Module Name: xsrc
Committed By: snj
Date: Tue Dec 9 19:36:58 UTC 2014
Modified Files:
xsrc/external/mit/xorg-server/dist [netbsd-7]: configure configure.ac
xsrc/external/mit/xorg-server/dist/Xext [netbsd-7]: xcmisc.c xvdisp.c
xsrc/external/mit/xorg-server/dist/Xi [netbsd-7]: chgdctl.c chgfctl.c
sendexev.c xiallowev.c xichangecursor.c xichangehierarchy.c
xigetclientpointer.c xigrabdev.c xipassivegrab.c xiproperty.c
xiquerydevice.c xiquerypointer.c xiselectev.c xisetclientpointer.c
xisetdevfocus.c xiwarppointer.c
xsrc/external/mit/xorg-server/dist/dbe [netbsd-7]: dbe.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-7]: dispatch.c region.c
xsrc/external/mit/xorg-server/dist/glx [netbsd-7]: glxcmds.c
glxcmdsswap.c glxserver.h indirect_program.c indirect_reqsize.c
indirect_reqsize.h indirect_texture_compression.c indirect_util.c
rensize.c single2.c single2swap.c singlepix.c singlepixswap.c
swap_interval.c unpack.h
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2 [netbsd-7]:
dri2ext.c
xsrc/external/mit/xorg-server/dist/include [netbsd-7]: dix.h
regionstr.h
xsrc/external/mit/xorg-server/dist/os [netbsd-7]: access.c rpcauth.c
xsrc/external/mit/xorg-server/dist/randr [netbsd-7]: rrsdispatch.c
xsrc/external/mit/xorg-server/dist/render [netbsd-7]: render.c
xsrc/external/mit/xorg-server/dist/test [netbsd-7]: Makefile.am
xsrc/external/mit/xorg-server/dist/test/xi2 [netbsd-7]:
protocol-xigetclientpointer.c protocol-xiquerypointer.c
protocol-xiwarppointer.c
xsrc/external/mit/xorg-server/dist/xfixes [netbsd-7]: select.c
Added Files:
xsrc/external/mit/xorg-server/dist/test/xi1 [netbsd-7]: Makefile.am
protocol-xchangedevicecontrol.c
Log Message:
Apply patch (requested by mrg in ticket #308):
apply fixes for X.Org Security Advisory: Dec. 9, 2014
Protocol handling issues in X Window System servers
included are fixes for:
denial of service due to unchecked malloc in client authentication
CVE-2014-8091
integer overflows calculating memory needs for requests
CVE-2014-8092
CVE-2014-8093
CVE-2014-8094
out of bounds access due to not validating length or offset values in requests
CVE-2014-8095
CVE-2014-8096
CVE-2014-8097
CVE-2014-8098
CVE-2014-8099
CVE-2014-8100
CVE-2014-8101
CVE-2014-8102
CVE-2014-8103
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.9 -r1.1.1.9.4.1 \
xsrc/external/mit/xorg-server/dist/configure \
xsrc/external/mit/xorg-server/dist/configure.ac
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.10.1 \
xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c
cvs rdiff -u -r1.4 -r1.4.4.1 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c \
xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c \
xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.10.1 \
xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c \
xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c \
xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c \
xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c \
xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \
xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c \
xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.10.1 \
xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c \
xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c \
xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c \
xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c \
xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.10.1 \
xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.10.1 \
xsrc/external/mit/xorg-server/dist/dbe/dbe.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.4.1 \
xsrc/external/mit/xorg-server/dist/dix/dispatch.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.10.1 \
xsrc/external/mit/xorg-server/dist/dix/region.c
cvs rdiff -u -r1.6 -r1.6.10.1 \
xsrc/external/mit/xorg-server/dist/glx/glxcmds.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c \
xsrc/external/mit/xorg-server/dist/glx/glxserver.h \
xsrc/external/mit/xorg-server/dist/glx/single2.c \
xsrc/external/mit/xorg-server/dist/glx/unpack.h
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.10.1 \
xsrc/external/mit/xorg-server/dist/glx/indirect_program.c \
xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c \
xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h \
xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c \
xsrc/external/mit/xorg-server/dist/glx/indirect_util.c \
xsrc/external/mit/xorg-server/dist/glx/rensize.c \
xsrc/external/mit/xorg-server/dist/glx/single2swap.c \
xsrc/external/mit/xorg-server/dist/glx/singlepix.c \
xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c \
xsrc/external/mit/xorg-server/dist/glx/swap_interval.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \
xsrc/external/mit/xorg-server/dist/include/dix.h
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/xorg-server/dist/include/regionstr.h
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \
xsrc/external/mit/xorg-server/dist/os/access.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/xorg-server/dist/os/rpcauth.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.10.1 \
xsrc/external/mit/xorg-server/dist/render/render.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.10.1 \
xsrc/external/mit/xorg-server/dist/test/Makefile.am
cvs rdiff -u -r0 -r1.1.2.2 \
xsrc/external/mit/xorg-server/dist/test/xi1/Makefile.am \
xsrc/external/mit/xorg-server/dist/test/xi1/protocol-xchangedevicecontrol.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.10.1 \
xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c \
xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c \
xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/xorg-server/dist/xfixes/select.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/configure
diff -u xsrc/external/mit/xorg-server/dist/configure:1.1.1.9 xsrc/external/mit/xorg-server/dist/configure:1.1.1.9.4.1
--- xsrc/external/mit/xorg-server/dist/configure:1.1.1.9 Mon Jun 3 07:34:19 2013
+++ xsrc/external/mit/xorg-server/dist/configure Tue Dec 9 19:36:56 2014
@@ -39376,7 +39376,7 @@ DIX_CFLAGS="-DHAVE_DIX_CONFIG_H $XSERVER
ac_config_commands="$ac_config_commands sdksyms"
-ac_config_files="$ac_config_files Makefile glx/Makefile include/Makefile composite/Makefile damageext/Makefile dbe/Makefile dix/Makefile doc/Makefile doc/man/Makefile doc/xml/Makefile doc/xml/dtrace/Makefile doc/xml/xserver.ent fb/Makefile record/Makefile config/Makefile mi/Makefile miext/Makefile miext/sync/Makefile miext/damage/Makefile miext/shadow/Makefile miext/cw/Makefile miext/rootless/Makefile os/Makefile randr/Makefile render/Makefile xkb/Makefile Xext/Makefile Xi/Makefile xfixes/Makefile exa/Makefile hw/Makefile hw/xfree86/Makefile hw/xfree86/common/Makefile hw/xfree86/common/xf86Build.h hw/xfree86/ddc/Makefile hw/xfree86/dixmods/Makefile hw/xfree86/dixmods/extmod/Makefile hw/xfree86/doc/Makefile hw/xfree86/doc/devel/Makefile hw/xfree86/doc/man/Makefile hw/xfree86/doc/sgml/Makefile hw/xfree86/dri/Makefile hw/xfree86/dri2/Makefile hw/xfree86/exa/Makefile hw/xfree86/exa/man/Makefile hw/xfree86/fbdevhw/Makefile hw/xfree86/fbdevhw/man/Makefile hw/xfree86/i2c/Makefile h
w/xfree86/int10/Makefile hw/xfree86/loader/Makefile hw/xfree86/modes/Makefile hw/xfree86/os-support/Makefile hw/xfree86/os-support/bsd/Makefile hw/xfree86/os-support/bus/Makefile hw/xfree86/os-support/hurd/Makefile hw/xfree86/os-support/misc/Makefile hw/xfree86/os-support/linux/Makefile hw/xfree86/os-support/solaris/Makefile hw/xfree86/parser/Makefile hw/xfree86/ramdac/Makefile hw/xfree86/shadowfb/Makefile hw/xfree86/vbe/Makefile hw/xfree86/vgahw/Makefile hw/xfree86/x86emu/Makefile hw/xfree86/xaa/Makefile hw/xfree86/utils/Makefile hw/xfree86/utils/man/Makefile hw/xfree86/utils/cvt/Makefile hw/xfree86/utils/gtf/Makefile hw/dmx/config/Makefile hw/dmx/config/man/Makefile hw/dmx/doc/Makefile hw/dmx/doc/doxygen.conf hw/dmx/examples/Makefile hw/dmx/input/Makefile hw/dmx/glxProxy/Makefile hw/dmx/Makefile hw/dmx/man/Makefile hw/vfb/Makefile hw/vfb/man/Makefile hw/xnest/Makefile hw/xnest/man/Makefile hw/xwin/Makefile hw/xwin/glx/Makefile hw/xwin/man/Makefile hw/xquartz/Makefile hw/xq
uartz/GL/Makefile hw/xquartz/bundle/Makefile hw/xquartz/man/Makefile hw/xquartz/mach-startup/Makefile hw/xquartz/pbproxy/Makefile hw/xquartz/xpr/Makefile hw/kdrive/Makefile hw/kdrive/ephyr/Makefile hw/kdrive/ephyr/man/Makefile hw/kdrive/fake/Makefile hw/kdrive/fbdev/Makefile hw/kdrive/linux/Makefile hw/kdrive/src/Makefile test/Makefile test/xi2/Makefile xorg-server.pc"
+ac_config_files="$ac_config_files Makefile glx/Makefile include/Makefile composite/Makefile damageext/Makefile dbe/Makefile dix/Makefile doc/Makefile doc/man/Makefile doc/xml/Makefile doc/xml/dtrace/Makefile doc/xml/xserver.ent fb/Makefile record/Makefile config/Makefile mi/Makefile miext/Makefile miext/sync/Makefile miext/damage/Makefile miext/shadow/Makefile miext/cw/Makefile miext/rootless/Makefile os/Makefile randr/Makefile render/Makefile xkb/Makefile Xext/Makefile Xi/Makefile xfixes/Makefile exa/Makefile hw/Makefile hw/xfree86/Makefile hw/xfree86/common/Makefile hw/xfree86/common/xf86Build.h hw/xfree86/ddc/Makefile hw/xfree86/dixmods/Makefile hw/xfree86/dixmods/extmod/Makefile hw/xfree86/doc/Makefile hw/xfree86/doc/devel/Makefile hw/xfree86/doc/man/Makefile hw/xfree86/doc/sgml/Makefile hw/xfree86/dri/Makefile hw/xfree86/dri2/Makefile hw/xfree86/exa/Makefile hw/xfree86/exa/man/Makefile hw/xfree86/fbdevhw/Makefile hw/xfree86/fbdevhw/man/Makefile hw/xfree86/i2c/Makefile h
