dist

Soren Jacobsen Tue, 09 Dec 2014 12:00:06 -0800

Module Name:    xsrc
Committed By:   snj
Date:           Tue Dec  9 19:56:35 UTC 2014


Modified Files:
        xsrc/external/mit/xorg-server/dist/Xext [netbsd-5-1]: xcmisc.c xvdisp.c
        xsrc/external/mit/xorg-server/dist/Xi [netbsd-5-1]: chgdctl.c chgfctl.c
            sendexev.c xiproperty.c
        xsrc/external/mit/xorg-server/dist/dbe [netbsd-5-1]: dbe.c
        xsrc/external/mit/xorg-server/dist/dix [netbsd-5-1]: dispatch.c
        xsrc/external/mit/xorg-server/dist/glx [netbsd-5-1]: glxcmds.c
            glxcmdsswap.c glxserver.h indirect_program.c indirect_reqsize.c
            indirect_reqsize.h indirect_texture_compression.c indirect_util.c
            rensize.c single2.c single2swap.c singlepix.c singlepixswap.c
            swap_interval.c unpack.h
        xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2 [netbsd-5-1]:
            dri2ext.c
        xsrc/external/mit/xorg-server/dist/include [netbsd-5-1]: dix.h misc.h
        xsrc/external/mit/xorg-server/dist/os [netbsd-5-1]: access.c rpcauth.c
        xsrc/external/mit/xorg-server/dist/randr [netbsd-5-1]: rrsdispatch.c
        xsrc/external/mit/xorg-server/dist/render [netbsd-5-1]: render.c
        xsrc/external/mit/xorg-server/dist/xfixes [netbsd-5-1]: select.c

Log Message:
Apply patch (requested by mrg in ticket #1935):
apply fixes for X.Org Security Advisory:  Dec. 9, 2014
Protocol handling issues in X Window System servers

included are fixes for:

denial of service due to unchecked malloc in client authentication
       CVE-2014-8091
integer overflows calculating memory needs for requests
       CVE-2014-8092
       CVE-2014-8093
       CVE-2014-8094
out of bounds access due to not validating length or offset values in requests
       CVE-2014-8095
       CVE-2014-8096
       CVE-2014-8097
       CVE-2014-8098
       CVE-2014-8099
       CVE-2014-8100
       CVE-2014-8101
       CVE-2014-8102
       CVE-2014-8103


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c \
    xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c \
    xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c \
    xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.2.1 \
    xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/dbe/dbe.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/dix/dispatch.c
cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.2.1 \
    xsrc/external/mit/xorg-server/dist/glx/glxcmds.c
cvs rdiff -u -r1.1.1.1.2.2 -r1.1.1.1.2.2.2.1 \
    xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c \
    xsrc/external/mit/xorg-server/dist/glx/glxserver.h \
    xsrc/external/mit/xorg-server/dist/glx/indirect_program.c \
    xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c \
    xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h \
    xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c \
    xsrc/external/mit/xorg-server/dist/glx/indirect_util.c \
    xsrc/external/mit/xorg-server/dist/glx/rensize.c \
    xsrc/external/mit/xorg-server/dist/glx/single2.c \
    xsrc/external/mit/xorg-server/dist/glx/single2swap.c \
    xsrc/external/mit/xorg-server/dist/glx/singlepix.c \
    xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c \
    xsrc/external/mit/xorg-server/dist/glx/swap_interval.c \
    xsrc/external/mit/xorg-server/dist/glx/unpack.h
cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.2.1 \
    xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/include/dix.h \
    xsrc/external/mit/xorg-server/dist/include/misc.h
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/os/access.c \
    xsrc/external/mit/xorg-server/dist/os/rpcauth.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/render/render.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
    xsrc/external/mit/xorg-server/dist/xfixes/select.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1	Thu Sep 17 03:34:49 2009
+++ xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c	Tue Dec  9 19:56:34 2014
@@ -200,6 +200,7 @@ SProcXCMiscGetXIDList(client)
 {
     int n;
     REQUEST(xXCMiscGetXIDListReq);
+    REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->count, n);
Index: xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.1.1.1.2.1	Thu Sep 17 03:34:49 2009
+++ xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c	Tue Dec  9 19:56:34 2014
@@ -1371,6 +1371,7 @@ SProcXvQueryExtension(ClientPtr client)
 {
   char n;
   REQUEST(xvQueryExtensionReq);
+  REQUEST_SIZE_MATCH(xvQueryExtensionReq);
   swaps(&stuff->length, n);
   return XvProcVector[xv_QueryExtension](client);
 }
@@ -1380,6 +1381,7 @@ SProcXvQueryAdaptors(ClientPtr client)
 {
   char n;
   REQUEST(xvQueryAdaptorsReq);
+  REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
   swaps(&stuff->length, n);
   swapl(&stuff->window, n);
   return XvProcVector[xv_QueryAdaptors](client);
@@ -1390,6 +1392,7 @@ SProcXvQueryEncodings(ClientPtr client)
 {
   char n;
   REQUEST(xvQueryEncodingsReq);
+  REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return XvProcVector[xv_QueryEncodings](client);
@@ -1400,6 +1403,7 @@ SProcXvGrabPort(ClientPtr client)
 {
   char n;
   REQUEST(xvGrabPortReq);
+  REQUEST_SIZE_MATCH(xvGrabPortReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->time, n);
@@ -1411,6 +1415,7 @@ SProcXvUngrabPort(ClientPtr client)
 {
   char n;
   REQUEST(xvUngrabPortReq);
+  REQUEST_SIZE_MATCH(xvUngrabPortReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->time, n);
@@ -1422,6 +1427,7 @@ SProcXvPutVideo(ClientPtr client)
 {
   char n;
   REQUEST(xvPutVideoReq);
+  REQUEST_SIZE_MATCH(xvPutVideoReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1442,6 +1448,7 @@ SProcXvPutStill(ClientPtr client)
 {
   char n;
   REQUEST(xvPutStillReq);
+  REQUEST_SIZE_MATCH(xvPutStillReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1462,6 +1469,7 @@ SProcXvGetVideo(ClientPtr client)
 {
   char n;
   REQUEST(xvGetVideoReq);
+  REQUEST_SIZE_MATCH(xvGetVideoReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1482,6 +1490,7 @@ SProcXvGetStill(ClientPtr client)
 {
   char n;
   REQUEST(xvGetStillReq);
+  REQUEST_SIZE_MATCH(xvGetStillReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1502,6 +1511,7 @@ SProcXvPutImage(ClientPtr client)
 {
   char n;
   REQUEST(xvPutImageReq);
+  REQUEST_AT_LEAST_SIZE(xvPutImageReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1526,6 +1536,7 @@ SProcXvShmPutImage(ClientPtr client)
 {
   char n;
   REQUEST(xvShmPutImageReq);
+  REQUEST_SIZE_MATCH(xvShmPutImageReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1554,6 +1565,7 @@ SProcXvSelectVideoNotify(ClientPtr clien
 {
   char n;
   REQUEST(xvSelectVideoNotifyReq);
+  REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
   swaps(&stuff->length, n);
   swapl(&stuff->drawable, n);
   return XvProcVector[xv_SelectVideoNotify](client);
@@ -1564,6 +1576,7 @@ SProcXvSelectPortNotify(ClientPtr client
 {
   char n;
   REQUEST(xvSelectPortNotifyReq);
+  REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return XvProcVector[xv_SelectPortNotify](client);
@@ -1574,6 +1587,7 @@ SProcXvStopVideo(ClientPtr client)
 {
   char n;
   REQUEST(xvStopVideoReq);
+  REQUEST_SIZE_MATCH(xvStopVideoReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1585,6 +1599,7 @@ SProcXvSetPortAttribute(ClientPtr client
 {
   char n;
   REQUEST(xvSetPortAttributeReq);
+  REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->attribute, n);
@@ -1597,6 +1612,7 @@ SProcXvGetPortAttribute(ClientPtr client
 {
   char n;
   REQUEST(xvGetPortAttributeReq);
+  REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->attribute, n);
@@ -1608,6 +1624,7 @@ SProcXvQueryBestSize(ClientPtr client)
 {
   char n;
   REQUEST(xvQueryBestSizeReq);
+  REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swaps(&stuff->vid_w, n);
@@ -1622,6 +1639,7 @@ SProcXvQueryPortAttributes(ClientPtr cli
 {
   char n;
   REQUEST(xvQueryPortAttributesReq);
+  REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return XvProcVector[xv_QueryPortAttributes](client);
@@ -1632,6 +1650,7 @@ SProcXvQueryImageAttributes(ClientPtr cl
 {
   char n;
   REQUEST(xvQueryImageAttributesReq);
+  REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->id, n);
@@ -1645,6 +1664,7 @@ SProcXvListImageFormats(ClientPtr client
 {
   char n;
   REQUEST(xvListImageFormatsReq);
+  REQUEST_SIZE_MATCH(xvListImageFormatsReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return XvProcVector[xv_ListImageFormats](client);

