Hello community, here is the log from the commit of package xorg-x11-server for openSUSE:11.4 checked in at Tue Feb 7 17:25:06 CET 2012.
-------- --- old-versions/11.4/UPDATES/all/xorg-x11-server/xorg-x11-server.changes 2011-05-30 17:26:35.000000000 +0200 +++ 11.4/xorg-x11-server/xorg-x11-server.changes 2012-02-06 15:50:34.000000000 +0100 @@ -1,0 +2,15 @@ +Mon Feb 6 14:50:06 UTC 2012 - sndir...@suse.com + +- U_01-glx-make-sure-screen-is-non-negative-in-validGlxScreen.patch + U_02-glx-validate-request-lengths.patch + U_03-glx-check-request-length-before-swapping.patch + U_04-glx-swap-the-request-arrays-entirely-not-just-half-of-them.patch + U_05-glx-validate-numAttribs-field-before-using-it.patch + U_06-glx-fix-request-length-check-for-CreateGLXPbufferSGIX.patch + U_07-glx-fix-BindTexImageEXT-length-check.patch + U_08-glx-Work-around-wrong-request-lengths-sent-by-mesa.patch: + Check GLX requests for correct size to avoid access to arbitrary + memory locations. + CVE-2010-4818, bnc #648287. + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- U_01-glx-make-sure-screen-is-non-negative-in-validGlxScreen.patch U_02-glx-validate-request-lengths.patch U_03-glx-check-request-length-before-swapping.patch U_04-glx-swap-the-request-arrays-entirely-not-just-half-of-them.patch U_05-glx-validate-numAttribs-field-before-using-it.patch U_06-glx-fix-request-length-check-for-CreateGLXPbufferSGIX.patch U_07-glx-fix-BindTexImageEXT-length-check.patch U_08-glx-Work-around-wrong-request-lengths-sent-by-mesa.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ --- /var/tmp/diff_new_pack.2bwXEp/_old 2012-02-07 17:24:33.000000000 +0100 +++ /var/tmp/diff_new_pack.2bwXEp/_new 2012-02-07 17:24:33.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package xorg-x11-server # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,7 +32,7 @@ %endif Url: http://xorg.freedesktop.org/ Version: 7.6_%{dirsuffix} -Release: 15.<RELEASE24> +Release: 15.<RELEASE26> License: GPLv2+ ; MIT License (or similar) BuildRoot: %{_tmppath}/%{name}-%{version}-build Group: System/X11/Servers/XF86_4 @@ -123,6 +123,14 @@ Patch224: pad-size-of-system-memory-copy-for-1x1-pixmaps Patch225: xorg-server-stop-cpu-eating.diff Patch226: EXA-mixed-ModifyPixmapHeader-pitch-fixes.-bug-33929.patch +Patch227: U_01-glx-make-sure-screen-is-non-negative-in-validGlxScreen.patch +Patch228: U_02-glx-validate-request-lengths.patch +Patch229: U_03-glx-check-request-length-before-swapping.patch +Patch230: U_04-glx-swap-the-request-arrays-entirely-not-just-half-of-them.patch +Patch231: U_05-glx-validate-numAttribs-field-before-using-it.patch +Patch232: U_06-glx-fix-request-length-check-for-CreateGLXPbufferSGIX.patch +Patch233: U_07-glx-fix-BindTexImageEXT-length-check.patch +Patch234: U_08-glx-Work-around-wrong-request-lengths-sent-by-mesa.patch %if %moblin Patch300: moblin-use_preferred_mode_for_all_outputs.diff %endif @@ -257,6 +265,14 @@ %patch224 -p1 %patch225 -p1 %patch226 -p1 +%patch227 -p1 +%patch228 -p1 +%patch229 -p1 +%patch230 -p1 +%patch231 -p1 +%patch232 -p1 +%patch233 -p1 +%patch234 -p1 %if %moblin %patch300 -p1 %endif ++++++ U_01-glx-make-sure-screen-is-non-negative-in-validGlxScreen.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Sat Jul 3 19:42:26 2010 +0100 Subject: [PATCH] glx: make sure screen is non-negative in validGlxScreen Patch-Mainline: Upstream Git-commit: 3f0d3f4d97bce75c1828635c322b6560a45a037f References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> Reviewed-by: Adam Jackson <a...@redhat.com> Reviewed-by: Kristian Høgsberg <k...@bitplanet.net> Reviewed-by: Daniel Stone <dan...@fooishbar.org> Signed-off-by: Julien Cristau <jcris...@debian.org> --- glx/glxcmds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- xorg-server-1.6.5.orig/glx/glxcmds.c +++ xorg-server-1.6.5/glx/glxcmds.c @@ -65,7 +65,7 @@ validGlxScreen(ClientPtr client, int scr /* ** Check if screen exists. */ - if (screen >= screenInfo.numScreens) { + if (screen < 0 || screen >= screenInfo.numScreens) { client->errorValue = screen; *err = BadValue; return FALSE; ++++++ U_02-glx-validate-request-lengths.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Sat Jul 3 19:47:55 2010 +0100 Subject: [PATCH] glx: validate request lengths Patch-Mainline: Upstream Git-commit: ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> Reviewed-by: Adam Jackson <a...@redhat.com> Reviewed-by: Kristian Høgsberg <k...@bitplanet.net> Reviewed-by: Daniel Stone <dan...