w/xfree86/int10/Makefile hw/xfree86/loader/Makefile hw/xfree86/modes/Makefile hw/xfree86/os-support/Makefile hw/xfree86/os-support/bsd/Makefile hw/xfree86/os-support/bus/Makefile hw/xfree86/os-support/hurd/Makefile hw/xfree86/os-support/misc/Makefile hw/xfree86/os-support/linux/Makefile hw/xfree86/os-support/solaris/Makefile hw/xfree86/parser/Makefile hw/xfree86/ramdac/Makefile hw/xfree86/shadowfb/Makefile hw/xfree86/vbe/Makefile hw/xfree86/vgahw/Makefile hw/xfree86/x86emu/Makefile hw/xfree86/xaa/Makefile hw/xfree86/utils/Makefile hw/xfree86/utils/man/Makefile hw/xfree86/utils/cvt/Makefile hw/xfree86/utils/gtf/Makefile hw/dmx/config/Makefile hw/dmx/config/man/Makefile hw/dmx/doc/Makefile hw/dmx/doc/doxygen.conf hw/dmx/examples/Makefile hw/dmx/input/Makefile hw/dmx/glxProxy/Makefile hw/dmx/Makefile hw/dmx/man/Makefile hw/vfb/Makefile hw/vfb/man/Makefile hw/xnest/Makefile hw/xnest/man/Makefile hw/xwin/Makefile hw/xwin/glx/Makefile hw/xwin/man/Makefile hw/xquartz/Makefile hw/xq
uartz/GL/Makefile hw/xquartz/bundle/Makefile hw/xquartz/man/Makefile hw/xquartz/mach-startup/Makefile hw/xquartz/pbproxy/Makefile hw/xquartz/xpr/Makefile hw/kdrive/Makefile hw/kdrive/ephyr/Makefile hw/kdrive/ephyr/man/Makefile hw/kdrive/fake/Makefile hw/kdrive/fbdev/Makefile hw/kdrive/linux/Makefile hw/kdrive/src/Makefile test/Makefile test/xi1/Makefile test/xi2/Makefile xorg-server.pc"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -41058,6 +41058,7 @@ do
"hw/kdrive/linux/Makefile") CONFIG_FILES="$CONFIG_FILES hw/kdrive/linux/Makefile" ;;
"hw/kdrive/src/Makefile") CONFIG_FILES="$CONFIG_FILES hw/kdrive/src/Makefile" ;;
"test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
+ "test/xi1/Makefile") CONFIG_FILES="$CONFIG_FILES test/xi1/Makefile" ;;
"test/xi2/Makefile") CONFIG_FILES="$CONFIG_FILES test/xi2/Makefile" ;;
"xorg-server.pc") CONFIG_FILES="$CONFIG_FILES xorg-server.pc" ;;
Index: xsrc/external/mit/xorg-server/dist/configure.ac
diff -u xsrc/external/mit/xorg-server/dist/configure.ac:1.1.1.9 xsrc/external/mit/xorg-server/dist/configure.ac:1.1.1.9.4.1
--- xsrc/external/mit/xorg-server/dist/configure.ac:1.1.1.9 Mon Jun 3 07:34:19 2013
+++ xsrc/external/mit/xorg-server/dist/configure.ac Tue Dec 9 19:36:57 2014
@@ -2264,6 +2264,7 @@ hw/kdrive/fbdev/Makefile
hw/kdrive/linux/Makefile
hw/kdrive/src/Makefile
test/Makefile
+test/xi1/Makefile
test/xi2/Makefile
xorg-server.pc
])
Index: xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.4.10.1
--- xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.4 Tue Aug 2 06:57:06 2011
+++ xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c Tue Dec 9 19:36:57 2014
@@ -175,6 +175,7 @@ SProcXCMiscGetXIDList(ClientPtr client)
{
int n;
REQUEST(xXCMiscGetXIDListReq);
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
swaps(&stuff->length, n);
swapl(&stuff->count, n);
Index: xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.4 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.4.4.1
--- xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.4 Mon Jun 3 07:38:40 2013
+++ xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c Tue Dec 9 19:36:57 2014
@@ -1280,6 +1280,7 @@ SProcXvQueryExtension(ClientPtr client)
{
char n;
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length, n);
return XvProcVector[xv_QueryExtension](client);
}
@@ -1289,6 +1290,7 @@ SProcXvQueryAdaptors(ClientPtr client)
{
char n;
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return XvProcVector[xv_QueryAdaptors](client);
@@ -1299,6 +1301,7 @@ SProcXvQueryEncodings(ClientPtr client)
{
char n;
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return XvProcVector[xv_QueryEncodings](client);
@@ -1309,6 +1312,7 @@ SProcXvGrabPort(ClientPtr client)
{
char n;
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1320,6 +1324,7 @@ SProcXvUngrabPort(ClientPtr client)
{
char n;
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1331,6 +1336,7 @@ SProcXvPutVideo(ClientPtr client)
{
char n;
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1351,6 +1357,7 @@ SProcXvPutStill(ClientPtr client)
{
char n;
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1371,6 +1378,7 @@ SProcXvGetVideo(ClientPtr client)
{
char n;
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1391,6 +1399,7 @@ SProcXvGetStill(ClientPtr client)
{
char n;
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1411,6 +1420,7 @@ SProcXvPutImage(ClientPtr client)
{
char n;
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1435,6 +1445,7 @@ SProcXvShmPutImage(ClientPtr client)
{
char n;
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1463,6 +1474,7 @@ SProcXvSelectVideoNotify(ClientPtr clien
{
char n;
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->drawable, n);
return XvProcVector[xv_SelectVideoNotify](client);
@@ -1473,6 +1485,7 @@ SProcXvSelectPortNotify(ClientPtr client
{
char n;
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return XvProcVector[xv_SelectPortNotify](client);
@@ -1483,6 +1496,7 @@ SProcXvStopVideo(ClientPtr client)
{
char n;
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1494,6 +1508,7 @@ SProcXvSetPortAttribute(ClientPtr client
{
char n;
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1506,6 +1521,7 @@ SProcXvGetPortAttribute(ClientPtr client
{
char n;
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1517,6 +1533,7 @@ SProcXvQueryBestSize(ClientPtr client)
{
char n;
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swaps(&stuff->vid_w, n);
@@ -1531,6 +1548,7 @@ SProcXvQueryPortAttributes(ClientPtr cli
{
char n;
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return XvProcVector[xv_QueryPortAttributes](client);
@@ -1541,6 +1559,7 @@ SProcXvQueryImageAttributes(ClientPtr cl
{
char n;
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->id, n);
@@ -1554,6 +1573,7 @@ SProcXvListImageFormats(ClientPtr client
{
char n;
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return XvProcVector[xv_ListImageFormats](client);
Index: xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c:1.1.1.3 Tue Nov 23 05:22:10 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c Tue Dec 9 19:36:57 2014
@@ -81,7 +81,7 @@ SProcXChangeDeviceControl(ClientPtr clie
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control, n);
ctl = (xDeviceCtl*)&stuff[1];
swaps(&ctl->control, n);
@@ -140,7 +140,7 @@ ProcXChangeDeviceControl(ClientPtr clien
devicePresenceNotify dpn;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@@ -248,6 +248,10 @@ ProcXChangeDeviceControl(ClientPtr clien
break;
case DEVICE_ENABLE:
e = (xDeviceEnableCtl *)&stuff[1];
+ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
+ ret = BadLength;
+ goto out;
+ }
status = ChangeDeviceControl(client, dev, (xDeviceCtl *) e);
Index: xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.1.1.3 Tue Nov 23 05:22:10 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c Tue Dec 9 19:36:57 2014
@@ -471,6 +471,8 @@ ProcXChangeFeedbackControl(ClientPtr cli
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]);
if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
swaps(&f->num_keysyms, n);
}
if (len != (bytes_to_int32(sizeof(xStringFeedbackCtl)) + f->num_keysyms))
Index: xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3 Tue Nov 23 05:22:11 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c Tue Dec 9 19:36:57 2014
@@ -134,6 +134,9 @@ ProcXSendExtensionEvent(ClientPtr client
if (ret != Success)
return ret;
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) & stuff[1]);
Index: xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c:1.1.1.1 Tue Nov 23 05:22:11 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c Tue Dec 9 19:36:57 2014
@@ -47,6 +47,7 @@ SProcXIAllowEvents(ClientPtr client)
char n;
REQUEST(xXIAllowEventsReq);
+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
Index: xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c:1.1.1.1 Tue Nov 23 05:22:10 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c Tue Dec 9 19:36:57 2014
@@ -59,11 +59,11 @@ SProcXIChangeCursor(ClientPtr client)
char n;
REQUEST(xXIChangeCursorReq);
+ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
swaps(&stuff->length, n);
swapl(&stuff->win, n);
swapl(&stuff->cursor, n);
swaps(&stuff->deviceid, n);
- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
return (ProcXIChangeCursor(client));
}
Index: xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c:1.1.1.1 Tue Nov 23 05:22:11 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c Tue Dec 9 19:36:57 2014
@@ -51,6 +51,7 @@ SProcXIGetClientPointer(ClientPtr client
{
char n;
REQUEST(xXIGetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
swaps(&stuff->length, n);
swapl(&stuff->win, n);
Index: xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c:1.1.1.1 Tue Nov 23 05:22:11 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c Tue Dec 9 19:36:57 2014
@@ -54,10 +54,11 @@ SProcXISetClientPointer(ClientPtr client
char n;
REQUEST(xXISetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+
swaps(&stuff->length, n);
swapl(&stuff->win, n);
swaps(&stuff->deviceid, n);
- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
return (ProcXISetClientPointer(client));
}
Index: xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c:1.1.1.1 Tue Nov 23 05:22:11 2010
+++ xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c Tue Dec 9 19:36:57 2014
@@ -46,6 +46,8 @@ SProcXISetFocus(ClientPtr client)
char n;
REQUEST(xXISetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
+
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
swapl(&stuff->focus, n);
@@ -60,6 +62,8 @@ SProcXIGetFocus(ClientPtr client)
char n;
REQUEST(xXIGetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
+
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
Index: xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.1.1.3.4.1
--- xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.1.1.3 Mon Jun 3 07:34:29 2013
+++ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c Tue Dec 9 19:36:57 2014
@@ -436,7 +436,7 @@ int
ProcXIChangeHierarchy(ClientPtr client)
{
xXIAnyHierarchyChangeInfo *any;
- int required_len = sizeof(xXIChangeHierarchyReq);