Index: xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c:1.1.1.1.2.1	Thu Sep 17 03:34:49 2009
+++ xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c	Tue Dec  9 19:56:34 2014
@@ -83,7 +83,7 @@ SProcXChangeDeviceControl(ClientPtr clie
 
     REQUEST(xChangeDeviceControlReq);
     swaps(&stuff->length, n);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
     swaps(&stuff->control, n);
     ctl = (xDeviceCtl*)&stuff[1];
     swaps(&ctl->control, n);
@@ -142,7 +142,7 @@ ProcXChangeDeviceControl(ClientPtr clien
     devicePresenceNotify dpn;
 
     REQUEST(xChangeDeviceControlReq);
-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
 
     len = stuff->length - (sizeof(xChangeDeviceControlReq) >> 2);
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@@ -250,6 +250,10 @@ ProcXChangeDeviceControl(ClientPtr clien
         break;
     case DEVICE_ENABLE:
         e = (xDeviceEnableCtl *)&stuff[1];
+        if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
+            ret = BadLength;
+            goto out;
+        }
 
         status = ChangeDeviceControl(client, dev, (xDeviceCtl *) e);
 
Index: xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.1.1.1.2.1	Thu Sep 17 03:34:49 2009
+++ xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c	Tue Dec  9 19:56:34 2014
@@ -473,6 +473,8 @@ ProcXChangeFeedbackControl(ClientPtr cli
 	xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]);
 
 	if (client->swapped) {
+            if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+                return BadLength;
 	    swaps(&f->num_keysyms, n);
 	}
 	if (len != ((sizeof(xStringFeedbackCtl) >> 2) + f->num_keysyms))
Index: xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.1.2.1	Thu Sep 17 03:34:50 2009
+++ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c	Tue Dec  9 19:56:34 2014
@@ -136,6 +136,9 @@ ProcXSendExtensionEvent(ClientPtr client
     if (ret != Success)
 	return ret;
 
+    if (stuff->num_events == 0)
+        return ret;
+
     /* The client's event type must be one defined by an extension. */
 
     first = ((xEvent *) & stuff[1]);

Index: xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.1.1.2.2.2 xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.1.1.2.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.1.1.2.2.2	Thu Sep 17 03:34:50 2009
+++ xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c	Tue Dec  9 19:56:34 2014
@@ -839,10 +839,9 @@ SProcXListDeviceProperties (ClientPtr cl
 {
     char n;
     REQUEST(xListDevicePropertiesReq);
+    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
 
     swaps(&stuff->length, n);
-
-    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
     return (ProcXListDeviceProperties(client));
 }
 
@@ -865,10 +864,10 @@ SProcXDeleteDeviceProperty (ClientPtr cl
 {
     char n;
     REQUEST(xDeleteDevicePropertyReq);
+    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->property, n);
-    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
     return (ProcXDeleteDeviceProperty(client));
 }
 
@@ -877,13 +876,13 @@ SProcXGetDeviceProperty (ClientPtr clien
 {
     char n;
     REQUEST(xGetDevicePropertyReq);
+    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->property, n);
     swapl(&stuff->type, n);
     swapl(&stuff->longOffset, n);
     swapl(&stuff->longLength, n);
-    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
     return (ProcXGetDeviceProperty(client));
 }
 

Index: xsrc/external/mit/xorg-server/dist/dbe/dbe.c
diff -u xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.1.2.1	Thu Sep 17 03:34:53 2009
+++ xsrc/external/mit/xorg-server/dist/dbe/dbe.c	Tue Dec  9 19:56:34 2014
@@ -487,8 +487,8 @@ ProcDbeSwapBuffers(ClientPtr client)
     DbeSwapInfoPtr	swapInfo;
     xDbeSwapInfo	*dbeSwapInfo;
     int			error;
-    register int	i, j;
-    int			nStuff;
+    unsigned int i, j;
+    unsigned int nStuff;
 
 
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
@@ -496,11 +496,13 @@ ProcDbeSwapBuffers(ClientPtr client)
 
     if (nStuff == 0)
     {
+        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
         return(Success);
     }
 
     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
 	    return BadAlloc;
+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
 
     /* Get to the swap info appended to the end of the request. */
     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
@@ -1045,7 +1047,7 @@ static int
 SProcDbeSwapBuffers(ClientPtr client)
 {
     REQUEST(xDbeSwapBuffersReq);
-    register int	i, n;
+    unsigned int	i, n;
     xDbeSwapInfo	*pSwapInfo;
 
 
@@ -1053,6 +1055,9 @@ SProcDbeSwapBuffers(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
 
     swapl(&stuff->n, n);
+    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+        return BadAlloc;
+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0)
     { 

Index: xsrc/external/mit/xorg-server/dist/dix/dispatch.c
diff -u xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.1.2.1	Thu Sep 17 03:34:53 2009
+++ xsrc/external/mit/xorg-server/dist/dix/dispatch.c	Tue Dec  9 19:56:34 2014
@@ -1885,6 +1885,9 @@ ProcPutImage(ClientPtr client)
 
     tmpImage = (char *)&stuff[1];
     lengthProto = length;
+
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
 	
     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
 	(sizeof(xPutImageReq) >> 2)) != client->req_len)

Index: xsrc/external/mit/xorg-server/dist/glx/glxcmds.c
diff -u xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.1.1.2.2.2 xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.1.1.2.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.1.1.2.2.2	Thu Sep 17 03:34:56 2009
+++ xsrc/external/mit/xorg-server/dist/glx/glxcmds.c	Tue Dec  9 19:56:35 2014
@@ -1764,7 +1764,7 @@ int __glXDisp_Render(__GLXclientState *c
     left = (req->length << 2) - sz_xGLXRenderReq;
     while (left > 0) {
         __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
 	__GLXdispatchRenderProcPtr proc;
 	int err;
 
@@ -1780,6 +1780,9 @@ int __glXDisp_Render(__GLXclientState *c
 	cmdlen = hdr->length;
 	opcode = hdr->opcode;
 
+        if (left < cmdlen)
+            return BadLength;
+
 	/*
 	** Check for core opcodes and grab entry data.
 	*/
@@ -1793,23 +1796,21 @@ int __glXDisp_Render(__GLXclientState *c
 	    return __glXError(GLXBadRenderRequest);
 	}
 
+        if (cmdlen < entry.bytes) {
+            return BadLength;
+        }
+
         if (entry.varsize) {
             /* variable size command */
             extra = (*entry.varsize)(pc + __GLX_RENDER_HDR_SIZE,
-				     client->swapped);
+                                     client->swapped,
+                                     left - __GLX_RENDER_LARGE_HDR_SIZE);
             if (extra < 0) {
-                extra = 0;
-            }
-            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-                return BadLength;
-            }
-        } else {
-            /* constant size command */
-            if (cmdlen != __GLX_PAD(entry.bytes)) {
                 return BadLength;
             }
         }
-	if (left < cmdlen) {
+
+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
 	    return BadLength;
 	}
 
@@ -1844,6 +1845,8 @@ int __glXDisp_RenderLarge(__GLXclientSta
     CARD16 opcode;
     __GLX_DECLARE_SWAP_VARIABLES;
     