@fooishbar.org> Signed-off-by: Julien Cristau <jcris...@debian.org> --- xorg-server-1.6.5.orig/glx/xfont.c +++ xorg-server-1.6.5/glx/xfont.c @@ -161,6 +161,8 @@ int __glXDisp_UseXFont(__GLXclientState __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXUseXFontReq); + req = (xGLXUseXFontReq *) pc; cx = __glXForceCurrent(cl, req->contextTag, &error); if (!cx) { --- xorg-server-1.9.3/glx/glxcmds.c.orig 2012-02-06 14:45:15.000000000 +0100 +++ xorg-server-1.9.3/glx/glxcmds.c 2012-02-06 15:09:00.000000000 +0100 @@ -315,11 +315,14 @@ DoCreateContext(__GLXclientState *cl, GL int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -331,11 +334,14 @@ int __glXDisp_CreateContext(__GLXclientS int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -347,12 +353,15 @@ int __glXDisp_CreateNewContext(__GLXclie int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -372,6 +372,7 @@ int __glXDisp_CreateContextWithConfigSGI } int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLXcontext *glxc; int err; @@ -367,6 +376,8 @@ int __glXDisp_DestroyContext(__GLXclient __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + if (!validGlxContext(cl->client, req->context, DixDestroyAccess, &glxc, &err)) return err; @@ -686,24 +697,33 @@ DoMakeCurrent(__GLXclientState *cl, int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->drawable, req->context, req->oldContextTag ); } int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + return DoMakeCurrent( cl, req->drawable, req->readdrawable, req->context, req->oldContextTag ); } int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + return DoMakeCurrent( cl, req->drawable, req->readable, req->context, req->oldContextTag ); } @@ -716,6 +736,8 @@ int __glXDisp_IsDirect(__GLXclientState __GLXcontext *glxc; int err; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err)) return err; @@ -740,6 +762,8 @@ int __glXDisp_QueryVersion(__GLXclientSt xGLXQueryVersionReply reply; GLuint major, minor; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + major = req->majorVersion; minor = req->minorVersion; (void)major; @@ -766,11 +790,15 @@ int __glXDisp_QueryVersion(__GLXclientSt int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -790,11 +818,15 @@ int __glXDisp_WaitGL(__GLXclientState *c int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *)pc; - GLXContextTag tag = req->contextTag; + GLXContextTag tag; __GLXcontext *glxc = NULL; int error; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + + tag = req->contextTag; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) @@ -814,13 +846,21 @@ int __glXDisp_CopyContext(__GLXclientSta { ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; - GLXContextID source = req->source; - GLXContextID dest = req->dest; - GLXContextTag tag = req->contextTag; - unsigned long mask = req->mask; + GLXContextID source; + GLXContextID dest; + GLXContextTag tag; + unsigned long mask; + __GLXcontext *src, *dst; int error; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + + source = req->source; + dest = req->dest; + tag = req->contextTag; + mask = req->mask; + if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error)) return error; if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error)) @@ -903,6 +943,8 @@ int __glXDisp_GetVisualConfigs(__GLXclie __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; @@ -1082,13 +1124,17 @@ DoGetFBConfigs(__GLXclientState *cl, uns int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); return DoGetFBConfigs(cl, req->screen); } int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } @@ -1214,11 +1260,14 @@ determineTextureTarget(ClientPtr client, int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err)) @@ -1230,11 +1279,14 @@ int __glXDisp_CreateGLXPixmap(__GLXclien int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1253,12 +1305,15 @@ int __glXDisp_CreatePixmap(__GLXclientSt int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapWithConfigSGIXReq *req = (xGLXCreateGLXPixmapWithConfigSGIXReq *) pc; __GLXconfig *config; __GLXscreen *pGlxScreen; int err; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq); + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) return err; if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err)) @@ -1285,15 +1340,21 @@ static int DoDestroyDrawable(__GLXclient int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1332,10 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int sc