+ size_t len; /* length of data remaining in request */
char n;
int rc = Success;
int flags[MAXDEVICES] = {0};
@@ -447,22 +447,47 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
+ if (stuff->length > (INT_MAX >> 2))
+ return BadAlloc;
+ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+
any = (xXIAnyHierarchyChangeInfo*)&stuff[1];
while(stuff->num_changes--)
{
+ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
+
SWAPIF(swapl(&any->type, n));
SWAPIF(swaps(&any->length, n));
- required_len += any->length;
- if ((stuff->length * 4) < required_len)
+ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
return BadLength;
+#define CHANGE_SIZE_MATCH(type) \
+ do { \
+ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
+ rc = BadLength; \
+ goto unwind; \
+ } \
+ } while(0)
+
switch(any->type)
{
case XIAddMaster:
{
xXIAddMasterInfo* c = (xXIAddMasterInfo*)any;
+ /* Variable length, due to appended name string */
+ if (len < sizeof(xXIAddMasterInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
SWAPIF(swaps(&c->name_len, n));
+ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
+ rc = BadLength;
+ goto unwind;
+ }
rc = add_master(client, c, flags);
if (rc != Success)
@@ -473,6 +498,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIRemoveMasterInfo* r = (xXIRemoveMasterInfo*)any;
+ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
@@ -482,6 +508,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIDetachSlaveInfo* c = (xXIDetachSlaveInfo*)any;
+ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -491,6 +518,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIAttachSlaveInfo* c = (xXIAttachSlaveInfo*)any;
+ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -498,6 +526,7 @@ ProcXIChangeHierarchy(ClientPtr client)
break;
}
+ len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo*)((char*)any + any->length * 4);
}
Index: xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.1.1.3.4.1
--- xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.1.1.3 Mon Jun 3 07:34:29 2013
+++ xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c Tue Dec 9 19:36:57 2014
@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr clien
xXIModifierInfo *mods;
REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr clien
swaps(&stuff->mask_len, n);
swaps(&stuff->num_modifiers, n);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
mods = (xXIModifierInfo*)&stuff[1];
for (i = 0; i < stuff->num_modifiers; i++, mods++)
@@ -91,7 +94,8 @@ ProcXIPassiveGrabDevice(ClientPtr client
int n;
REQUEST(xXIPassiveGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
@@ -243,6 +247,7 @@ SProcXIPassiveUngrabDevice(ClientPtr cli
uint32_t *modifiers;
REQUEST(xXIPassiveUngrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
swaps(&stuff->length, n);
swapl(&stuff->grab_window, n);
@@ -250,6 +255,8 @@ SProcXIPassiveUngrabDevice(ClientPtr cli
swapl(&stuff->detail, n);
swaps(&stuff->num_modifiers, n);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
modifiers = (uint32_t*)&stuff[1];
for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
@@ -268,7 +275,8 @@ ProcXIPassiveUngrabDevice(ClientPtr clie
int i, rc;
REQUEST(xXIPassiveUngrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
Index: xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c:1.1.1.2 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c Tue Dec 9 19:36:57 2014
@@ -48,6 +48,11 @@ SProcXIGrabDevice(ClientPtr client)
char n;
REQUEST(xXIGrabDeviceReq);
+ /*
+ * Check here for at least the length of the struct we swap, then
+ * let ProcXIGrabDevice check the full size after we swap mask_len.
+ */
+ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
@@ -70,7 +75,7 @@ ProcXIGrabDevice(ClientPtr client)
int mask_len;
REQUEST(xXIGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
if (ret != Success)
@@ -135,6 +140,8 @@ ProcXIUngrabDevice(ClientPtr client)
TimeStamp time;
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
if (ret != Success)
Index: xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c:1.1.1.2 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c Tue Dec 9 19:36:57 2014
@@ -55,6 +55,7 @@ SProcXIQueryDevice(ClientPtr client)
char n;
REQUEST(xXIQueryDeviceReq);
+ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
Index: xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c:1.1.1.2 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c Tue Dec 9 19:36:57 2014
@@ -64,6 +64,8 @@ SProcXIQueryPointer(ClientPtr client)
char n;
REQUEST(xXIQueryPointerReq);
+ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
+
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
swapl(&stuff->win, n);
Index: xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c:1.1.1.2 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c Tue Dec 9 19:36:57 2014
@@ -65,6 +65,7 @@ SProcXISelectEvents(ClientPtr client)
{
char n;
int i;
+ int len;
xXIEventMask* evmask;
REQUEST(xXISelectEventsReq);
@@ -73,11 +74,18 @@ SProcXISelectEvents(ClientPtr client)
swapl(&stuff->win, n);
swaps(&stuff->num_masks, n);
+ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
evmask = (xXIEventMask*)&stuff[1];
for (i = 0; i < stuff->num_masks; i++)
{
+ if (len < bytes_to_int32(sizeof(xXIEventMask)))
+ return BadLength;
+ len -= bytes_to_int32(sizeof(xXIEventMask));
swaps(&evmask->deviceid, n);
swaps(&evmask->mask_len, n);
+ if (len < evmask->mask_len)
+ return BadLength;
+ len -= evmask->mask_len;
evmask = (xXIEventMask*)(((char*)&evmask[1]) + evmask->mask_len * 4);
}
Index: xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c:1.1.1.2 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c Tue Dec 9 19:36:57 2014
@@ -59,6 +59,8 @@ SProcXIWarpPointer(ClientPtr client)
char n;
REQUEST(xXIWarpPointerReq);
+ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
+
swaps(&stuff->length, n);
swapl(&stuff->src_win, n);
swapl(&stuff->dst_win, n);
Index: xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.1.1.4.10.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.1.1.4 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c Tue Dec 9 19:36:57 2014
@@ -1038,10 +1038,9 @@ SProcXListDeviceProperties (ClientPtr cl
{
char n;
REQUEST(xListDevicePropertiesReq);
+ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
swaps(&stuff->length, n);
-
- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
return (ProcXListDeviceProperties(client));
}
@@ -1064,10 +1063,10 @@ SProcXDeleteDeviceProperty (ClientPtr cl
{
char n;
REQUEST(xDeleteDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
swaps(&stuff->length, n);
swapl(&stuff->property, n);
- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
return (ProcXDeleteDeviceProperty(client));
}
@@ -1076,13 +1075,13 @@ SProcXGetDeviceProperty (ClientPtr clien
{
char n;
REQUEST(xGetDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
swaps(&stuff->length, n);
swapl(&stuff->property, n);
swapl(&stuff->type, n);
swapl(&stuff->longOffset, n);
swapl(&stuff->longLength, n);
- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
return (ProcXGetDeviceProperty(client));
}
@@ -1281,11 +1280,10 @@ SProcXIListProperties(ClientPtr client)
{
char n;
REQUEST(xXIListPropertiesReq);
+ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
-
- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
return (ProcXIListProperties(client));
}
@@ -1309,11 +1307,11 @@ SProcXIDeleteProperty(ClientPtr client)
{
char n;
REQUEST(xXIDeletePropertyReq);
+ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
swapl(&stuff->property, n);
- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
return (ProcXIDeleteProperty(client));
}
@@ -1322,6 +1320,7 @@ SProcXIGetProperty(ClientPtr client)
{
char n;
REQUEST(xXIGetPropertyReq);
+ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
swaps(&stuff->length, n);
swaps(&stuff->deviceid, n);
@@ -1329,7 +1328,6 @@ SProcXIGetProperty(ClientPtr client)
swapl(&stuff->type, n);
swapl(&stuff->offset, n);
swapl(&stuff->len, n);
- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
return (ProcXIGetProperty(client));
}
Index: xsrc/external/mit/xorg-server/dist/dbe/dbe.c
diff -u xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.4.10.1
--- xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.4 Tue Aug 2 06:56:45 2011
+++ xsrc/external/mit/xorg-server/dist/dbe/dbe.c Tue Dec 9 19:36:57 2014
@@ -487,8 +487,8 @@ ProcDbeSwapBuffers(ClientPtr client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
@@ -496,11 +496,13 @@ ProcDbeSwapBuffers(ClientPtr client)
if (nStuff == 0)
{
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return Success;
}
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
@@ -1035,7 +1037,7 @@ static int
SProcDbeSwapBuffers(ClientPtr client)
{
REQUEST(xDbeSwapBuffersReq);
- register int i, n;
+ unsigned int i, n;
xDbeSwapInfo *pSwapInfo;
@@ -1043,6 +1045,9 @@ SProcDbeSwapBuffers(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n, n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0)
{
Index: xsrc/external/mit/xorg-server/dist/dix/dispatch.c
diff -u xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.7 xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.7.4.1
--- xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.7 Mon Jun 3 07:34:19 2013
+++ xsrc/external/mit/xorg-server/dist/dix/dispatch.c Tue Dec 9 19:36:57 2014
@@ -1973,6 +1973,9 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
+
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
Index: xsrc/external/mit/xorg-server/dist/dix/region.c
diff -u xsrc/external/mit/xorg-server/dist/dix/region.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/dix/region.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/dix/region.c:1.1.1.1 Tue Nov 23 05:21:00 2010
+++ xsrc/external/mit/xorg-server/dist/dix/region.c Tue Dec 9 19:36:57 2014
@@ -169,7 +169,6 @@ Equipment Corporation.