+    REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
     req = (xGLXRenderLargeReq *) pc;
     if (client->swapped) {
 	__GLX_SWAP_SHORT(&req->length);
@@ -1859,12 +1862,14 @@ int __glXDisp_RenderLarge(__GLXclientSta
 	__glXResetLargeCommandStatus(cl);
 	return error;
     }
+    if (safe_pad(req->dataBytes) < 0)
+        return BadLength;
     dataBytes = req->dataBytes;
 
     /*
     ** Check the request length.
     */
-    if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+    if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
 	client->errorValue = req->length;
 	/* Reset in case this isn't 1st request. */
 	__glXResetLargeCommandStatus(cl);
@@ -1874,7 +1879,8 @@ int __glXDisp_RenderLarge(__GLXclientSta
     
     if (cl->largeCmdRequestsSoFar == 0) {
 	__GLXrenderSizeData entry;
-	int extra;
+	int extra = 0;
+	int left = (req->length << 2) - sz_xGLXRenderLargeReq;
 	size_t cmdlen;
 	int err;
 
@@ -1887,13 +1893,17 @@ int __glXDisp_RenderLarge(__GLXclientSta
 	    return __glXError(GLXBadLargeRequest);
 	}
 
+	if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+	    return BadLength;
+
 	hdr = (__GLXrenderLargeHeader *) pc;
 	if (client->swapped) {
 	    __GLX_SWAP_INT(&hdr->length);
 	    __GLX_SWAP_INT(&hdr->opcode);
 	}
-	cmdlen = hdr->length;
 	opcode = hdr->opcode;
+	if ((cmdlen = safe_pad(hdr->length)) < 0)
+	    return BadLength;
 
 	/*
 	** Check for core opcodes and grab entry data.
@@ -1911,20 +1921,18 @@ int __glXDisp_RenderLarge(__GLXclientSta
 	    ** will be in the 1st request, so it's okay to do this.
 	    */
 	    extra = (*entry.varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE,
-				     client->swapped);
+                                     client->swapped,
+                                     left - __GLX_RENDER_HDR_SIZE);
 	    if (extra < 0) {
-		extra = 0;
-	    }
-	    /* large command's header is 4 bytes longer, so add 4 */
-	    if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
-		return BadLength;
-	    }
-	} else {
-	    /* constant size command */
-	    if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
-		return BadLength;
+                return BadLength;
 	    }
 	}
+
+	/* the +4 is safe because we know entry.bytes is small */
+	if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+            return BadLength;
+	}
+
 	/*
 	** Make enough space in the buffer, then copy the entire request.
 	*/
@@ -1952,6 +1960,7 @@ int __glXDisp_RenderLarge(__GLXclientSta
 	** We are receiving subsequent (i.e. not the first) requests of a
 	** multi request command.
 	*/
+	int bytesSoFar; /* including this packet */
 
 	/*
 	** Check the request number and the total request count.
@@ -1970,11 +1979,18 @@ int __glXDisp_RenderLarge(__GLXclientSta
 	/*
 	** Check that we didn't get too much data.
 	*/
-	if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+	if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
 	    client->errorValue = dataBytes;
 	    __glXResetLargeCommandStatus(cl);
 	    return __glXError(GLXBadLargeRequest);
 	}
+
+	if (bytesSoFar > cl->largeCmdBytesTotal) {
+	    client->errorValue = dataBytes;
+	    __glXResetLargeCommandStatus(cl);
+	    return __glXError(GLXBadLargeRequest);
+	}
+
 	memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
 	cl->largeCmdBytesSoFar += dataBytes;
 	cl->largeCmdRequestsSoFar++;
@@ -1986,17 +2002,16 @@ int __glXDisp_RenderLarge(__GLXclientSta
 	    ** This is the last request; it must have enough bytes to complete
 	    ** the command.
 	    */
-	    /* NOTE: the two pad macros have been added below; they are needed
-	    ** because the client library pads the total byte count, but not
-	    ** the per-request byte counts.  The Protocol Encoding says the
-	    ** total byte count should not be padded, so a proposal will be 
-	    ** made to the ARB to relax the padding constraint on the total 
-	    ** byte count, thus preserving backward compatibility.  Meanwhile, 
-	    ** the padding done below fixes a bug that did not allow
-	    ** large commands of odd sizes to be accepted by the server.
+	    /* NOTE: the pad macro below is needed because the client library
+	    ** pads the total byte count, but not the per-request byte counts.
+	    ** The Protocol Encoding says the total byte count should not be
+	    ** padded, so a proposal will be made to the ARB to relax the
+	    ** padding constraint on the total byte count, thus preserving
+	    ** backward compatibility.  Meanwhile, the padding done below
+	    ** fixes a bug that did not allow large commands of odd sizes to
+	    ** be accepted by the server.
 	    */
-	    if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
-		__GLX_PAD(cl->largeCmdBytesTotal)) {
+	    if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
 		client->errorValue = dataBytes;
 		__glXResetLargeCommandStatus(cl);
 		return __glXError(GLXBadLargeRequest);

Index: xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c
diff -u xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c:1.1.1.1.2.2	Thu Sep 17 03:34:56 2009
+++ xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c	Tue Dec  9 19:56:35 2014
@@ -722,11 +722,13 @@ int __glXDispSwap_RenderLarge(__GLXclien
 
 int __glXDispSwap_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req;
     GLint vendorcode;
     __GLXdispatchVendorPrivProcPtr proc;
 
     __GLX_DECLARE_SWAP_VARIABLES;
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     req = (xGLXVendorPrivateReq *) pc;
     __GLX_SWAP_SHORT(&req->length);
@@ -749,11 +751,13 @@ int __glXDispSwap_VendorPrivate(__GLXcli
 
 int __glXDispSwap_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateWithReplyReq *req;
     GLint vendorcode;
     __GLXdispatchVendorPrivProcPtr proc;
 
     __GLX_DECLARE_SWAP_VARIABLES;
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
 
     req = (xGLXVendorPrivateWithReplyReq *) pc;
     __GLX_SWAP_SHORT(&req->length);
Index: xsrc/external/mit/xorg-server/dist/glx/glxserver.h
diff -u xsrc/external/mit/xorg-server/dist/glx/glxserver.h:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/glxserver.h:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/glxserver.h:1.1.1.1.2.2	Thu Sep 17 03:34:56 2009
+++ xsrc/external/mit/xorg-server/dist/glx/glxserver.h	Tue Dec  9 19:56:35 2014
@@ -200,7 +200,7 @@ typedef int (*__GLXprocPtr)(__GLXclientS
 /*
  * Tables for computing the size of each rendering command.
  */
-typedef int (*gl_proto_size_func)(const GLbyte *, Bool);
+typedef int (*gl_proto_size_func)(const GLbyte *, Bool, int);
 
 typedef struct {
     int bytes;
@@ -250,6 +250,47 @@ extern void glxSwapQueryServerStringRepl
  * Routines for computing the size of variably-sized rendering commands.
  */
 
+static _X_INLINE int
+safe_add(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (INT_MAX - a < b)
+        return -1;
+
+    return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (a == 0 || b == 0)
+        return 0;
+
+    if (a > INT_MAX / b)
+        return -1;
+
+    return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+    int ret;
+
+    if (a < 0)
+        return -1;
+
+    if ((ret = safe_add(a, 3)) < 0)
+        return -1;
+
+    return ret & (GLuint)~3;
+}
+
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type,
     GLenum target, GLsizei w, GLsizei h, GLsizei d,
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_program.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_program.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/indirect_program.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_program.c:1.1.1.1.2.2	Thu Sep 17 03:34:56 2009
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_program.c	Tue Dec  9 19:56:35 2014
@@ -72,6 +72,8 @@ int DoGetProgramString(struct __GLXclien
     ClientPtr client = cl->client;
 
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
     if (cx != NULL) {
 	GLenum target;
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c	Tue Dec  9 19:56:35 2014
@@ -32,25 +32,23 @@
 #include "indirect_size.h"
 #include "indirect_reqsize.h"
 