int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc; CARD32 *attrs; int width, height, i; + REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); + attrs = (CARD32 *) (req + 1); width = 0; height = 0; @@ -1361,23 +1425,32 @@ int __glXDisp_CreatePbuffer(__GLXclientS int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); } int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq); + return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER); } @@ -1408,18 +1481,24 @@ DoChangeDrawableAttributes(ClientPtr cli int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); + return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); } @@ -1433,6 +1512,8 @@ int __glXDisp_CreateWindow(__GLXclientSt DrawablePtr pDraw; int err; + REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); + LEGAL_NEW_RESOURCE(req->glxwindow, client); if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) @@ -1456,8 +1537,11 @@ int __glXDisp_CreateWindow(__GLXclientSt int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; + REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } @@ -1473,12 +1557,16 @@ int __glXDisp_SwapBuffers(__GLXclientSta { ClientPtr client = cl->client; xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc; - GLXContextTag tag = req->contextTag; - XID drawId = req->drawable; + GLXContextTag tag; + XID drawId; __GLXcontext *glxc = NULL; __GLXdrawable *pGlxDraw; int error; + REQUEST_SIZE_MATCH(xGLXSwapBuffersReq); + + tag = req->contextTag; + drawId = req->drawable; if (tag) { glxc = __glXLookupContextByTag(cl, tag); if (!glxc) { @@ -1559,15 +1647,21 @@ DoQueryContext(__GLXclientState *cl, GLX int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq); + return DoQueryContext(cl, req->context); } int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc; + REQUEST_SIZE_MATCH(xGLXQueryContextReq); + return DoQueryContext(cl, req->context); } @@ -1581,6 +1675,8 @@ int __glXDisp_BindTexImageEXT(__GLXclien int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1615,6 +1711,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXcl int buffer; int error; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1650,6 +1748,8 @@ int __glXDisp_CopySubBufferMESA(__GLXcli (void) client; (void) req; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); @@ -1738,16 +1838,22 @@ DoGetDrawableAttributes(__GLXclientState int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + return DoGetDrawableAttributes(cl, req->drawable); } int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesSGIXReq *req = (xGLXGetDrawableAttributesSGIXReq *)pc; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq); + return DoGetDrawableAttributes(cl, req->drawable); } @@ -1772,6 +1878,8 @@ int __glXDisp_Render(__GLXclientState *c __GLXcontext *glxc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderReq); + req = (xGLXRenderReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -1792,6 +1900,9 @@ int __glXDisp_Render(__GLXclientState *c __GLXdispatchRenderProcPtr proc; int err; + if (left < sizeof(__GLXrenderHeader)) + return BadLength; + /* ** Verify that the header length and the overall length agree. ** Also, each command must be word aligned. @@ -2302,10 +2413,12 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXc int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2321,10 +2434,12 @@ int __glXDisp_VendorPrivate(__GLXclientS int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLint vendorcode = req->vendorCode; __GLXdispatchVendorPrivProcPtr proc; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); proc = (__GLXdispatchVendorPrivProcPtr) __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info, @@ -2347,6 +2462,8 @@ int __glXDisp_QueryExtensionsString(__GL char *buf; int err; + REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2386,6 +2503,8 @@ int __glXDisp_QueryServerString(__GLXcli int err; char ver_str[16]; + REQUEST_SIZE_MATCH(xGLXQueryServerStringReq); + if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) return err; @@ -2433,13 +2552,19 @@ int __glXDisp_QueryServerString(__GLXcli int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc; const char *buf; + + REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq); + + buf = (const char *)(req+1); + if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq))) + return BadLength; cl->GLClientmajorVersion = req->major; cl->GLClientminorVersion = req->minor; free(cl->GLClientextensions); - buf = (const char *)(req+1); cl->GLClientextensions = strdup(buf); return Success; ++++++ U_03-glx-check-request-length-before-swapping.