((r1)->y1 <= (r2)->y1) && \
((r1)->y2 >= (r2)->y2) )
-#define xallocData(n) malloc(RegionSizeof(n))
#define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
#define RECTALLOC_BAIL(pReg,n,bail) \
@@ -206,8 +205,9 @@ if (!(pReg)->data || (((pReg)->data->num
#define DOWNSIZE(reg,numRects) \
if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
{ \
- RegDataPtr NewData; \
- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
+ size_t NewSize = RegionSizeof(numRects); \
+ RegDataPtr NewData = \
+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
if (NewData) \
{ \
NewData->size = (numRects); \
@@ -335,11 +335,13 @@ Bool
RegionRectAlloc(RegionPtr pRgn, int n)
{
RegDataPtr data;
+ size_t rgnSize;
if (!pRgn->data)
{
n++;
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak (pRgn);
pRgn->data->numRects = 1;
@@ -347,7 +349,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
}
else if (!pRgn->data->size)
{
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak (pRgn);
pRgn->data->numRects = 0;
@@ -361,7 +364,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
n = 250;
}
n += pRgn->data->numRects;
- data = (RegDataPtr)realloc(pRgn->data, RegionSizeof(n));
+ rgnSize = RegionSizeof(n);
+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
if (!data)
return RegionBreak (pRgn);
pRgn->data = data;
@@ -1350,6 +1354,7 @@ RegionFromRects(int nrects, xRectangle *
{
RegionPtr pRgn;
+ size_t rgnSize;
RegDataPtr pData;
BoxPtr pBox;
int i;
@@ -1378,7 +1383,8 @@ RegionFromRects(int nrects, xRectangle *
}
return pRgn;
}
- pData = xallocData(nrects);
+ rgnSize = RegionSizeof(nrects);
+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pData)
{
RegionBreak (pRgn);
Index: xsrc/external/mit/xorg-server/dist/glx/glxcmds.c
diff -u xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.6 xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.6.10.1
--- xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.6 Tue Aug 2 07:16:36 2011
+++ xsrc/external/mit/xorg-server/dist/glx/glxcmds.c Tue Dec 9 19:36:57 2014
@@ -1895,7 +1895,7 @@ int __glXDisp_Render(__GLXclientState *c
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
__GLXdispatchRenderProcPtr proc;
int err;
@@ -1914,6 +1914,9 @@ int __glXDisp_Render(__GLXclientState *c
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
/*
** Check for core opcodes and grab entry data.
*/
@@ -1927,23 +1930,21 @@ int __glXDisp_Render(__GLXclientState *c
return __glXError(GLXBadRenderRequest);
}
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
if (entry.varsize) {
/* variable size command */
extra = (*entry.varsize)(pc + __GLX_RENDER_HDR_SIZE,
- client->swapped);
+ client->swapped,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
return BadLength;
}
}
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
return BadLength;
}
@@ -1978,6 +1979,8 @@ int __glXDisp_RenderLarge(__GLXclientSta
CARD16 opcode;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
req = (xGLXRenderLargeReq *) pc;
if (client->swapped) {
__GLX_SWAP_SHORT(&req->length);
@@ -1993,12 +1996,14 @@ int __glXDisp_RenderLarge(__GLXclientSta
__glXResetLargeCommandStatus(cl);
return error;
}
+ if (safe_pad(req->dataBytes) < 0)
+ return BadLength;
dataBytes = req->dataBytes;
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
@@ -2008,7 +2013,8 @@ int __glXDisp_RenderLarge(__GLXclientSta
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
int err;
@@ -2021,13 +2027,17 @@ int __glXDisp_RenderLarge(__GLXclientSta
return __glXError(GLXBadLargeRequest);
}
+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+ return BadLength;
+
hdr = (__GLXrenderLargeHeader *) pc;
if (client->swapped) {
__GLX_SWAP_INT(&hdr->length);
__GLX_SWAP_INT(&hdr->opcode);
}
- cmdlen = hdr->length;
opcode = hdr->opcode;
+ if ((cmdlen = safe_pad(hdr->length)) < 0)
+ return BadLength;
/*
** Check for core opcodes and grab entry data.
@@ -2045,20 +2055,18 @@ int __glXDisp_RenderLarge(__GLXclientSta
** will be in the 1st request, so it's okay to do this.
*/
extra = (*entry.varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE,
- client->swapped);
+ client->swapped,
+ left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
- extra = 0;
- }
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
- return BadLength;
- }
- } else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
- return BadLength;
+ return BadLength;
}
}
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+ return BadLength;
+ }
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -2086,6 +2094,7 @@ int __glXDisp_RenderLarge(__GLXclientSta
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -2104,11 +2113,18 @@ int __glXDisp_RenderLarge(__GLXclientSta
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
}
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
+ }
+
memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -2120,17 +2136,16 @@ int __glXDisp_RenderLarge(__GLXclientSta
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
Index: xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c
diff -u xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c:1.1.1.3 Tue Aug 2 06:56:47 2011
+++ xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c Tue Dec 9 19:36:57 2014
@@ -870,11 +870,13 @@ int __glXDispSwap_RenderLarge(__GLXclien
int __glXDispSwap_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -897,11 +899,13 @@ int __glXDispSwap_VendorPrivate(__GLXcli
int __glXDispSwap_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
Index: xsrc/external/mit/xorg-server/dist/glx/glxserver.h
diff -u xsrc/external/mit/xorg-server/dist/glx/glxserver.h:1.1.1.3 xsrc/external/mit/xorg-server/dist/glx/glxserver.h:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/glx/glxserver.h:1.1.1.3 Tue Aug 2 06:56:47 2011
+++ xsrc/external/mit/xorg-server/dist/glx/glxserver.h Tue Dec 9 19:36:57 2014
@@ -183,7 +183,7 @@ typedef int (*__GLXprocPtr)(__GLXclientS
/*
* Tables for computing the size of each rendering command.
*/
-typedef int (*gl_proto_size_func)(const GLbyte *, Bool);
+typedef int (*gl_proto_size_func)(const GLbyte *, Bool, int);
typedef struct {
int bytes;
@@ -233,6 +233,47 @@ extern void glxSwapQueryServerStringRepl
* Routines for computing the size of variably-sized rendering commands.