-#define __GLX_PAD(x)  (((x) + 3) & ~3)
-
 #if defined(__CYGWIN__) || defined(__MINGW32__)
 #  undef HAVE_ALIAS
 #endif
 #ifdef HAVE_ALIAS
 #  define ALIAS2(from,to) \
-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
         __attribute__ ((alias( # to )));
 #  define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
 #else
 #  define ALIAS(from,to) \
-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
-    { return __glX ## to ## ReqSize( pc, swap ); }
+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+    { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
 #endif
 
 
 int
-__glXCallListsReqSize(const GLbyte *pc, Bool swap)
+__glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 0);
     GLenum type = *(GLenum *) (pc + 4);
@@ -62,11 +60,11 @@ __glXCallListsReqSize(const GLbyte *pc, 
     }
 
     compsize = __glCallLists_size(type);
-    return __GLX_PAD((compsize * n));
+    return safe_pad(safe_mul(compsize, n));
 }
 
 int
-__glXBitmapReqSize(const GLbyte *pc, Bool swap)
+__glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -90,7 +88,7 @@ __glXBitmapReqSize(const GLbyte *pc, Boo
 }
 
 int
-__glXFogfvReqSize(const GLbyte *pc, Bool swap)
+__glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 0);
     GLsizei compsize;
@@ -100,11 +98,11 @@ __glXFogfvReqSize(const GLbyte *pc, Bool
     }
 
     compsize = __glFogfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXLightfvReqSize(const GLbyte *pc, Bool swap)
+__glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -114,11 +112,11 @@ __glXLightfvReqSize(const GLbyte *pc, Bo
     }
 
     compsize = __glLightfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXLightModelfvReqSize(const GLbyte *pc, Bool swap)
+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 0);
     GLsizei compsize;
@@ -128,11 +126,11 @@ __glXLightModelfvReqSize(const GLbyte *p
     }
 
     compsize = __glLightModelfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXMaterialfvReqSize(const GLbyte *pc, Bool swap)
+__glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -142,11 +140,11 @@ __glXMaterialfvReqSize(const GLbyte *pc,
     }
 
     compsize = __glMaterialfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXPolygonStippleReqSize(const GLbyte *pc, Bool swap)
+__glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -166,7 +164,7 @@ __glXPolygonStippleReqSize(const GLbyte 
 }
 
 int
-__glXTexParameterfvReqSize(const GLbyte *pc, Bool swap)
+__glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -176,11 +174,11 @@ __glXTexParameterfvReqSize(const GLbyte 
     }
 
     compsize = __glTexParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXTexImage1DReqSize(const GLbyte *pc, Bool swap)
+__glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -208,7 +206,7 @@ __glXTexImage1DReqSize(const GLbyte *pc,
 }
 
 int
-__glXTexImage2DReqSize(const GLbyte *pc, Bool swap)
+__glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -238,7 +236,7 @@ __glXTexImage2DReqSize(const GLbyte *pc,
 }
 
 int
-__glXTexEnvfvReqSize(const GLbyte *pc, Bool swap)
+__glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -248,11 +246,11 @@ __glXTexEnvfvReqSize(const GLbyte *pc, B
     }
 
     compsize = __glTexEnvfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXTexGendvReqSize(const GLbyte *pc, Bool swap)
+__glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -262,11 +260,11 @@ __glXTexGendvReqSize(const GLbyte *pc, B
     }
 
     compsize = __glTexGendv_size(pname);
-    return __GLX_PAD((compsize * 8));
+    return safe_pad(safe_mul(compsize, 8));
 }
 
 int
-__glXTexGenfvReqSize(const GLbyte *pc, Bool swap)
+__glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -276,11 +274,11 @@ __glXTexGenfvReqSize(const GLbyte *pc, B
     }
 
     compsize = __glTexGenfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXPixelMapfvReqSize(const GLbyte *pc, Bool swap)
+__glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei mapsize = *(GLsizei *) (pc + 4);
 
@@ -288,11 +286,11 @@ __glXPixelMapfvReqSize(const GLbyte *pc,
         mapsize = bswap_32(mapsize);
     }
 
-    return __GLX_PAD((mapsize * 4));
+    return safe_pad(safe_mul(mapsize, 4));
 }
 
 int
-__glXPixelMapusvReqSize(const GLbyte *pc, Bool swap)
+__glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei mapsize = *(GLsizei *) (pc + 4);
 
@@ -300,11 +298,11 @@ __glXPixelMapusvReqSize(const GLbyte *pc
         mapsize = bswap_32(mapsize);
     }
 
-    return __GLX_PAD((mapsize * 2));
+    return safe_pad(safe_mul(mapsize, 2));
 }
 
 int
-__glXDrawPixelsReqSize(const GLbyte *pc, Bool swap)
+__glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -332,7 +330,7 @@ __glXDrawPixelsReqSize(const GLbyte *pc,
 }
 
 int
-__glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap)
+__glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 0);
 
@@ -340,11 +338,11 @@ __glXPrioritizeTexturesReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 4) + (n * 4));
+    return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
 }
 
 int
-__glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap)
+__glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -372,7 +370,7 @@ __glXTexSubImage1DReqSize(const GLbyte *
 }
 
 int
-__glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap)
+__glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -402,7 +400,7 @@ __glXTexSubImage2DReqSize(const GLbyte *
 }
 
 int
-__glXColorTableReqSize(const GLbyte *pc, Bool swap)
+__glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -430,7 +428,7 @@ __glXColorTableReqSize(const GLbyte *pc,
 }
 
 int
-__glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap)
+__glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -440,11 +438,11 @@ __glXColorTableParameterfvReqSize(const 
     }
 
     compsize = __glColorTableParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXColorSubTableReqSize(const GLbyte *pc, Bool swap)
+__glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -472,7 +470,7 @@ __glXColorSubTableReqSize(const GLbyte *
 }
 
 int
-__glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap)
+__glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -500,7 +498,7 @@ __glXConvolutionFilter1DReqSize(const GL
 }
 
 int
-__glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap)
+__glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = 0;
@@ -530,7 +528,7 @@ __glXConvolutionFilter2DReqSize(const GL
 }
 
 int
-__glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap)
+__glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 4);
     GLsizei compsize;
@@ -540,11 +538,11 @@ __glXConvolutionParameterfvReqSize(const
     }
 
     compsize = __glConvolutionParameterfv_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXTexImage3DReqSize(const GLbyte *pc, Bool swap)
+__glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = *(GLint *) (pc + 8);
@@ -581,7 +579,7 @@ __glXTexImage3DReqSize(const GLbyte *pc,
 }
 
 int
-__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap)
+__glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLint row_length = *(GLint *) (pc + 4);
     GLint image_height = *(GLint *) (pc + 8);
@@ -615,7 +613,7 @@ __glXTexSubImage3DReqSize(const GLbyte *
 }
 
 int
-__glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei imageSize = *(GLsizei *) (pc + 20);
 
@@ -623,11 +621,11 @@ __glXCompressedTexImage1DARBReqSize(cons
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei imageSize = *(GLsizei *) (pc + 24);
 
@@ -635,11 +633,11 @@ __glXCompressedTexImage2DARBReqSize(cons
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei imageSize = *(GLsizei *) (pc + 28);
 
@@ -647,11 +645,11 @@ __glXCompressedTexImage3DARBReqSize(cons
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap)
+__glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei imageSize = *(GLsizei *) (pc + 36);
 
@@ -659,11 +657,11 @@ __glXCompressedTexSubImage3DARBReqSize(c
         imageSize = bswap_32(imageSize);
     }
 
-    return __GLX_PAD(imageSize);
+    return safe_pad(imageSize);
 }
 
 int
-__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap)
+__glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei len = *(GLsizei *) (pc + 8);
 
@@ -671,11 +669,11 @@ __glXProgramStringARBReqSize(const GLbyt
         len = bswap_32(len);
     }
 
