789,11 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A n = bswap_32(n);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD((n * 32));
1426N/A+ return safe_pad(safe_mul(n, 32));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLsizei len = *(GLsizei *) (pc + 4);
1426N/A
1426N/A@@ -803,7 +801,7 @@ __glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
1426N/A len = bswap_32(len);
1426N/A }
1426N/A
1426N/A- return __GLX_PAD(len);
1426N/A+ return safe_pad(len);
1426N/A }
1426N/A
1426N/A ALIAS(Fogiv, Fogfv)
1426N/Adiff --git a/glx/indirect_reqsize.h b/glx/indirect_reqsize.h
1426N/Aindex 49d400c..632a85b 100644
1426N/A--- a/glx/indirect_reqsize.h
1426N/A+++ b/glx/indirect_reqsize.h
1426N/A@@ -36,128 +36,168 @@
1426N/A #define PURE
1426N/A #endif
1426N/A
1426N/A-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
1426N/A+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *
1426N/A- pc, Bool swap);
1426N/A+ pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *
1426N/A- pc, Bool swap);
1426N/A+ pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *
1426N/A- pc, Bool swap);
1426N/A+ pc, Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *
1426N/A- pc, Bool swap);
1426N/A+ pc, Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *
1426N/A- pc, Bool swap);
1426N/A+ pc, Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *
1426N/A- pc, Bool swap);
1426N/A+ pc, Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap, int reqlen);
1426N/A extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc,
1426N/A- Bool swap);
1426N/A+ Bool swap,
1426N/A+ int reqlen);
1426N/A
1426N/A #undef PURE
1426N/A
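Review bot: The new `reqlen` parameter and the -1 return convention are not documented anywhere in this header, even though every caller now has to honour both. From the rensize.c hunks in this patch, reqlen appears to be the number of request bytes available to the sizing function and -1 signals a request that must be rejected; a short block comment above the first declaration should state that contract, that the returned value is the padded byte size inferred from the request, that negative counts, arithmetic overflow and data exceeding reqlen all yield -1, and that most generated functions currently ignore reqlen. Spelling this out in the header keeps the next generated function from silently dropping the check.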
1426N/Adiff --git a/glx/rensize.c b/glx/rensize.c
1426N/Aindex d46334a..6bfe99b 100644
1426N/A--- a/glx/rensize.c
1426N/A+++ b/glx/rensize.c
1426N/A@@ -44,7 +44,7 @@
1426N/A ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
1426N/A
1426N/A int
1426N/A-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum target;
1426N/A GLint order;
1426N/A@@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum target;
1426N/A GLint order;
1426N/A@@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int minorOrder)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum target;
1426N/A GLint uorder, vorder;
1426N/A@@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A GLenum target;
1426N/A GLint uorder, vorder;
1426N/A@@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm)
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
1426N/A __GLXdispatchDrawArraysComponentHeader *compHeader;
1426N/A GLint numVertexes = hdr->numVertexes;
1426N/A GLint numComponents = hdr->numComponents;
1426N/A GLint arrayElementSize = 0;
1426N/A+ GLint x, size;
1426N/A int i;
1426N/A
1426N/A if (swap) {
1426N/A@@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
1426N/A }
1426N/A
1426N/A pc += sizeof(__GLXdispatchDrawArraysHeader);
1426N/A+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
1426N/A+
1426N/A+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
1426N/A+ numComponents);
1426N/A+ if (size < 0 || reqlen < 0 || reqlen < size)
1426N/A+ return -1;
1426N/A+
1426N/A compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
1426N/A
1426N/A for (i = 0; i < numComponents; i++) {
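Review bot: `reqlen -= sizeof(__GLXdispatchDrawArraysHeader);` subtracts a size_t from an int, so the subtraction is done unsigned and the `reqlen < 0` test below only catches a too-short request through the implementation-defined narrowing back to int. Checking before subtracting is explicit and portable: `if (reqlen < (int) sizeof(__GLXdispatchDrawArraysHeader)) return -1;` followed by `reqlen -= (int) sizeof(__GLXdispatchDrawArraysHeader);`. The rest of the guard (`size < 0 || reqlen < size`) is sound; __glXDrawArraysReqSize begins in the previous hunk.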
1426N/A@@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
1426N/A return -1;
1426N/A }
1426N/A
1426N/A- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
1426N/A+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
1426N/A+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
1426N/A+ return -1;
1426N/A
1426N/A pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
1426N/A }
1426N/A
1426N/A- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
1426N/A- (numVertexes * arrayElementSize));
1426N/A+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
1426N/A }
1426N/A
1426N/A int
1426N/A-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
1426N/A+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
1426N/A {
1426N/A __GLXdispatchConvolutionFilterHeader *hdr =
1426N/A (__GLXdispatchConvolutionFilterHeader *) pc;
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 7e7630bbb775573eea2a2335adb9d190c3e1e971 Mon Sep 17 00:00:00 2001
1426N/AFrom: Robert Morell <rmorell@nvidia.com>
1426N/ADate: Wed, 12 Nov 2014 18:51:43 -0800
1426N/ASubject: [PATCH 36/40] glx: Fix mask truncation in __glXGetAnswerBuffer
1426N/A [CVE-2014-8093 6/6]
1426N/A
1426N/AOn a system where sizeof(unsigned) != sizeof(intptr_t), the unary
1426N/Abitwise not operation will result in a mask that clears all high bits
1426N/Afrom temp_buf in the expression:
1426N/A temp_buf = (temp_buf + mask) & ~mask;
1426N/A
1426N/ASigned-off-by: Robert Morell <rmorell@nvidia.com>
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/indirect_util.c | 2 +-
1426N/A 1 file changed, 1 insertion(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/glx/indirect_util.c b/glx/indirect_util.c
1426N/Aindex de81491..9ba2815 100644
1426N/A--- a/glx/indirect_util.c
1426N/A+++ b/glx/indirect_util.c
1426N/A@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
1426N/A void *local_buffer, size_t local_size, unsigned alignment)
1426N/A {
1426N/A void *buffer = local_buffer;
1426N/A- const unsigned mask = alignment - 1;
1426N/A+ const intptr_t mask = alignment - 1;
1426N/A
1426N/A if (local_size < required_size) {
1426N/A size_t worst_case_size;
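Review bot: `const intptr_t mask = alignment - 1;` fixes the width truncation but still assumes `alignment` is a non-zero power of two, and nothing in the function checks it. Because `alignment` is `unsigned`, an alignment of 0 yields UINT_MAX, which widens to 0xFFFFFFFF rather than an all-ones intptr_t, so the rounding `temp_buf = (temp_buf + mask) & ~mask;` (outside the hunk, quoted in the commit message) would clear the low 32 bits of the address instead of being a no-op. A comment stating the precondition, `/* alignment must be a non-zero power of two */`, or an assert on `(alignment & (alignment - 1)) == 0` would make the contract visible; `uintptr_t` would also be the more natural type for a value used only in bitwise masking.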
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
1426N/AFrom: Keith Packard <keithp@keithp.com>
1426N/ADate: Tue, 9 Dec 2014 09:30:57 -0800
1426N/ASubject: [PATCH 37/40] dbe: Call to DDX SwapBuffers requires address of int,
1426N/A not unsigned int [CVE-2014-8097 pt. 2]
1426N/A
1426N/AWhen the local types used to walk the DBE request were changed, this
1426N/Achanged the type of the parameter passed to the DDX SwapBuffers API,
1426N/Abut there wasn't a matching change in the API definition.
1426N/A
1426N/AAt this point, with the API frozen, I just stuck a new variable in
1426N/Awith the correct type. Because we've already bounds-checked nStuff to
1426N/Abe smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
1426N/Afit in a signed int without overflow.
1426N/A
1426N/ASigned-off-by: Keith Packard <keithp@keithp.com
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A dbe/dbe.c | 6 ++++--
1426N/A 1 file changed, 4 insertions(+), 2 deletions(-)
1426N/A
1426N/Adiff --git a/dbe/dbe.c b/dbe/dbe.c
1426N/Aindex df2ad5c..e5d928d 100644
1426N/A--- a/dbe/dbe.c
1426N/A+++ b/dbe/dbe.c
1426N/A@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
1426N/A int error;
1426N/A unsigned int i, j;
1426N/A unsigned int nStuff;
1426N/A+ int nStuff_i; /* DDX API requires int for nStuff */
1426N/A
1426N/A REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
1426N/A nStuff = stuff->n; /* use local variable for performance. */
1426N/A@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
1426N/A * could deal with cross-screen synchronization.
1426N/A */
1426N/A
1426N/A- while (nStuff > 0) {
1426N/A+ nStuff_i = nStuff;
1426N/A+ while (nStuff_i > 0) {
1426N/A pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
1426N/A- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
1426N/A+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
1426N/A if (error != Success) {
1426N/A free(swapInfo);
1426N/A return error;
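Review bot: `nStuff_i = nStuff;` narrows an unsigned int to int without a comment explaining why that cannot overflow; the justification (nStuff was already bounded by UINT32_MAX / sizeof(DbeSwapInfoRec)) lives only in the commit message. Put it next to the conversion, `nStuff_i = nStuff; /* fits: nStuff < UINT32_MAX / sizeof(DbeSwapInfoRec), checked above */`, so a later change to that bound cannot silently invalidate it. Note also that from this point the loop and the DDX call update only `nStuff_i`, so the unsigned `nStuff` is stale and should not be read afterwards; the remainder of ProcDbeSwapBuffers is outside the hunk.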
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 61b17c0f10307e25e51e30e6fb1d3e3127f82d86 Mon Sep 17 00:00:00 2001
1426N/AFrom: Keith Packard <keithp@keithp.com>
1426N/ADate: Tue, 9 Dec 2014 09:30:58 -0800
1426N/ASubject: [PATCH 38/40] glx: Can't mix declarations and code in X.org sources
1426N/A [CVE-2014-8098 pt. 9]
1426N/A
1426N/AWe're using compiler compatibility settings which generate warnings
1426N/Awhen a variable is declared after the first statement.
1426N/A
1426N/ASigned-off-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A glx/clientinfo.c | 3 ++-
1426N/A 1 file changed, 2 insertions(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/glx/clientinfo.c b/glx/clientinfo.c
1426N/Aindex c5fef30..74ad919 100644
1426N/A--- a/glx/clientinfo.c
1426N/A+++ b/glx/clientinfo.c
1426N/A@@ -36,13 +36,14 @@ set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
1426N/A ClientPtr client = cl->client;
1426N/A char *gl_extensions;
1426N/A char *glx_extensions;
1426N/A+ int size;
1426N/A
1426N/A REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
1426N/A
1426N/A /* Verify that the size of the packet matches the size inferred from the
1426N/A * sizes specified for the various fields.
1426N/A */
1426N/A- int size = sz_xGLXSetClientInfoARBReq;
1426N/A+ size = sz_xGLXSetClientInfoARBReq;
1426N/A size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
1426N/A size = safe_add(size, safe_pad(req->numGLExtensionBytes));
1426N/A size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001
1426N/AFrom: Keith Packard <keithp@keithp.com>
1426N/ADate: Tue, 9 Dec 2014 09:30:59 -0800
1426N/ASubject: [PATCH 39/40] Missing parens in REQUEST_FIXED_SIZE macro
1426N/A [CVE-2014-8092 pt. 5]
1426N/A
1426N/AThe 'n' parameter must be surrounded by parens in both places to
1426N/Aprevent precedence from mis-computing things.
1426N/A
1426N/ASigned-off-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A include/dix.h | 2 +-
1426N/A 1 file changed, 1 insertion(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/include/dix.h b/include/dix.h
1426N/Aindex 21176a8..921156b 100644
1426N/A--- a/include/dix.h
1426N/A+++ b/include/dix.h
1426N/A@@ -80,7 +80,7 @@ SOFTWARE.
1426N/A
1426N/A #define REQUEST_FIXED_SIZE(req, n)\
1426N/A if (((sizeof(req) >> 2) > client->req_len) || \
1426N/A- ((n >> 2) >= client->req_len) || \
1426N/A+ (((n) >> 2) >= client->req_len) || \
1426N/A ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
1426N/A return(BadLength)
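Review bot: With the parentheses fixed, `n` is still expanded twice in REQUEST_FIXED_SIZE (`((n) >> 2)` and `(n) + 3`), so an argument with side effects or a costly call is evaluated twice, and the macro remains a bare `if` that returns, so `if (c) REQUEST_FIXED_SIZE(...); else ...` would bind the `else` to the macro's own `if`. Both are worth stating at the definition: `/* n is evaluated twice: pass a side-effect-free expression; expands to a bare if, do not follow with else */`. The second and third comparisons also mix the argument's signedness with `client->req_len` differently (only the last casts to uint64_t); documenting that `n` is expected to be non-negative would help.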
1426N/A
1426N/A--
1426N/A1.7.9.2
1426N/A
1426N/AFrom 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
1426N/AFrom: Keith Packard <keithp@keithp.com>
1426N/ADate: Tue, 9 Dec 2014 09:31:00 -0800
1426N/ASubject: [PATCH 40/40] dix: GetHosts bounds check using wrong pointer value
1426N/A [CVE-2014-8092 pt. 6]
1426N/A
1426N/AGetHosts saves the pointer to allocated memory in *data, and then
1426N/Awants to bounds-check writes to that region, but was mistakenly using
1426N/Aa bare 'data' instead of '*data'. Also, data is declared as void **,
1426N/Aso we need a cast to turn it into a byte pointer so we can actually do
1426N/Apointer comparisons.
1426N/A
1426N/ASigned-off-by: Keith Packard <keithp@keithp.com>
1426N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1426N/A---
1426N/A os/access.c | 2 +-
1426N/A 1 file changed, 1 insertion(+), 1 deletion(-)
1426N/A
1426N/Adiff --git a/os/access.c b/os/access.c
1426N/Aindex f393c8d..28f2d32 100644
1426N/A--- a/os/access.c
1426N/A+++ b/os/access.c
1426N/A@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
1426N/A }
1426N/A for (host = validhosts; host; host = host->next) {
1426N/A len = host->len;
1426N/A- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
1426N/A+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
1426N/A break;
1426N/A ((xHostEntry *) ptr)->family = host->family;
1426N/A ((xHostEntry *) ptr)->length = len;
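Review bot: The corrected check still forms `ptr + sizeof(xHostEntry) + len` before comparing, and for an entry that does not fit that is a pointer beyond the end of the `*data` allocation; in C, merely computing such a pointer is undefined, so comparing remaining bytes is the safer form: `if (sizeof(xHostEntry) + len > (size_t)(((unsigned char *) *data + n) - ptr)) break;`. This assumes `ptr` is an unsigned char * walking `*data` and `len` is non-negative, which the hunk suggests but does not show; the declarations and the rest of GetHosts are outside the hunk.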
1426N/A--
1426N/A1.7.9.2
1426N/A