*/
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type,
GLenum target, GLsizei w, GLsizei h, GLsizei d,
Index: xsrc/external/mit/xorg-server/dist/glx/single2.c
diff -u xsrc/external/mit/xorg-server/dist/glx/single2.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/glx/single2.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/glx/single2.c:1.1.1.3 Tue Aug 2 06:56:48 2011
+++ xsrc/external/mit/xorg-server/dist/glx/single2.c Tue Dec 9 19:36:57 2014
@@ -48,11 +48,14 @@
int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -78,10 +81,13 @@ int __glXDisp_FeedbackBuffer(__GLXclient
int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -106,7 +112,7 @@ int __glXDisp_SelectBuffer(__GLXclientSt
int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems=0, retBytes=0, retval, newModeCheck;
@@ -114,6 +120,8 @@ int __glXDisp_RenderMode(__GLXclientStat
GLenum newMode;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -188,7 +196,6 @@ int __glXDisp_RenderMode(__GLXclientStat
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply.length = nitems;
reply.type = X_Reply;
reply.sequenceNumber = client->sequence;
@@ -204,9 +211,12 @@ int __glXDisp_RenderMode(__GLXclientStat
int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -219,10 +229,12 @@ int __glXDisp_Flush(__GLXclientState *cl
int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -306,7 +318,7 @@ char *__glXcombine_strings(const char *c
int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@@ -315,6 +327,8 @@ int DoGetString(__GLXclientState *cl, GL
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@@ -331,7 +345,6 @@ int DoGetString(__GLXclientState *cl, GL
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *)(pc + 0);
string = (const char *) CALL_GetString( GET_DISPATCH(), (name) );
- client = cl->client;
if (string == NULL)
string = "";
Index: xsrc/external/mit/xorg-server/dist/glx/unpack.h
diff -u xsrc/external/mit/xorg-server/dist/glx/unpack.h:1.1.1.3 xsrc/external/mit/xorg-server/dist/glx/unpack.h:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/glx/unpack.h:1.1.1.3 Tue Aug 2 06:56:48 2011
+++ xsrc/external/mit/xorg-server/dist/glx/unpack.h Tue Dec 9 19:36:57 2014
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_program.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_program.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/indirect_program.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_program.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_program.c Tue Dec 9 19:36:57 2014
@@ -71,6 +71,8 @@ int DoGetProgramString(struct __GLXclien
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
if (cx != NULL) {
GLenum target;
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c Tue Dec 9 19:36:57 2014
@@ -32,25 +32,23 @@
#include "indirect_size.h"
#include "indirect_reqsize.h"
-#define __GLX_PAD(x) (((x) + 3) & ~3)
-
#if defined(__CYGWIN__) || defined(__MINGW32__)
# undef HAVE_ALIAS
#endif
#ifdef HAVE_ALIAS
# define ALIAS2(from,to) \
- int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+ int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
__attribute__ ((alias( # to )));
# define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
#else
# define ALIAS(from,to) \
- int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
- { return __glX ## to ## ReqSize( pc, swap ); }
+ int __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
#endif
int
-__glXCallListsReqSize(const GLbyte *pc, Bool swap)
+__glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 0);
GLenum type = *(GLenum *) (pc + 4);
@@ -62,11 +60,11 @@ __glXCallListsReqSize(const GLbyte *pc,
}
compsize = __glCallLists_size(type);
- return __GLX_PAD((compsize * n));
+ return safe_pad(safe_mul(compsize, n));
}
int
-__glXBitmapReqSize(const GLbyte *pc, Bool swap)
+__glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -90,7 +88,7 @@ __glXBitmapReqSize(const GLbyte *pc, Boo
}
int
-__glXFogfvReqSize(const GLbyte *pc, Bool swap)
+__glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 0);
GLsizei compsize;
@@ -100,11 +98,11 @@ __glXFogfvReqSize(const GLbyte *pc, Bool
}
compsize = __glFogfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXLightfvReqSize(const GLbyte *pc, Bool swap)
+__glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -114,11 +112,11 @@ __glXLightfvReqSize(const GLbyte *pc, Bo
}
compsize = __glLightfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXLightModelfvReqSize(const GLbyte *pc, Bool swap)
+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 0);
GLsizei compsize;
@@ -128,11 +126,11 @@ __glXLightModelfvReqSize(const GLbyte *p
}
compsize = __glLightModelfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXMaterialfvReqSize(const GLbyte *pc, Bool swap)
+__glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -142,11 +140,11 @@ __glXMaterialfvReqSize(const GLbyte *pc,
}
compsize = __glMaterialfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXPolygonStippleReqSize(const GLbyte *pc, Bool swap)
+__glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -166,7 +164,7 @@ __glXPolygonStippleReqSize(const GLbyte
}
int
-__glXTexParameterfvReqSize(const GLbyte *pc, Bool swap)
+__glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -176,11 +174,11 @@ __glXTexParameterfvReqSize(const GLbyte
}
compsize = __glTexParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexImage1DReqSize(const GLbyte *pc, Bool swap)
+__glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -208,7 +206,7 @@ __glXTexImage1DReqSize(const GLbyte *pc,
}
int
-__glXTexImage2DReqSize(const GLbyte *pc, Bool swap)
+__glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -238,7 +236,7 @@ __glXTexImage2DReqSize(const GLbyte *pc,
}
int
-__glXTexEnvfvReqSize(const GLbyte *pc, Bool swap)
+__glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -248,11 +246,11 @@ __glXTexEnvfvReqSize(const GLbyte *pc, B
}
compsize = __glTexEnvfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexGendvReqSize(const GLbyte *pc, Bool swap)
+__glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -262,11 +260,11 @@ __glXTexGendvReqSize(const GLbyte *pc, B
}
compsize = __glTexGendv_size(pname);
- return __GLX_PAD((compsize * 8));
+ return safe_pad(safe_mul(compsize, 8));
}
int
-__glXTexGenfvReqSize(const GLbyte *pc, Bool swap)
+__glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -276,11 +274,11 @@ __glXTexGenfvReqSize(const GLbyte *pc, B
}
compsize = __glTexGenfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXPixelMapfvReqSize(const GLbyte *pc, Bool swap)
+__glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei mapsize = *(GLsizei *) (pc + 4);
@@ -288,11 +286,11 @@ __glXPixelMapfvReqSize(const GLbyte *pc,
mapsize = bswap_32(mapsize);
}
- return __GLX_PAD((mapsize * 4));
+ return safe_pad(safe_mul(mapsize, 4));
}
int
-__glXPixelMapusvReqSize(const GLbyte *pc, Bool swap)
+__glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei mapsize = *(GLsizei *) (pc + 4);
@@ -300,11 +298,11 @@ __glXPixelMapusvReqSize(const GLbyte *pc
mapsize = bswap_32(mapsize);
}
- return __GLX_PAD((mapsize * 2));
+ return safe_pad(safe_mul(mapsize, 2));
}
int
-__glXDrawPixelsReqSize(const GLbyte *pc, Bool swap)
+__glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -332,7 +330,7 @@ __glXDrawPixelsReqSize(const GLbyte *pc,
}
int
-__glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap)
+__glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 0);
@@ -340,11 +338,11 @@ __glXPrioritizeTexturesReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 4) + (n * 4));
+ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
}
int
-__glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap)
+__glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -372,7 +370,7 @@ __glXTexSubImage1DReqSize(const GLbyte *
}
int
-__glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap)
+__glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -402,7 +400,7 @@ __glXTexSubImage2DReqSize(const GLbyte *
}
int
-__glXColorTableReqSize(const GLbyte *pc, Bool swap)
+__glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -430,7 +428,7 @@ __glXColorTableReqSize(const GLbyte *pc,
}
int
-__glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap)
+__glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -440,11 +438,11 @@ __glXColorTableParameterfvReqSize(const
}
compsize = __glColorTableParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXColorSubTableReqSize(const GLbyte *pc, Bool swap)
+__glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -472,7 +470,7 @@ __glXColorSubTableReqSize(const GLbyte *
}
int
-__glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap)
+__glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -500,7 +498,7 @@ __glXConvolutionFilter1DReqSize(const GL
}
int
-__glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap)
+__glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -530,7 +528,7 @@ __glXConvolutionFilter2DReqSize(const GL
}
int
-__glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap)
+__glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -540,11 +538,11 @@ __glXConvolutionParameterfvReqSize(const
}
compsize = __glConvolutionParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexImage3DReqSize(const GLbyte *pc, Bool swap)
+__glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = *(GLint *) (pc + 8);
@@ -581,7 +579,7 @@ __glXTexImage3DReqSize(const GLbyte *pc,
}
int
-__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap)
+__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = *(GLint *) (pc + 8);
@@ -615,7 +613,7 @@ __glXTexSubImage3DReqSize(const GLbyte *
}
int
-__glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 20);
@@ -623,11 +621,11 @@ __glXCompressedTexImage1DARBReqSize(cons
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 24);
@@ -635,11 +633,11 @@ __glXCompressedTexImage2DARBReqSize(cons
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 28);
@@ -647,11 +645,11 @@ __glXCompressedTexImage3DARBReqSize(cons
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 36);
@@ -659,11 +657,11 @@ __glXCompressedTexSubImage3DARBReqSize(c
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap)
+__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei len = *(GLsizei *) (pc + 8);
@@ -671,11 +669,11 @@ __glXProgramStringARBReqSize(const GLbyt
len = bswap_32(len);
}
- return __GLX_PAD(len);
+ return safe_pad(len);
}
int
-__glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap)
+__glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 0);
@@ -683,11 +681,11 @@ __glXDrawBuffersARBReqSize(const GLbyte
n = bswap_32(n);
}
- return __GLX_PAD((n * 4));