-    return __GLX_PAD(len);
+    return safe_pad(len);
 }
 
 int
-__glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap)
+__glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 0);
 
@@ -683,11 +681,11 @@ __glXDrawBuffersARBReqSize(const GLbyte 
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 4));
+    return safe_pad(safe_mul(n, 4));
 }
 
 int
-__glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap)
+__glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLenum pname = *(GLenum *) (pc + 0);
     GLsizei compsize;
@@ -697,11 +695,11 @@ __glXPointParameterfvEXTReqSize(const GL
     }
 
     compsize = __glPointParameterfvEXT_size(pname);
-    return __GLX_PAD((compsize * 4));
+    return safe_pad(safe_mul(compsize, 4));
 }
 
 int
-__glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLuint num = *(GLuint *) (pc + 8);
 
@@ -709,11 +707,11 @@ __glXProgramParameters4dvNVReqSize(const
         num = bswap_32(num);
     }
 
-    return __GLX_PAD((num * 32));
+    return safe_pad(safe_mul(num, 32));
 }
 
 int
-__glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap)
+__glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLuint num = *(GLuint *) (pc + 8);
 
@@ -721,11 +719,11 @@ __glXProgramParameters4fvNVReqSize(const
         num = bswap_32(num);
     }
 
-    return __GLX_PAD((num * 16));
+    return safe_pad(safe_mul(num, 16));
 }
 
 int
-__glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 4);
 
@@ -733,11 +731,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 8));
+    return safe_pad(safe_mul(n, 8));
 }
 
 int
-__glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 4);
 
@@ -745,11 +743,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 16));
+    return safe_pad(safe_mul(n, 16));
 }
 
 int
-__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 4);
 
@@ -757,11 +755,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 24));
+    return safe_pad(safe_mul(n, 24));
 }
 
 int
-__glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 4);
 
@@ -769,11 +767,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 12));
+    return safe_pad(safe_mul(n, 12));
 }
 
 int
-__glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 4);
 
@@ -781,11 +779,11 @@ __glXVertexAttribs3svNVReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 6));
+    return safe_pad(safe_mul(n, 6));
 }
 
 int
-__glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap)
+__glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei n = *(GLsizei *) (pc + 4);
 
@@ -793,11 +791,11 @@ __glXVertexAttribs4dvNVReqSize(const GLb
         n = bswap_32(n);
     }
 
-    return __GLX_PAD((n * 32));
+    return safe_pad(safe_mul(n, 32));
 }
 
 int
-__glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap)
+__glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen)
 {
     GLsizei len = *(GLsizei *) (pc + 4);
 
@@ -805,7 +803,7 @@ __glXProgramNamedParameter4fvNVReqSize(c
         len = bswap_32(len);
     }
 
-    return __GLX_PAD(len);
+    return safe_pad(len);
 }
 
 ALIAS(Fogiv, Fogfv)
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h	Tue Dec  9 19:56:35 2014
@@ -40,80 +40,80 @@
 #    define PURE
 #  endif
 
-extern PURE HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXPointParameterivNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte *pc, Bool swap);
-extern PURE HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte *pc, Bool swap);
+extern PURE HIDDEN int __glXCallListsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXBitmapReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXFogfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXFogivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightModelfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLightModelivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMaterialfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMaterialivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPolygonStippleReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexEnvfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexEnvivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexGendvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexGenfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexGenivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap1dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap1fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap2dReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXMap2fReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPixelMapfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPixelMapuivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPixelMapusvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDrawPixelsReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDrawArraysReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexSubImage1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexSubImage2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXColorTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte *pc, Bool swa, int reqlenp);
+extern PURE HIDDEN int __glXColorTableParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXColorSubTableReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXTexSubImage3DReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramStringARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXLoadProgramNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXPointParameterivNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte *pc, Bool swap, int reqlen);
+extern PURE HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte *pc, Bool swap, int reqlen);
 
 #  undef HIDDEN
 #  undef PURE
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c	Tue Dec  9 19:56:35 2014
@@ -48,6 +48,8 @@ int __glXDisp_GetCompressedTexImageARB(s
     ClientPtr client = cl->client;
 
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     pc += __GLX_SINGLE_HDR_SIZE;
     if ( cx != NULL ) {
 	const GLenum target = *(GLenum *)(pc + 0);
@@ -88,6 +90,8 @@ int __glXDispSwap_GetCompressedTexImageA
     ClientPtr client = cl->client;
 
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     pc += __GLX_SINGLE_HDR_SIZE;
     if ( cx != NULL ) {
 	const GLenum target = (GLenum) bswap_32( *(int *)(pc + 0) );
Index: xsrc/external/mit/xorg-server/dist/glx/indirect_util.c
diff -u xsrc/external/mit/xorg-server/dist/glx/indirect_util.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/indirect_util.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/indirect_util.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/indirect_util.c	Tue Dec  9 19:56:35 2014
@@ -81,12 +81,17 @@ __glXGetAnswerBuffer( __GLXclientState *
     void * local_buffer, size_t local_size, unsigned alignment )
 {
     void * buffer = local_buffer;
-    const unsigned mask = alignment - 1;
+    const intptr_t mask = alignment - 1;
 
     if ( local_size < required_size ) {
-        const size_t worst_case_size = required_size + alignment;
+        size_t worst_case_size;
         intptr_t  temp_buf;
 
+        if (required_size < SIZE_MAX - alignment)
+            worst_case_size = required_size + alignment;
+        else
+            return NULL;
+
         if ( cl->returnBufSize < worst_case_size ) {
 	    void * temp = xrealloc( cl->returnBuf, worst_case_size );
 	    
Index: xsrc/external/mit/xorg-server/dist/glx/rensize.c
diff -u xsrc/external/mit/xorg-server/dist/glx/rensize.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/rensize.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/rensize.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/rensize.c	Tue Dec  9 19:56:35 2014
@@ -43,16 +43,10 @@
   (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
 
-static int Map1Size( GLint k, GLint order)
-{
-    if (order <= 0 || k < 0) return -1;
-    return k * order;
-}
-
-int __glXMap1dReqSize( const GLbyte *pc, Bool swap )
+int __glXMap1dReqSize( const GLbyte *pc, Bool swap, int reqlen )
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum*) (pc + 16);
     order = *(GLint*) (pc + 20);
@@ -60,14 +54,15 @@ int __glXMap1dReqSize( const GLbyte *pc,
 	target = SWAPL( target );
 	order = SWAPL( order );
     }
-    k = __glMap1d_size( target );
-    return 8 * Map1Size( k, order );
+    if (order < 1)
+        return -1;
+    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
 }
 
-int __glXMap1fReqSize( const GLbyte *pc, Bool swap )
+int __glXMap1fReqSize( const GLbyte *pc, Bool swap, int reqlen )
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *)(pc + 0);
     order = *(GLint *)(pc + 12);
@@ -75,20 +70,22 @@ int __glXMap1fReqSize( const GLbyte *pc,
 	target = SWAPL( target );
 	order = SWAPL( order );
     }
-    k = __glMap1f_size(target);
-    return 4 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
 }
 
 static int Map2Size(int k, int majorOrder, int minorOrder)
 {
-    if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1;
-    return k * majorOrder * minorOrder;
+    if (majorOrder < 1 || minorOrder < 1)
+         return -1;
+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
 }
 
-int __glXMap2dReqSize( const GLbyte *pc, Bool swap )
+int __glXMap2dReqSize( const GLbyte *pc, Bool swap, int reqlen )
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *)(pc + 32);
     uorder = *(GLint *)(pc + 36);
@@ -98,14 +95,13 @@ int __glXMap2dReqSize( const GLbyte *pc,
 	uorder = SWAPL( uorder );
 	vorder = SWAPL( vorder );
     }
-    k = __glMap2d_size( target );
-    return 8 * Map2Size( k, uorder, vorder );
+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
 }
 