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Sun Aug 22 00:50:05 2010 +0100 Subject: [PATCH] glx: check request length before swapping Patch-Mainline: Upstream Git-commit: 6c69235a9dfc52e4b4e47630ff4bab1a820eb543 References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> Reviewed-by: Kristian Høgsberg <k...@bitplanet.net> Reviewed-by: Daniel Stone <dan...@fooishbar.org> Signed-off-by: Julien Cristau <jcris...@debian.org> --- xorg-server-1.9.3/glx/glxcmdsswap.c.orig 2010-03-23 18:35:57.000000000 +0100 +++ xorg-server-1.9.3/glx/glxcmdsswap.c 2012-02-06 15:21:28.000000000 +0100 @@ -61,9 +61,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->visual); @@ -75,9 +78,12 @@ int __glXDispSwap_CreateContext(__GLXcli int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->fbconfig); @@ -90,10 +96,13 @@ int __glXDispSwap_CreateNewContext(__GLX int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->fbconfig); @@ -106,9 +115,12 @@ int __glXDispSwap_CreateContextWithConfi int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -117,9 +129,12 @@ int __glXDispSwap_DestroyContext(__GLXcl int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->context); @@ -130,9 +145,12 @@ int __glXDispSwap_MakeCurrent(__GLXclien int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->readdrawable); @@ -144,9 +162,12 @@ int __glXDispSwap_MakeContextCurrent(__G int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->readable); @@ -158,9 +179,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__G int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -169,9 +193,12 @@ int __glXDispSwap_IsDirect(__GLXclientSt int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->majorVersion); __GLX_SWAP_INT(&req->minorVersion); @@ -181,9 +208,12 @@ int __glXDispSwap_QueryVersion(__GLXclie int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -192,9 +222,12 @@ int __glXDispSwap_WaitGL(__GLXclientStat int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -203,9 +236,12 @@ int __glXDispSwap_WaitX(__GLXclientState int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->source); __GLX_SWAP_INT(&req->dest); @@ -216,36 +252,48 @@ int __glXDispSwap_CopyContext(__GLXclien int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetVisualConfigs(cl, pc); } int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigs(cl, pc); } int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigsSGIX(cl, pc); } int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->visual); @@ -257,17 +305,22 @@ int __glXDispSwap_CreateGLXPixmap(__GLXc int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; CARD32 *attribs; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->pixmap); __GLX_SWAP_INT(&req->glxpixmap); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -276,10 +329,13 @@ int __glXDispSwap_CreatePixmap(__GLXclie int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapWithConfigSGIXReq *req = (xGLXCreateGLXPixmapWithConfigSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); @@ -291,9 +347,12 @@ int __glXDispSwap_CreateGLXPixmapWithCon int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); @@ -302,9 +361,12 @@ int __glXDispSwap_DestroyGLXPixmap(__GLX int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); @@ -313,9 +375,12 @@ int __glXDispSwap_DestroyPixmap(__GLXcli int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryContextReq); + __GLX_SWAP_INT(&req->context); return __glXDisp_QueryContext(cl, pc); @@ -323,15 +388,20 @@ int __glXDispSwap_QueryContext(__GLXclie int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq); + __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->pbuffer); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -340,9 +410,12 @@ int __glXDispSwap_CreatePbuffer(__GLXcli int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->pbuffer); @@ -354,9 +427,12 @@ int __glXDispSwap_CreateGLXPbufferSGIX(_ int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + __GLX_SWAP_INT(&req->pbuffer); return __glXDisp_DestroyPbuffer(cl, pc); @@ -366,22 +442,31 @@ int __glXDispSwap_DestroyGLXPbufferSGIX( { xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + ClientPtr client = cl->client; __GLX_SWAP_INT(&req->pbuffer); + REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq); + + __GLX_SWAP_INT(&req->pbuffer); return __glXDisp_DestroyGLXPbufferSGIX(cl, pc); } int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq); + __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -391,14 +476,19 @@ int __glXDispSwap_ChangeDrawableAttribut int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq); + __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -407,16 +497,21 @@ int __glXDispSwap_ChangeDrawableAttribut int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateWindowReq *req = (xGLXCreateWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; __GLX_DECLARE_SWAP_ARRAY_VARIABLES; CARD32 *attribs; + REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq); + __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); __GLX_SWAP_INT(&req->window); __GLX_SWAP_INT(&req->glxwindow); __GLX_SWAP_INT(&req->numAttribs); + + REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); @@ -425,9 +520,12 @@ int __glXDispSwap_CreateWindow(__GLXclie int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + __GLX_SWAP_INT(&req->glxwindow); return __glXDisp_DestroyWindow(cl, pc); @@ -435,9 +533,12 @@ int __glXDispSwap_DestroyWindow(__GLXcli int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSwapBuffersReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(&req->drawable); @@ -447,9 +548,12 @@ int __glXDispSwap_SwapBuffers(__GLXclien int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXUseXFontReq *req = (xGLXUseXFontReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXUseXFontReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(&req->font); @@ -463,9 +567,12 @@ int __glXDispSwap_UseXFont(__GLXclientSt int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); @@ -474,9 +581,12 @@ int __glXDispSwap_QueryExtensionsString( int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryServerStringReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->name); @@ -486,9 +596,12 @@ int __glXDispSwap_QueryServerString(__GL int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXClientInfoReq *req = (xGLXClientInfoReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->major); __GLX_SWAP_INT(&req->minor); @@ -499,9 +612,12 @@ int __glXDispSwap_ClientInfo(__GLXclient int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -510,12 +626,14 @@ int __glXDispSwap_QueryContextInfoEXT(__ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); @@ -531,12 +649,14 @@ int __glXDispSwap_BindTexImageEXT(__GLXc int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); @@ -552,12 +672,14 @@ int __glXDispSwap_ReleaseTexImageEXT(__G int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20); + (void) drawId; (void) buffer; @@ -577,11 +699,13 @@ int __glXDispSwap_CopySubBufferMESA(__GL int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req = (xGLXVendorPrivateWithReplyReq *)pc; CARD32 *data; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq); + data = (CARD32 *) (req + 1); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -592,10 +716,12 @@ int __glXDispSwap_GetDrawableAttributesS int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; - __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); ++++++ U_04-glx-swap-the-request-arrays-entirely-not-just-half-of-them.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Sun Aug 22 16:20:45 2010 +0100 Subject: [PATCH] glx: swap the request arrays entirely, not just half of them Patch-Mainline: Upstream Git-commit: 62319e8381ebd645ae36b25e5fc3c0e9b098387b References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> Various glx requests include a list of pairs of attributes. We were only swapping the first half. Reviewed-by: Kristian Høgsberg <k...@bitplanet.net> Reviewed-by: Daniel Stone <dan...@fooishbar.org> Signed-off-by: Julien Cristau <jcris...@debian.org> --- glx/glxcmdsswap.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- xorg-server-1.6.5.orig/glx/glxcmdsswap.c +++ xorg-server-1.6.5/glx/glxcmdsswap.c @@ -324,7 +324,7 @@ int __glXDispSwap_CreatePixmap(__GLXclie REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreatePixmap(cl, pc); } @@ -405,7 +405,7 @@ int __glXDispSwap_CreatePbuffer(__GLXcli REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreatePbuffer(cl, pc); } @@ -470,7 +470,7 @@ int __glXDispSwap_ChangeDrawableAttribut REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_ChangeDrawableAttributes(cl, pc); } @@ -492,7 +492,7 @@ int __glXDispSwap_ChangeDrawableAttribut REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc); } @@ -515,7 +515,7 @@ int __glXDispSwap_CreateWindow(__GLXclie REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreateWindow(cl, pc); } ++++++ U_05-glx-validate-numAttribs-field-before-using-it.