+ return safe_pad(safe_mul(n, 4));
}
int
-__glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap)
+__glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 0);
GLsizei compsize;
@@ -697,11 +695,11 @@ __glXPointParameterfvEXTReqSize(const GL
}
compsize = __glPointParameterfvEXT_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLuint num = *(GLuint *) (pc + 8);
@@ -709,11 +707,11 @@ __glXProgramParameters4dvNVReqSize(const
num = bswap_32(num);
}
- return __GLX_PAD((num * 32));
+ return safe_pad(safe_mul(num, 32));
}
int
-__glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap)
+__glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLuint num = *(GLuint *) (pc + 8);
@@ -721,11 +719,11 @@ __glXProgramParameters4fvNVReqSize(const
num = bswap_32(num);
}
- return __GLX_PAD((num * 16));
+ return safe_pad(safe_mul(num, 16));
}
int
-__glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -733,11 +731,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 8));
+ return safe_pad(safe_mul(n, 8));
}
int
-__glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -745,11 +743,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 16));
+ return safe_pad(safe_mul(n, 16));
}
int
-__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -757,11 +755,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 24));
+ return safe_pad(safe_mul(n, 24));
}
int
-__glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -769,11 +767,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 12));
+ return safe_pad(safe_mul(n, 12));
}
int
-__glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -781,11 +779,11 @@ __glXVertexAttribs3svNVReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 6));
+ return safe_pad(safe_mul(n, 6));
}
int
-__glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -793,11 +791,11 @@ __glXVertexAttribs4dvNVReqSize(const GLb
n = bswap_32(n);
}
- return __GLX_PAD((n * 32));
+ return safe_pad(safe_mul(n, 32));
}
int
-__glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap)
+__glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
{
GLsizei len = *(GLsizei *) (pc + 4);
@@ -805,7 +803,7 @@ __glXProgramNamedParameter4fvNVReqSize(c
len = bswap_32(len);
}
- return __GLX_PAD(len);
+ return safe_pad(len);
}
ALIAS(Fogiv, Fogfv)
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h Tue Dec 9 19:36:57 2014
@@ -40,80 +40,80 @@
# define PURE
# endif
-extern PURE HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPointParameterivNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte *pc, Bool swap);
+extern PURE HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swa, int reqlenp);
+extern PURE HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPointParameterivNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte *pc, Bool swap, int reqlen);
# undef HIDDEN
# undef PURE
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c Tue Dec 9 19:36:57 2014
@@ -47,6 +47,8 @@ int __glXDisp_GetCompressedTexImageARB(s
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if ( cx != NULL ) {
const GLenum target = *(GLenum *)(pc + 0);
@@ -87,6 +89,8 @@ int __glXDispSwap_GetCompressedTexImageA
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if ( cx != NULL ) {
const GLenum target = (GLenum) bswap_32( *(int *)(pc + 0) );
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_util.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_util.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/indirect_util.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_util.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_util.c Tue Dec 9 19:36:57 2014
@@ -81,12 +81,17 @@ __glXGetAnswerBuffer( __GLXclientState *
void * local_buffer, size_t local_size, unsigned alignment )
{
void * buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
if ( local_size < required_size ) {
- const size_t worst_case_size = required_size + alignment;
+ size_t worst_case_size;
intptr_t temp_buf;
+ if (required_size < SIZE_MAX - alignment)
+ worst_case_size = required_size + alignment;
+ else
+ return NULL;
+
if ( cl->returnBufSize < worst_case_size ) {
void * temp = realloc( cl->returnBuf, worst_case_size );
Index: xsrc/external/mit/xorg-server/dist/glx/rensize.c
diff -u xsrc/external/mit/xorg-server/dist/glx/rensize.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/rensize.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/rensize.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/rensize.c Tue Dec 9 19:36:57 2014
@@ -43,16 +43,10 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-static int Map1Size( GLint k, GLint order)
-{
- if (order <= 0 || k < 0) return -1;
- return k * order;
-}
-
-int __glXMap1dReqSize( const GLbyte *pc, Bool swap )
+int __glXMap1dReqSize( const GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum*) (pc + 16);
order = *(GLint*) (pc + 20);
@@ -60,14 +54,15 @@ int __glXMap1dReqSize( const GLbyte *pc,
target = SWAPL( target );
order = SWAPL( order );
}
- k = __glMap1d_size( target );
- return 8 * Map1Size( k, order );
+ if (order < 1)
+ return -1;
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
-int __glXMap1fReqSize( const GLbyte *pc, Bool swap )
+int __glXMap1fReqSize( const GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *)(pc + 0);
order = *(GLint *)(pc + 12);
@@ -75,20 +70,22 @@ int __glXMap1fReqSize( const GLbyte *pc,
target = SWAPL( target );
order = SWAPL( order );
}
- k = __glMap1f_size(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
}
static int Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1;
- return k * majorOrder * minorOrder;
+ if (majorOrder < 1 || minorOrder < 1)
+ return -1;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
-int __glXMap2dReqSize( const GLbyte *pc, Bool swap )
+int __glXMap2dReqSize( const GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *)(pc + 32);
uorder = *(GLint *)(pc + 36);
@@ -98,14 +95,13 @@ int __glXMap2dReqSize( const GLbyte *pc,
uorder = SWAPL( uorder );
vorder = SWAPL( vorder );
}
- k = __glMap2d_size( target );
- return 8 * Map2Size( k, uorder, vorder );
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
-int __glXMap2fReqSize( const GLbyte *pc, Bool swap )
+int __glXMap2fReqSize( const GLbyte *pc, Bool swap, int reqlen )
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *)(pc + 0);
uorder = *(GLint *)(pc + 12);
@@ -115,8 +111,7 @@ int __glXMap2fReqSize( const GLbyte *pc,
uorder = SWAPL( uorder );
vorder = SWAPL( vorder );
}
- k = __glMap2f_size( target );
- return 4 * Map2Size( k, uorder, vorder );
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
/**
@@ -166,13 +161,16 @@ int __glXImageSize( GLenum format, GLenu
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w==0 || h==0 || d == 0) return 0;
+ /* proxy targets have no data */
switch( target ) {
case GL_PROXY_TEXTURE_1D:
case GL_PROXY_TEXTURE_2D:
@@ -189,6 +187,12 @@ int __glXImageSize( GLenum format, GLenu
return 0;
}
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
+
if (type == GL_BITMAP) {
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -196,11 +200,14 @@ int __glXImageSize( GLenum format, GLenu
groupsPerRow = w;
}
rowSize = bits_to_bytes(groupsPerRow);
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+
+ return safe_mul(safe_add(h, skipRows), rowSize);
} else {
switch(format) {
case GL_COLOR_INDEX:
@@ -212,6 +219,11 @@ int __glXImageSize( GLenum format, GLenu
case GL_ALPHA:
case GL_LUMINANCE:
case GL_INTENSITY:
+ case GL_RED_INTEGER_EXT:
+ case GL_GREEN_INTEGER_EXT:
+ case GL_BLUE_INTEGER_EXT:
+ case GL_ALPHA_INTEGER_EXT:
+ case GL_LUMINANCE_INTEGER_EXT:
elementsPerGroup = 1;
break;
case GL_422_EXT:
@@ -222,14 +234,19 @@ int __glXImageSize( GLenum format, GLenu
case GL_DEPTH_STENCIL_MESA:
case GL_YCBCR_MESA:
case GL_LUMINANCE_ALPHA:
+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
elementsPerGroup = 2;
break;
case GL_RGB:
case GL_BGR:
+ case GL_RGB_INTEGER_EXT:
+ case GL_BGR_INTEGER_EXT:
elementsPerGroup = 3;
break;
case GL_RGBA:
case GL_BGRA:
+ case GL_RGBA_INTEGER_EXT:
+ case GL_BGRA_INTEGER_EXT:
case GL_ABGR_EXT:
elementsPerGroup = 4;
break;
@@ -281,23 +298,27 @@ int __glXImageSize( GLenum format, GLenu
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
} else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- } else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
@@ -318,13 +339,14 @@ int __glXTypeSize(GLenum enm)
}
}
-int __glXDrawArraysReqSize( const GLbyte *pc, Bool swap )
+int __glXDrawArraysReqSize( const GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
__GLXdispatchDrawArraysComponentHeader *compHeader;
GLint numVertexes = hdr->numVertexes;
GLint numComponents = hdr->numComponents;
GLint arrayElementSize = 0;
+ GLint x, size;
int i;
if (swap) {
@@ -333,6 +355,13 @@ int __glXDrawArraysReqSize( const GLbyte
}
pc += sizeof(__GLXdispatchDrawArraysHeader);
+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+ numComponents);
+ if (size < 0 || reqlen < 0 || reqlen < size)
+ return -1;
+
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
for (i=0; i<numComponents; i++) {
@@ -381,11 +410,10 @@ int __glXDrawArraysReqSize( const GLbyte
pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
}
- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
- (numVertexes * arrayElementSize));
+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
}
-int __glXSeparableFilter2DReqSize( const GLbyte *pc, Bool swap )
+int __glXSeparableFilter2DReqSize( const GLbyte *pc, Bool swap, int reqlen )
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -410,9 +438,8 @@ int __glXSeparableFilter2DReqSize( const
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize( format, type, 0, w, 1, 1,
0, rowLength, 0, 0, alignment );
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize( format, type, 0, h, 1, 1,
0, rowLength, 0, 0, alignment );
- return image1size + image2size;
+ return safe_add(safe_pad(image1size), image2size);
}
Index: xsrc/external/mit/xorg-server/dist/glx/single2swap.c
diff -u xsrc/external/mit/xorg-server/dist/glx/single2swap.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/single2swap.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/single2swap.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/single2swap.c Tue Dec 9 19:36:57 2014
@@ -44,12 +44,15 @@
int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLX_DECLARE_SWAP_VARIABLES;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -78,11 +81,14 @@ int __glXDispSwap_FeedbackBuffer(__GLXcl
int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -109,7 +115,7 @@ int __glXDispSwap_SelectBuffer(__GLXclie
int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems=0, retBytes=0, retval, newModeCheck;