-int __glXMap2fReqSize( const GLbyte *pc, Bool swap )
+int __glXMap2fReqSize( const GLbyte *pc, Bool swap, int reqlen )
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *)(pc + 0);
     uorder = *(GLint *)(pc + 12);
@@ -115,8 +111,7 @@ int __glXMap2fReqSize( const GLbyte *pc,
 	uorder = SWAPL( uorder );
 	vorder = SWAPL( vorder );
     }
-    k = __glMap2f_size( target );
-    return 4 * Map2Size( k, uorder, vorder );
+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
 }
 
 /**
@@ -166,13 +161,16 @@ int __glXImageSize( GLenum format, GLenu
     GLint bytesPerElement, elementsPerGroup, groupsPerRow;
     GLint groupSize, rowSize, padding, imageSize;
 
+    if (w == 0 || h == 0 || d == 0)
+        return 0;
+
     if (w < 0 || h < 0 || d < 0 ||
 	(type == GL_BITMAP &&
 	 (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
 	return -1;
     }
-    if (w==0 || h==0 || d == 0) return 0;
 
+    /* proxy targets have no data */
     switch( target ) {
     case GL_PROXY_TEXTURE_1D:
     case GL_PROXY_TEXTURE_2D:
@@ -189,6 +187,12 @@ int __glXImageSize( GLenum format, GLenu
 	return 0;
     }
 
+    /* real data has to have real sizes */
+    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+        return -1;
+    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+        return -1;
+
     if (type == GL_BITMAP) {
 	if (rowLength > 0) {
 	    groupsPerRow = rowLength;
@@ -196,11 +200,13 @@ int __glXImageSize( GLenum format, GLenu
 	    groupsPerRow = w;
 	}
 	rowSize = (groupsPerRow + 7) >> 3;
+	if (rowSize < 0)
+	    return -1;
 	padding = (rowSize % alignment);
 	if (padding) {
 	    rowSize += alignment - padding;
 	}
-	return ((h + skipRows) * rowSize);
+	return safe_mul(safe_add(h, skipRows), rowSize);
     } else {
 	switch(format) {
 	  case GL_COLOR_INDEX:
@@ -212,6 +218,11 @@ int __glXImageSize( GLenum format, GLenu
 	  case GL_ALPHA:
 	  case GL_LUMINANCE:
 	  case GL_INTENSITY:
+          case GL_RED_INTEGER_EXT:
+          case GL_GREEN_INTEGER_EXT:
+          case GL_BLUE_INTEGER_EXT:
+          case GL_ALPHA_INTEGER_EXT:
+          case GL_LUMINANCE_INTEGER_EXT:
 	    elementsPerGroup = 1;
 	    break;
 	  case GL_422_EXT:
@@ -222,14 +233,19 @@ int __glXImageSize( GLenum format, GLenu
 	  case GL_DEPTH_STENCIL_MESA:
 	  case GL_YCBCR_MESA:
 	  case GL_LUMINANCE_ALPHA:
+          case GL_LUMINANCE_ALPHA_INTEGER_EXT:
 	    elementsPerGroup = 2;
 	    break;
 	  case GL_RGB:
 	  case GL_BGR:
+          case GL_RGB_INTEGER_EXT:
+          case GL_BGR_INTEGER_EXT:
 	    elementsPerGroup = 3;
 	    break;
 	  case GL_RGBA:
 	  case GL_BGRA:
+          case GL_RGBA_INTEGER_EXT:
+          case GL_BGRA_INTEGER_EXT:
 	  case GL_ABGR_EXT:
 	    elementsPerGroup = 4;
 	    break;
@@ -281,23 +297,27 @@ int __glXImageSize( GLenum format, GLenu
 	  default:
 	    return -1;
 	}
+        /* known safe by the switches above, not checked */
 	groupSize = bytesPerElement * elementsPerGroup;
 	if (rowLength > 0) {
 	    groupsPerRow = rowLength;
 	} else {
 	    groupsPerRow = w;
 	}
-	rowSize = groupsPerRow * groupSize;
+        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+            return -1;
 	padding = (rowSize % alignment);
 	if (padding) {
 	    rowSize += alignment - padding;
 	}
-	if (imageHeight > 0) {
-	    imageSize = (imageHeight + skipRows) * rowSize;
-	} else {
-	    imageSize = (h + skipRows) * rowSize;
-	}
-	return ((d + skipImages) * imageSize);
+
+        if (imageHeight > 0)
+            h = imageHeight;
+        h = safe_add(h, skipRows);
+
+        imageSize = safe_mul(h, rowSize);
+
+        return safe_mul(safe_add(d, skipImages), imageSize);
     }
 }
 
@@ -318,13 +338,14 @@ int __glXTypeSize(GLenum enm)
   }
 }
 
-int __glXDrawArraysReqSize( const GLbyte *pc, Bool swap )
+int __glXDrawArraysReqSize( const GLbyte *pc, Bool swap, int reqlen )
 {
     __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
     __GLXdispatchDrawArraysComponentHeader *compHeader;
     GLint numVertexes = hdr->numVertexes;
     GLint numComponents = hdr->numComponents;
     GLint arrayElementSize = 0;
+    GLint x, size;
     int i;
 
     if (swap) {
@@ -333,6 +354,13 @@ int __glXDrawArraysReqSize( const GLbyte
     }
 
     pc += sizeof(__GLXdispatchDrawArraysHeader);
+    reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+    size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+                    numComponents);
+    if (size < 0 || reqlen < 0 || reqlen < size)
+        return -1;
+
     compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
 
     for (i=0; i<numComponents; i++) {
@@ -381,11 +409,10 @@ int __glXDrawArraysReqSize( const GLbyte
 	pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
     }
 
-    return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
-	    (numVertexes * arrayElementSize));
+    return safe_add(size, safe_mul(numVertexes, arrayElementSize));
 }
 
-int __glXSeparableFilter2DReqSize( const GLbyte *pc, Bool swap )
+int __glXSeparableFilter2DReqSize( const GLbyte *pc, Bool swap, int reqlen )
 {
     __GLXdispatchConvolutionFilterHeader *hdr =
 			(__GLXdispatchConvolutionFilterHeader *) pc;
@@ -410,9 +437,8 @@ int __glXSeparableFilter2DReqSize( const
     /* XXX Should rowLength be used for either or both image? */
     image1size = __glXImageSize( format, type, 0, w, 1, 1,
 				 0, rowLength, 0, 0, alignment );
-    image1size = __GLX_PAD(image1size);
     image2size = __glXImageSize( format, type, 0, h, 1, 1,
 				 0, rowLength, 0, 0, alignment );
-    return image1size + image2size;
 
+    return safe_add(safe_pad(image1size), image2size);
 }
Index: xsrc/external/mit/xorg-server/dist/glx/single2.c
diff -u xsrc/external/mit/xorg-server/dist/glx/single2.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/single2.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/single2.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/single2.c	Tue Dec  9 19:56:35 2014
@@ -49,11 +49,14 @@
 
 int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     GLsizei size;
     GLenum type;
     __GLXcontext *cx;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -79,10 +82,13 @@ int __glXDisp_FeedbackBuffer(__GLXclient
 
 int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLsizei size;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -107,7 +113,7 @@ int __glXDisp_SelectBuffer(__GLXclientSt
 
 int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     xGLXRenderModeReply reply;
     __GLXcontext *cx;
     GLint nitems=0, retBytes=0, retval, newModeCheck;
@@ -115,6 +121,8 @@ int __glXDisp_RenderMode(__GLXclientStat
     GLenum newMode;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -189,7 +197,6 @@ int __glXDisp_RenderMode(__GLXclientStat
     ** selection array, as per the API for glRenderMode itself.
     */
   noChangeAllowed:;
-    client = cl->client;
     reply.length = nitems;
     reply.type = X_Reply;
     reply.sequenceNumber = client->sequence;
@@ -205,9 +212,12 @@ int __glXDisp_RenderMode(__GLXclientStat
 
 int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc)
 {
+	ClientPtr client = cl->client;
 	__GLXcontext *cx;
 	int error;
 