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Wed Nov 10 22:39:54 2010 +0100 Subject: [PATCH] glx: validate numAttribs field before using it Patch-Mainline: Upstream Git-commit: d9225b9602c85603ae616a7381c784f5cf5e811c References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> Reviewed-by: Kristian Høgsberg <k...@bitplanet.net> Reviewed-by: Daniel Stone <dan...@fooishbar.org> Signed-off-by: Julien Cristau <jcris...@debian.org> --- xorg-server-1.6.5.orig/glx/glxcmdsswap.c +++ xorg-server-1.6.5/glx/glxcmdsswap.c @@ -322,6 +322,10 @@ int __glXDispSwap_CreatePixmap(__GLXclie __GLX_SWAP_INT(&req->glxpixmap); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -403,6 +407,10 @@ int __glXDispSwap_CreatePbuffer(__GLXcli __GLX_SWAP_INT(&req->pbuffer); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -468,6 +476,10 @@ int __glXDispSwap_ChangeDrawableAttribut __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -490,6 +502,10 @@ int __glXDispSwap_ChangeDrawableAttribut __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -513,6 +529,10 @@ int __glXDispSwap_CreateWindow(__GLXclie __GLX_SWAP_INT(&req->glxwindow); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); --- xorg-server-1.9.3/glx/glxcmds.c.orig 2012-02-06 15:24:13.000000000 +0100 +++ xorg-server-1.9.3/glx/glxcmds.c 2012-02-06 15:26:23.000000000 +0100 @@ -1285,6 +1285,11 @@ int __glXDisp_CreatePixmap(__GLXclientSt __GLXscreen *pGlxScreen; int err; + REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) @@ -1398,6 +1403,11 @@ int __glXDisp_CreatePbuffer(__GLXclientS CARD32 *attrs; int width, height, i; + REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attrs = (CARD32 *) (req + 1); @@ -1485,6 +1495,11 @@ int __glXDisp_ChangeDrawableAttributes(_ xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); return DoChangeDrawableAttributes(cl->client, req->drawable, @@ -1497,6 +1512,11 @@ int __glXDisp_ChangeDrawableAttributesSG xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); return DoChangeDrawableAttributes(cl->client, req->drawable, @@ -1512,6 +1532,11 @@ int __glXDisp_CreateWindow(__GLXclientSt DrawablePtr pDraw; int err; + REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); LEGAL_NEW_RESOURCE(req->glxwindow, client); ++++++ U_06-glx-fix-request-length-check-for-CreateGLXPbufferSGIX.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Sun Jan 23 17:05:26 2011 +0100 Subject: [PATCH] glx: fix request length check for CreateGLXPbufferSGIX Patch-Mainline: Upstream Git-commit: a883cf1545abd89bb2cadfa659718884b56fd234 References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> The request is followed by an attribute list. Signed-off-by: Julien Cristau <jcris...@debian.org> Reviewed-by: Adam Jackson <a...@redhat.com> --- glx/glxcmds.c | 2 +- glx/glxcmdsswap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- xorg-server-1.6.5.orig/glx/glxcmds.c +++ xorg-server-1.6.5/glx/glxcmds.c @@ -1411,7 +1411,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLX ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; - REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq); return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); --- xorg-server-1.6.5.orig/glx/glxcmdsswap.c +++ xorg-server-1.6.5/glx/glxcmdsswap.c @@ -424,7 +424,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(_ xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); ++++++ U_07-glx-fix-BindTexImageEXT-length-check.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Wed Jan 26 13:06:53 2011 +0100 Subject: [PATCH] glx: fix BindTexImageEXT length check Patch-Mainline: Upstream Git-commit: 1137c11be0f82049d28024eaf963c6f76e0d4334 References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> The request is followed by a list of attributes. X.Org bug#33449 Reported-and-tested-by: meng <mengmeng.m...@intel.com> Signed-off-by: Julien Cristau <jcris...@debian.org> Reviewed-by: Adam Jackson <a...