@@ -119,6 +125,8 @@ int __glXDispSwap_RenderMode(__GLXclient
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -197,7 +205,6 @@ int __glXDispSwap_RenderMode(__GLXclient
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply.length = nitems;
reply.type = X_Reply;
reply.sequenceNumber = client->sequence;
@@ -218,10 +225,13 @@ int __glXDispSwap_RenderMode(__GLXclient
int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -235,11 +245,13 @@ int __glXDispSwap_Flush(__GLXclientState
int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -251,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientStat
__GLX_NOTE_FLUSHED_CMDS(cx);
/* Send empty reply packet to indicate finish is finished */
- client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();
Index: xsrc/external/mit/xorg-server/dist/glx/singlepix.c
diff -u xsrc/external/mit/xorg-server/dist/glx/singlepix.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/singlepix.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/singlepix.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/singlepix.c Tue Dec 9 19:36:57 2014
@@ -54,6 +54,8 @@ int __glXDisp_ReadPixels(__GLXclientStat
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -67,7 +69,8 @@ int __glXDisp_ReadPixels(__GLXclientStat
swapBytes = *(GLboolean *)(pc + 24);
lsbFirst = *(GLboolean *)(pc + 25);
compsize = __glReadPixels_size(format,type,width,height);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes) );
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst) );
@@ -106,6 +109,8 @@ int __glXDisp_GetTexImage(__GLXclientSta
char *answer, answerBuffer[200];
GLint width=0, height=0, depth=1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -128,7 +133,8 @@ int __glXDisp_GetTexImage(__GLXclientSta
* are illegal, but then width, height, and depth would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes) );
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -164,6 +170,8 @@ int __glXDisp_GetPolygonStipple(__GLXcli
GLubyte answerBuffer[200];
char *answer;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -222,13 +230,13 @@ static int GetSeparableFilter(__GLXclien
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
- if (compsize < 0) compsize = 0;
- if (compsize2 < 0) compsize2 = 0;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
+ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
CALL_GetSeparableFilter( GET_DISPATCH(), (
*(GLenum *)(pc + 0),
@@ -256,14 +264,16 @@ static int GetSeparableFilter(__GLXclien
int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDisp_GetSeparableFilterEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -302,7 +312,8 @@ static int GetConvolutionFilter(__GLXcli
* are illegal, but then width and height would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -331,14 +342,16 @@ static int GetConvolutionFilter(__GLXcli
int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDisp_GetConvolutionFilterEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -371,7 +384,8 @@ static int GetHistogram(__GLXclientState
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -394,14 +408,16 @@ static int GetHistogram(__GLXclientState
int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDisp_GetHistogramEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -427,7 +443,8 @@ static int GetMinmax(__GLXclientState *c
reset = *(GLboolean *)(pc + 13);
compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -449,14 +466,16 @@ static int GetMinmax(__GLXclientState *c
int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDisp_GetMinmaxEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -488,7 +507,8 @@ static int GetColorTable(__GLXclientStat
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -516,13 +536,15 @@ static int GetColorTable(__GLXclientStat
int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDisp_GetColorTableSGI(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
Index: xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c
diff -u xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c Tue Dec 9 19:36:57 2014
@@ -55,6 +55,8 @@ int __glXDispSwap_ReadPixels(__GLXclient
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -76,7 +78,8 @@ int __glXDispSwap_ReadPixels(__GLXclient
swapBytes = *(GLboolean *)(pc + 24);
lsbFirst = *(GLboolean *)(pc + 25);
compsize = __glReadPixels_size(format,type,width,height);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst) );
@@ -118,6 +121,8 @@ int __glXDispSwap_GetTexImage(__GLXclien
char *answer, answerBuffer[200];
GLint width=0, height=0, depth=1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -146,7 +151,8 @@ int __glXDispSwap_GetTexImage(__GLXclien
* are illegal, but then width, height, and depth would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -188,6 +194,8 @@ int __glXDispSwap_GetPolygonStipple(__GL
char *answer;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -252,13 +260,13 @@ static int GetSeparableFilter(__GLXclien
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
- if (compsize < 0) compsize = 0;
- if (compsize2 < 0) compsize2 = 0;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
+ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
CALL_GetSeparableFilter( GET_DISPATCH(), (
*(GLenum *)(pc + 0),
@@ -288,14 +296,18 @@ static int GetSeparableFilter(__GLXclien
int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -336,7 +348,8 @@ static int GetConvolutionFilter(__GLXcli
* are illegal, but then width and height would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -367,14 +380,18 @@ static int GetConvolutionFilter(__GLXcli
int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -411,7 +428,8 @@ static int GetHistogram(__GLXclientState
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -435,14 +453,18 @@ static int GetHistogram(__GLXclientState
int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDispSwap_GetHistogramEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -473,7 +495,8 @@ static int GetMinmax(__GLXclientState *c
reset = *(GLboolean *)(pc + 13);
compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -495,14 +518,18 @@ static int GetMinmax(__GLXclientState *c
int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDispSwap_GetMinmaxEXT(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -538,7 +565,8 @@ static int GetColorTable(__GLXclientStat
* are illegal, but then width would still be zero anyway.
*/
compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
- if (compsize < 0) compsize = 0;
+ if (compsize < 0)
+ return BadLength;
CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
__GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -567,13 +595,17 @@ static int GetColorTable(__GLXclientStat
int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
int __glXDispSwap_GetColorTableSGI(__GLXclientState *cl, GLbyte *pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
Index: xsrc/external/mit/xorg-server/dist/glx/swap_interval.c
diff -u xsrc/external/mit/xorg-server/dist/glx/swap_interval.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/glx/swap_interval.c:1.1.1.2.10.1
--- xsrc/external/mit/xorg-server/dist/glx/swap_interval.c:1.1.1.2 Tue Nov 23 05:21:09 2010
+++ xsrc/external/mit/xorg-server/dist/glx/swap_interval.c Tue Dec 9 19:36:57 2014
@@ -51,6 +51,8 @@ int DoSwapInterval(__GLXclientState *cl,
GLint interval;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
cx = __glXLookupContextByTag(cl, tag);
if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
Index: xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c
diff -u xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c:1.1.1.4.4.1
--- xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c:1.1.1.4 Mon Jun 3 07:34:24 2013
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c Tue Dec 9 19:36:57 2014
@@ -266,6 +266,9 @@ ProcDRI2GetBuffers(ClientPtr client)
unsigned int *attachments;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+ if (stuff->count > (INT_MAX / 4))
+ return BadLength;
+
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
return status;
Index: xsrc/external/mit/xorg-server/dist/include/dix.h
diff -u xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.5 xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.5.10.1
--- xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.5 Tue Aug 2 06:57:02 2011
+++ xsrc/external/mit/xorg-server/dist/include/dix.h Tue Dec 9 19:36:57 2014
@@ -74,9 +74,14 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
Index: xsrc/external/mit/xorg-server/dist/include/regionstr.h
diff -u xsrc/external/mit/xorg-server/dist/include/regionstr.h:1.1.1.3 xsrc/external/mit/xorg-server/dist/include/regionstr.h:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/include/regionstr.h:1.1.1.3 Tue Nov 23 05:22:05 2010
+++ xsrc/external/mit/xorg-server/dist/include/regionstr.h Tue Dec 9 19:36:57 2014
@@ -108,7 +108,10 @@ static inline BoxPtr RegionEnd(RegionPtr
}
static inline size_t RegionSizeof(int n) {
- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ else
+ return 0;
}
static inline void RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
@@ -120,10 +123,10 @@ static inline void RegionInit(RegionPtr
}
else
{
+ size_t rgnSize;
(_pReg)->extents = RegionEmptyBox;
- if (((_size) > 1) && ((_pReg)->data =
- (RegDataPtr)malloc(RegionSizeof(_size))))
- {
+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
(_pReg)->data->size = (_size);
(_pReg)->data->numRects = 0;
}
Index: xsrc/external/mit/xorg-server/dist/os/access.c
diff -u xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.5.10.1
--- xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.5 Tue Aug 2 06:57:04 2011
+++ xsrc/external/mit/xorg-server/dist/os/access.c Tue Dec 9 19:36:57 2014
@@ -1405,6 +1405,10 @@ GetHosts (
{
nHosts++;
n += pad_to_int32(host->len) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
+ if (n >= 1048576)
+ break;
}
if (n)
{
@@ -1416,6 +1420,8 @@ GetHosts (
for (host = validhosts; host; host = host->next)
{
len = host->len;
+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ break;
((xHostEntry *)ptr)->family = host->family;
((xHostEntry *)ptr)->length = len;
ptr += sizeof(xHostEntry);
Index: xsrc/external/mit/xorg-server/dist/os/rpcauth.c
diff -u xsrc/external/mit/xorg-server/dist/os/rpcauth.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/os/rpcauth.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/os/rpcauth.c:1.1.1.3 Tue Nov 23 05:22:09 2010
+++ xsrc/external/mit/xorg-server/dist/os/rpcauth.c Tue Dec 9 19:36:57 2014
@@ -67,6 +67,10 @@ authdes_ezdecode(const char *inmsg, int
SVCXPRT xprt;