+	REQUEST_SIZE_MATCH(xGLXSingleReq);
+
 	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 	if (!cx) {
 		return error;
@@ -220,10 +230,12 @@ int __glXDisp_Flush(__GLXclientState *cl
 
 int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
-    ClientPtr client;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -309,7 +321,7 @@ char *__glXcombine_strings(const char *c
 
 int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLenum name;
     const char *string;
@@ -318,6 +330,8 @@ int DoGetString(__GLXclientState *cl, GL
     char *buf = NULL, *buf1 = NULL;
     GLint length = 0;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     /* If the client has the opposite byte order, swap the contextTag and
      * the name.
      */
@@ -334,7 +348,6 @@ int DoGetString(__GLXclientState *cl, GL
     pc += __GLX_SINGLE_HDR_SIZE;
     name = *(GLenum *)(pc + 0);
     string = (const char *) CALL_GetString( GET_DISPATCH(), (name) );
-    client = cl->client;
 
     /*
     ** Restrict extensions to those that are supported by both the
Index: xsrc/external/mit/xorg-server/dist/glx/single2swap.c
diff -u xsrc/external/mit/xorg-server/dist/glx/single2swap.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/single2swap.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/single2swap.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/single2swap.c	Tue Dec  9 19:56:35 2014
@@ -45,12 +45,15 @@
 
 int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     GLsizei size;
     GLenum type;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLXcontext *cx;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -79,11 +82,14 @@ int __glXDispSwap_FeedbackBuffer(__GLXcl
 
 int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     GLsizei size;
     __GLX_DECLARE_SWAP_VARIABLES;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -110,7 +116,7 @@ int __glXDispSwap_SelectBuffer(__GLXclie
 
 int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
 {
-    ClientPtr client;
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
     xGLXRenderModeReply reply;
     GLint nitems=0, retBytes=0, retval, newModeCheck;
@@ -120,6 +126,8 @@ int __glXDispSwap_RenderMode(__GLXclient
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     int error;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -198,7 +206,6 @@ int __glXDispSwap_RenderMode(__GLXclient
     ** selection array, as per the API for glRenderMode itself.
     */
   noChangeAllowed:;
-    client = cl->client;
     reply.length = nitems;
     reply.type = X_Reply;
     reply.sequenceNumber = client->sequence;
@@ -219,10 +226,13 @@ int __glXDispSwap_RenderMode(__GLXclient
 
 int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc)
 {
+	ClientPtr client = cl->client;
 	__GLXcontext *cx;
 	int error;
 	__GLX_DECLARE_SWAP_VARIABLES;
 
+	REQUEST_SIZE_MATCH(xGLXSingleReq);
+
 	__GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
 	cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
 	if (!cx) {
@@ -236,11 +246,13 @@ int __glXDispSwap_Flush(__GLXclientState
 
 int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     __GLXcontext *cx;
-    ClientPtr client;
     int error;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSingleReq);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -252,7 +264,6 @@ int __glXDispSwap_Finish(__GLXclientStat
     __GLX_NOTE_FLUSHED_CMDS(cx);
 
     /* Send empty reply packet to indicate finish is finished */
-    client = cl->client;
     __GLX_BEGIN_REPLY(0);
     __GLX_PUT_RETVAL(0);
     __GLX_SWAP_REPLY_HEADER();
Index: xsrc/external/mit/xorg-server/dist/glx/singlepix.c
diff -u xsrc/external/mit/xorg-server/dist/glx/singlepix.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/singlepix.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/singlepix.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/singlepix.c	Tue Dec  9 19:56:35 2014
@@ -55,6 +55,8 @@ int __glXDisp_ReadPixels(__GLXclientStat
     int error;
     char *answer, answerBuffer[200];
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -68,7 +70,8 @@ int __glXDisp_ReadPixels(__GLXclientStat
     swapBytes = *(GLboolean *)(pc + 24);
     lsbFirst = *(GLboolean *)(pc + 25);
     compsize = __glReadPixels_size(format,type,width,height);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes) );
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst) );
@@ -106,6 +109,8 @@ int __glXDisp_GetTexImage(__GLXclientSta
     char *answer, answerBuffer[200];
     GLint width=0, height=0, depth=1;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -128,7 +133,8 @@ int __glXDisp_GetTexImage(__GLXclientSta
      * are illegal, but then width, height, and depth would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes) );
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -164,6 +170,8 @@ int __glXDisp_GetPolygonStipple(__GLXcli
     GLubyte answerBuffer[200];
     char *answer;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
 	return error;
@@ -222,13 +230,13 @@ static int GetSeparableFilter(__GLXclien
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
     compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
 
-    if (compsize < 0) compsize = 0;
-    if (compsize2 < 0) compsize2 = 0;
-    compsize = __GLX_PAD(compsize);
-    compsize2 = __GLX_PAD(compsize2);
+    if ((compsize = safe_pad(compsize)) < 0)
+        return BadLength;
+    if ((compsize2 = safe_pad(compsize2)) < 0)
+        return BadLength;
 
     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
-    __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
     __glXClearErrorOccured();
     CALL_GetSeparableFilter( GET_DISPATCH(), (
 		  *(GLenum   *)(pc + 0),
@@ -256,14 +264,16 @@ static int GetSeparableFilter(__GLXclien
 int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDisp_GetSeparableFilterEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -302,7 +312,8 @@ static int GetConvolutionFilter(__GLXcli
      * are illegal, but then width and height would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -331,14 +342,16 @@ static int GetConvolutionFilter(__GLXcli
 int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDisp_GetConvolutionFilterEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -371,7 +384,8 @@ static int GetHistogram(__GLXclientState
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -394,14 +408,16 @@ static int GetHistogram(__GLXclientState
 int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDisp_GetHistogramEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -427,7 +443,8 @@ static int GetMinmax(__GLXclientState *c
     reset = *(GLboolean *)(pc + 13);
 
     compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -449,14 +466,16 @@ static int GetMinmax(__GLXclientState *c
 int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDisp_GetMinmaxEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -488,7 +507,8 @@ static int GetColorTable(__GLXclientStat
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -516,13 +536,15 @@ static int GetColorTable(__GLXclientStat
 int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDisp_GetColorTableSGI(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+    ClientPtr client = cl->client;
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
Index: xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c
diff -u xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c:1.1.1.1.2.2	Thu Sep 17 03:34:57 2009
+++ xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c	Tue Dec  9 19:56:35 2014
@@ -56,6 +56,8 @@ int __glXDispSwap_ReadPixels(__GLXclient
     int error;
     char *answer, answerBuffer[200];
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -77,7 +79,8 @@ int __glXDispSwap_ReadPixels(__GLXclient
     swapBytes = *(GLboolean *)(pc + 24);
     lsbFirst = *(GLboolean *)(pc + 25);
     compsize = __glReadPixels_size(format,type,width,height);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst) );
@@ -118,6 +121,8 @@ int __glXDispSwap_GetTexImage(__GLXclien
     char *answer, answerBuffer[200];
     GLint width=0, height=0, depth=1;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -146,7 +151,8 @@ int __glXDispSwap_GetTexImage(__GLXclien
      * are illegal, but then width, height, and depth would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -188,6 +194,8 @@ int __glXDispSwap_GetPolygonStipple(__GL
     char *answer;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
     __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
     if (!cx) {
@@ -252,13 +260,13 @@ static int GetSeparableFilter(__GLXclien
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
     compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
 
-    if (compsize < 0) compsize = 0;
-    if (compsize2 < 0) compsize2 = 0;
-    compsize = __GLX_PAD(compsize);
-    compsize2 = __GLX_PAD(compsize2);
+    if ((compsize = safe_pad(compsize)) < 0)
+        return BadLength;
+    if ((compsize2 = safe_pad(compsize2)) < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
-    __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
     __glXClearErrorOccured();
     CALL_GetSeparableFilter( GET_DISPATCH(), (
 		  *(GLenum   *)(pc + 0),
@@ -288,14 +296,18 @@ static int GetSeparableFilter(__GLXclien
 int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -336,7 +348,8 @@ static int GetConvolutionFilter(__GLXcli
      * are illegal, but then width and height would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -367,14 +380,18 @@ static int GetConvolutionFilter(__GLXcli
 int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -411,7 +428,8 @@ static int GetHistogram(__GLXclientState
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -435,14 +453,18 @@ static int GetHistogram(__GLXclientState
 int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDispSwap_GetHistogramEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -473,7 +495,8 @@ static int GetMinmax(__GLXclientState *c
     reset = *(GLboolean *)(pc + 13);
 
     compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -495,14 +518,18 @@ static int GetMinmax(__GLXclientState *c
 int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDispSwap_GetMinmaxEXT(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
 