@redhat.com> --- glx/glxcmds.c | 10 +++++++++- glx/glxcmdsswap.c | 6 +++++- 2 files changed, 14 insertions(+), 2 deletions(-) --- xorg-server-1.6.5.orig/glx/glxcmds.c +++ xorg-server-1.6.5/glx/glxcmds.c @@ -1668,13 +1668,21 @@ int __glXDisp_BindTexImageEXT(__GLXclien GLXDrawable drawId; int buffer; int error; + CARD32 num_attribs; - REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len) + return BadLength; pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); buffer = *((INT32 *) (pc + 4)); + num_attribs = *((CARD32 *) (pc + 8)); + if (num_attribs > (UINT32_MAX >> 3)) { + client->errorValue = num_attribs; + return BadValue; + } + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3)); if (buffer != GLX_FRONT_LEFT_EXT) return __glXError(GLXBadPixmap); --- xorg-server-1.6.5.orig/glx/glxcmdsswap.c +++ xorg-server-1.6.5/glx/glxcmdsswap.c @@ -652,19 +652,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXc xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; + CARD32 *num_attribs; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len) + return BadLength; pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); buffer = ((int *) (pc + 4)); + num_attribs = ((CARD32 *) (pc + 8)); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(drawId); __GLX_SWAP_INT(buffer); + __GLX_SWAP_INT(num_attribs); return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc); } ++++++ U_08-glx-Work-around-wrong-request-lengths-sent-by-mesa.patch ++++++ From: Julien Cristau <jcris...@debian.org> Date: Sun Jan 23 13:35:54 2011 +0100 Subject: [PATCH] glx: Work around wrong request lengths sent by mesa Patch-Mainline: Upstream Git-commit: 402b329c3aa8ddbebaa1f593306a02d4cd6fed26 References: bnc #648278, CVE-2010-4818 Signed-off-by: Egbert Eich <e...@suse.de> mesa used to send too long requests for GLXDestroyPixmap, GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes and GLXGetFBConfigsSGIX. Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324> Reported-by: xunx.f...@intel.com Signed-off-by: Julien Cristau <jcris...@debian.org> Reviewed-by: Adam Jackson <a...@redhat.com> --- glx/glxcmds.c | 19 +++++++++++++++---- glx/glxcmdsswap.c | 12 +++++++----- 2 files changed, 22 insertions(+), 9 deletions(-) --- xorg-server-1.6.5.orig/glx/glxcmds.c +++ xorg-server-1.6.5/glx/glxcmds.c @@ -1113,7 +1113,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclie { ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; - REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + /* work around mesa bug, don't use REQUEST_SIZE_MATCH */ + REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } @@ -1341,7 +1342,9 @@ int __glXDisp_DestroyPixmap(__GLXclientS ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; - REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set + * length to 3 instead of 2 */ + REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq); return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1470,7 +1473,13 @@ int __glXDisp_ChangeDrawableAttributes(_ client->errorValue = req->numAttribs; return BadValue; } +#if 0 + /* mesa sends an additional 8 bytes */ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); +#else + if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) + return BadLength; +#endif return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); @@ -1532,7 +1541,8 @@ int __glXDisp_DestroyWindow(__GLXclientS ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; - REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */ + REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq); return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } @@ -1849,7 +1859,8 @@ int __glXDisp_GetDrawableAttributes(__GL ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; - REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */ + REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq); return DoGetDrawableAttributes(cl, req->drawable); } --- xorg-server-1.6.5.orig/glx/glxcmdsswap.c +++ xorg-server-1.6.5/glx/glxcmdsswap.c @@ -282,7 +282,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLX xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq); __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigsSGIX(cl, pc); @@ -371,7 +371,7 @@ int __glXDispSwap_DestroyPixmap(__GLXcli xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); @@ -480,7 +480,9 @@ int __glXDispSwap_ChangeDrawableAttribut client->errorValue = req->numAttribs; return BadValue; } - REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) + return BadLength; + attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -546,7 +548,7 @@ int __glXDispSwap_DestroyWindow(__GLXcli xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq); __GLX_SWAP_INT(&req->glxwindow); @@ -746,7 +748,7 @@ int __glXDispSwap_GetDrawableAttributes( xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
