[PATCH 5/5] glx: validate numAttribs field before using it

Julien Cristau Mon, 03 Jan 2011 12:14:28 -0800

Signed-off-by: Julien Cristau <[email protected]>
---
 glx/glxcmds.c     |   25 +++++++++++++++++++++++++
 glx/glxcmdsswap.c |   20 ++++++++++++++++++++
 2 files changed, 45 insertions(+), 0 deletions(-)


diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 566dbbe..3ef567d 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1283,6 +1283,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte 
*pc)
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
 
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1396,6 +1401,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte 
*pc)
     CARD32                     *attrs;
     int                                 width, height, i;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
 
     attrs = (CARD32 *) (req + 1);
@@ -1483,6 +1493,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState 
*cl, GLbyte *pc)
     xGLXChangeDrawableAttributesReq *req =
        (xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1495,6 +1510,11 @@ int 
__glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXChangeDrawableAttributesSGIXReq *req =
        (xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 
3);
 
     return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1510,6 +1530,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte 
*pc)
     DrawablePtr                 pDraw;
     int                         err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
 
     LEGAL_NEW_RESOURCE(req->glxwindow, client);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 87bf75b..3bb4cad 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -319,6 +319,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, 
GLbyte *pc)
     __GLX_SWAP_INT(&req->glxpixmap);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -400,6 +404,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, 
GLbyte *pc)
     __GLX_SWAP_INT(&req->pbuffer);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -464,6 +472,10 @@ int 
__glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -486,6 +498,10 @@ int 
__glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 
3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -509,6 +525,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, 
GLbyte *pc)
     __GLX_SWAP_INT(&req->glxwindow);
     __GLX_SWAP_INT(&req->numAttribs);
 
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+       client->errorValue = req->numAttribs;
+       return BadValue;
+    }
     REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
     __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
-- 
1.7.2.3

_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

[PATCH 5/5] glx: validate numAttribs field before using it

Reply via email to