Coverity complains that the computed sizes can lead to negative lengths passed to memcpy. If that happens we've been handed invalid arguments anyway, so just bomb out.
The funky "0%s" is because the size string for the variable-length part of the request is of the form "+ safe_pad() ...", and a unary + would coerce the result to always be positive, defeating the overflow check. Signed-off-by: Adam Jackson <[email protected]> --- src/mapi/glapi/gen/glX_proto_send.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/mapi/glapi/gen/glX_proto_send.py b/src/mapi/glapi/gen/glX_proto_send.py index 10abcff..26e7ab6 100644 --- a/src/mapi/glapi/gen/glX_proto_send.py +++ b/src/mapi/glapi/gen/glX_proto_send.py @@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr ) if name != None and name not in f.glx_vendorpriv_names: print '#endif' + if f.command_variable_length() != "": + print " if (0%s < 0) {" % f.command_variable_length() + print " __glXSetError(gc, GL_INVALID_VALUE);" + if f.return_type != 'void': + print " return 0;" + else: + print " return;" + print " }" + condition_list = [] for p in f.parameterIterateCounters(): condition_list.append( "%s >= 0" % (p.name) ) -- 2.7.4 _______________________________________________ mesa-dev mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-dev