temp_inmsg = malloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *)&msg, 0, sizeof(msg));
Index: xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c
diff -u xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c:1.1.1.3 Tue Nov 23 05:22:11 2010
+++ xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c Tue Dec 9 19:36:57 2014
@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client)
register int n;
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
swapl(&stuff->minorVersion, n);
@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client)
register int n;
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client)
register int n;
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
swaps(&stuff->enable, n);
@@ -165,6 +168,7 @@ SProcRRConfigureOutputProperty (ClientPt
int n;
REQUEST(xRRConfigureOutputPropertyReq);
+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
swaps(&stuff->length, n);
swapl(&stuff->output, n);
swapl(&stuff->property, n);
Index: xsrc/external/mit/xorg-server/dist/render/render.c
diff -u xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.7 xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.7.10.1
--- xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.7 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/render/render.c Tue Dec 9 19:36:57 2014
@@ -278,11 +278,11 @@ ProcRenderQueryVersion (ClientPtr client
xRenderQueryVersionReply rep;
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
memset(&rep, 0, sizeof(xRenderQueryVersionReply));
rep.type = X_Reply;
rep.length = 0;
@@ -2064,6 +2064,7 @@ SProcRenderQueryVersion (ClientPtr clien
{
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
@@ -2076,6 +2077,7 @@ SProcRenderQueryPictFormats (ClientPtr c
{
register int n;
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2085,6 +2087,7 @@ SProcRenderQueryPictIndexValues (ClientP
{
register int n;
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length, n);
swapl(&stuff->format, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2101,6 +2104,7 @@ SProcRenderCreatePicture (ClientPtr clie
{
register int n;
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->pid, n);
swapl(&stuff->drawable, n);
@@ -2115,6 +2119,7 @@ SProcRenderChangePicture (ClientPtr clie
{
register int n;
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
swapl(&stuff->mask, n);
@@ -2127,6 +2132,7 @@ SProcRenderSetPictureClipRectangles (Cli
{
register int n;
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
swaps(&stuff->xOrigin, n);
@@ -2140,6 +2146,7 @@ SProcRenderFreePicture (ClientPtr client
{
register int n;
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2150,6 +2157,7 @@ SProcRenderComposite (ClientPtr client)
{
register int n;
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->mask, n);
@@ -2170,6 +2178,7 @@ SProcRenderScale (ClientPtr client)
{
register int n;
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->dst, n);
@@ -2275,6 +2284,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli
{
register int n;
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->format, n);
@@ -2286,6 +2296,7 @@ SProcRenderReferenceGlyphSet (ClientPtr
{
register int n;
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->existing, n);
@@ -2297,6 +2308,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien
{
register int n;
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2311,6 +2323,7 @@ SProcRenderAddGlyphs (ClientPtr client)
void *end;
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
swapl(&stuff->nglyphs, n);
@@ -2347,6 +2360,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
SwapRestL(stuff);
@@ -2365,6 +2379,7 @@ SProcRenderCompositeGlyphs (ClientPtr cl
int size;
REQUEST(xRenderCompositeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
switch (stuff->renderReqType) {
default: size = 1; break;
Index: xsrc/external/mit/xorg-server/dist/test/Makefile.am
diff -u xsrc/external/mit/xorg-server/dist/test/Makefile.am:1.1.1.1 xsrc/external/mit/xorg-server/dist/test/Makefile.am:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/test/Makefile.am:1.1.1.1 Tue Nov 23 05:22:13 2010
+++ xsrc/external/mit/xorg-server/dist/test/Makefile.am Tue Dec 9 19:36:57 2014
@@ -1,5 +1,5 @@
if UNITTESTS
-SUBDIRS= . xi2
+SUBDIRS= . xi1 xi2
check_PROGRAMS = xkb input xtest
check_LTLIBRARIES = libxservertest.la
Index: xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c
diff -u xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c:1.1.1.1 Tue Nov 23 05:22:14 2010
+++ xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xigetclientpointer.c Tue Dec 9 19:36:58 2014
@@ -125,6 +125,11 @@ static void test_XIGetClientPointer(void
request.win = INVALID_WINDOW_ID;
request_XIGetClientPointer(&client_request, &request, BadWindow);
+ printf("Testing invalid length\n");
+ client_request.req_len -= 4;
+ request_XIGetClientPointer(&client_request, &request, BadLength);
+ client_request.req_len += 4;
+
test_data.cp_is_set = FALSE;
g_test_message("Testing window None, unset ClientPointer.");
Index: xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c
diff -u xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c:1.1.1.1 Tue Nov 23 05:22:14 2010
+++ xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiquerypointer.c Tue Dec 9 19:36:58 2014
@@ -205,6 +205,10 @@ static void test_XIQueryPointer(void)
test_data.dev = devices.mouse;
request.deviceid = devices.mouse->id;
request_XIQueryPointer(&client_request, &request, Success);
+
+ /* test REQUEST_SIZE_MATCH */
+ client_request.req_len -= 4;
+ request_XIQueryPointer(&client_request, &request, BadLength);
}
int main(int argc, char** argv)
Index: xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c
diff -u xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c:1.1.1.1.10.1
--- xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c:1.1.1.1 Tue Nov 23 05:22:14 2010
+++ xsrc/external/mit/xorg-server/dist/test/xi2/protocol-xiwarppointer.c Tue Dec 9 19:36:58 2014
@@ -200,6 +200,9 @@ static void test_XIWarpPointer(void)
request_XIWarpPointer(&client_request, &request, Success);
/* FIXME: src_x/y checks */
+
+ client_request.req_len -= 2; /* invalid length */
+ request_XIWarpPointer(&client_request, &request, BadLength);
}
int main(int argc, char** argv)
Index: xsrc/external/mit/xorg-server/dist/xfixes/select.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/select.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/xfixes/select.c:1.1.1.3.10.1
--- xsrc/external/mit/xorg-server/dist/xfixes/select.c:1.1.1.3 Tue Nov 23 05:22:16 2010
+++ xsrc/external/mit/xorg-server/dist/xfixes/select.c Tue Dec 9 19:36:58 2014
@@ -223,6 +223,7 @@ SProcXFixesSelectSelectionInput (ClientP
register int n;
REQUEST(xXFixesSelectSelectionInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
swapl(&stuff->selection, n);
Added files:
Index: xsrc/external/mit/xorg-server/dist/test/xi1/Makefile.am
diff -u /dev/null xsrc/external/mit/xorg-server/dist/test/xi1/Makefile.am:1.1.2.2
--- /dev/null Tue Dec 9 19:36:59 2014
+++ xsrc/external/mit/xorg-server/dist/test/xi1/Makefile.am Tue Dec 9 19:36:58 2014
@@ -0,0 +1,34 @@
+if ENABLE_UNIT_TESTS
+if HAVE_LD_WRAP
+noinst_PROGRAMS = \
+ protocol-xchangedevicecontrol
+
+TESTS=$(noinst_PROGRAMS)
+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
+
+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
+
+if SPECIAL_DTRACE_OBJECTS
+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
+endif
+
+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
+
+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
+
+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
+
+else
+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
+TESTS = xi1-tests
+CLEANFILES = $(TESTS)
+
+xi1-tests:
+ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
+ @echo 'exit 77' >> $@
+ $(AM_V_GEN)chmod +x $@
+endif
+endif
Index: xsrc/external/mit/xorg-server/dist/test/xi1/protocol-xchangedevicecontrol.c
diff -u /dev/null xsrc/external/mit/xorg-server/dist/test/xi1/protocol-xchangedevicecontrol.c:1.1.2.2
--- /dev/null Tue Dec 9 19:36:59 2014
+++ xsrc/external/mit/xorg-server/dist/test/xi1/protocol-xchangedevicecontrol.c Tue Dec 9 19:36:58 2014
@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_DIX_CONFIG_H
+#include <dix-config.h>
+#endif
+
+/*
+ * Protocol testing for ChangeDeviceControl request.
+ */
+#include <stdint.h>
+#include <X11/X.h>
+#include <X11/Xproto.h>
+#include <X11/extensions/XIproto.h>
+#include "inputstr.h"
+#include "chgdctl.h"
+
+#include "protocol-common.h"
+
+static ClientRec client_request;
+
+static void
+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
+{
+ xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
+
+ if (client->swapped) {
+ swapl(&rep->length);
+ swaps(&rep->sequenceNumber);
+ }
+
+ reply_check_defaults(rep, len, ChangeDeviceControl);
+
+ /* XXX: check status code in reply */
+}
+
+static void
+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
+ xDeviceCtl *ctl, int error)
+{
+ int rc;
+
+ client_request.req_len = req->length;
+ rc = ProcXChangeDeviceControl(&client_request);
+ assert(rc == error);
+
+ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
+
+ client_request.swapped = TRUE;
+ swaps(&req->length);
+ swaps(&req->control);
+ swaps(&ctl->length);
+ swaps(&ctl->control);
+ /* XXX: swap other contents of ctl, depending on type */
+ rc = SProcXChangeDeviceControl(&client_request);
+ assert(rc == error);
+}
+
+static unsigned char *data[4096]; /* the request buffer */
+
+static void
+test_ChangeDeviceControl(void)
+{
+ xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
+ xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
+
+ request_init(request, ChangeDeviceControl);
+
+ reply_handler = reply_ChangeDeviceControl;
+
+ client_request = init_client(request->length, request);
+
+ printf("Testing invalid lengths:\n");
+ printf(" -- no control struct\n");
+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+ printf(" -- xDeviceResolutionCtl\n");
+ request_init(request, ChangeDeviceControl);
+ request->control = DEVICE_RESOLUTION;
+ control->length = (sizeof(xDeviceResolutionCtl) >> 2);
+ request->length += control->length - 2;
+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+ printf(" -- xDeviceEnableCtl\n");
+ request_init(request, ChangeDeviceControl);
+ request->control = DEVICE_ENABLE;
+ control->length = (sizeof(xDeviceEnableCtl) >> 2);
+ request->length += control->length - 2;
+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+ /* XXX: Test functionality! */
+}
+
+int
+main(int argc, char **argv)
+{
+ init_simple();
+
+ test_ChangeDeviceControl();
+
+ return 0;
+}