@@ -538,7 +565,8 @@ static int GetColorTable(__GLXclientStat
      * are illegal, but then width would still be zero anyway.
      */
     compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
-    if (compsize < 0) compsize = 0;
+    if (compsize < 0)
+        return BadLength;
 
     CALL_PixelStorei( GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes) );
     __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
@@ -567,13 +595,17 @@ static int GetColorTable(__GLXclientStat
 int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
 }
 
 int __glXDispSwap_GetColorTableSGI(__GLXclientState *cl, GLbyte *pc)
 {
     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+    ClientPtr client = cl->client;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
 }
Index: xsrc/external/mit/xorg-server/dist/glx/swap_interval.c
diff -u xsrc/external/mit/xorg-server/dist/glx/swap_interval.c:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/swap_interval.c:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/swap_interval.c:1.1.1.1.2.2	Thu Sep 17 03:34:58 2009
+++ xsrc/external/mit/xorg-server/dist/glx/swap_interval.c	Tue Dec  9 19:56:35 2014
@@ -52,6 +52,8 @@ int DoSwapInterval(__GLXclientState *cl,
     GLint interval;
 
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
     cx = __glXLookupContextByTag(cl, tag);
 
     LogMessage(X_ERROR, "%s: cx = %p, GLX screen = %p\n", __func__,
Index: xsrc/external/mit/xorg-server/dist/glx/unpack.h
diff -u xsrc/external/mit/xorg-server/dist/glx/unpack.h:1.1.1.1.2.2 xsrc/external/mit/xorg-server/dist/glx/unpack.h:1.1.1.1.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/glx/unpack.h:1.1.1.1.2.2	Thu Sep 17 03:34:58 2009
+++ xsrc/external/mit/xorg-server/dist/glx/unpack.h	Tue Dec  9 19:56:35 2014
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
 ** pointer.
 */
 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
-    if ((size) > sizeof(answerBuffer)) {				 \
+    if (size < 0) return BadLength;                                      \
+    else if ((size) > sizeof(answerBuffer)) {				 \
 	int bump;							 \
 	if ((cl)->returnBufSize < (size)+(align)) {			 \
 	    (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf,	 \

Index: xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c
diff -u xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c:1.1.1.2.2.2 xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c:1.1.1.2.2.2.2.1
--- xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c:1.1.1.2.2.2	Thu Sep 17 03:35:11 2009
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c	Tue Dec  9 19:56:35 2014
@@ -274,6 +274,9 @@ ProcDRI2GetBuffersWithFormat(ClientPtr c
     unsigned int *attachments;
 
     REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
+    if (stuff->count > (INT_MAX / 4))
+        return BadLength;
+
     if (!validDrawable(client, stuff->drawable, &pDrawable, &status))
 	return status;
 

Index: xsrc/external/mit/xorg-server/dist/include/dix.h
diff -u xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1	Thu Sep 17 03:35:43 2009
+++ xsrc/external/mit/xorg-server/dist/include/dix.h	Tue Dec  9 19:56:35 2014
@@ -72,9 +72,14 @@ SOFTWARE.
     if ((sizeof(req) >> 2) > client->req_len )\
          return(BadLength)
 
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
+    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+         return(BadLength)
+
 #define REQUEST_FIXED_SIZE(req, n)\
     if (((sizeof(req) >> 2) > client->req_len) || \
-        (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+        ((n >> 2) >= client->req_len) || \
+        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
          return(BadLength)
 
 #define LEGAL_NEW_RESOURCE(id,client)\
Index: xsrc/external/mit/xorg-server/dist/include/misc.h
diff -u xsrc/external/mit/xorg-server/dist/include/misc.h:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/include/misc.h:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/include/misc.h:1.1.1.1.2.1	Thu Sep 17 03:35:43 2009
+++ xsrc/external/mit/xorg-server/dist/include/misc.h	Tue Dec  9 19:56:35 2014
@@ -183,6 +183,36 @@ typedef struct _xReq *xReqPtr;
 
 #endif
 
+/**
+ * Calculate the number of bytes needed to hold bits.
+ * @param bits The minimum number of bits needed. 
+ * @return The number of bytes needed to hold bits.
+ */
+static inline int 
+bits_to_bytes(const int bits) {
+    return ((bits + 7) >> 3);
+}
+/**
+ * Calculate the number of 4-byte units needed to hold the given number of 
+ * bytes.
+ * @param bytes The minimum number of bytes needed.
+ * @return The number of 4-byte units needed to hold bytes.
+ */
+static inline int
+bytes_to_int32(const int bytes) {
+    return (((bytes) + 3) >> 2);
+}
+  
+/** 
+ * Calculate the number of bytes (in multiples of 4) needed to hold bytes.
+ * @param bytes The minimum number of bytes needed.
+ * @return The closest multiple of 4 that is equal or higher than bytes.
+ */
+static inline int
+pad_to_int32(const int bytes) {
+    return (((bytes) + 3) & ~3);
+}
+
 /* some macros to help swap requests, replies, and events */
 
 #define LengthRestB(stuff) \

Index: xsrc/external/mit/xorg-server/dist/os/access.c
diff -u xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1	Thu Sep 17 03:35:46 2009
+++ xsrc/external/mit/xorg-server/dist/os/access.c	Tue Dec  9 19:56:35 2014
@@ -1459,6 +1459,10 @@ GetHosts (
     {
 	nHosts++;
 	n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1048576)
+            break;
     }
     if (n)
     {
@@ -1470,6 +1474,8 @@ GetHosts (
         for (host = validhosts; host; host = host->next)
 	{
 	    len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *)data + n))
+                break;
 	    ((xHostEntry *)ptr)->family = host->family;
 	    ((xHostEntry *)ptr)->length = len;
 	    ptr += sizeof(xHostEntry);
Index: xsrc/external/mit/xorg-server/dist/os/rpcauth.c
diff -u xsrc/external/mit/xorg-server/dist/os/rpcauth.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/os/rpcauth.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/os/rpcauth.c:1.1.1.1.2.1	Thu Sep 17 03:35:47 2009
+++ xsrc/external/mit/xorg-server/dist/os/rpcauth.c	Tue Dec  9 19:56:35 2014
@@ -67,6 +67,10 @@ authdes_ezdecode(char *inmsg, int len)
     SVCXPRT         xprt;
 
     temp_inmsg = (char *) xalloc(len);
+    if (temp_inmsg == NULL) {
+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+        return NULL;
+    }
     memmove(temp_inmsg, inmsg, len);
 
     memset((char *)&msg, 0, sizeof(msg));

Index: xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c
diff -u xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c:1.1.1.1.2.1	Thu Sep 17 03:35:47 2009
+++ xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c	Tue Dec  9 19:56:35 2014
@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client)
     register int n;
     REQUEST(xRRQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
     swaps(&stuff->length, n);
     swapl(&stuff->majorVersion, n);
     swapl(&stuff->minorVersion, n);
@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client)
     register int n;
     REQUEST(xRRGetScreenInfoReq);
 
+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
     return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client)
     register int n;
     REQUEST(xRRSelectInputReq);
 
+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
     swaps(&stuff->enable, n);
@@ -165,6 +168,7 @@ SProcRRConfigureOutputProperty (ClientPt
     int n;
     REQUEST(xRRConfigureOutputPropertyReq);
 
+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
     swaps(&stuff->length, n);
     swapl(&stuff->output, n);
     swapl(&stuff->property, n);

Index: xsrc/external/mit/xorg-server/dist/render/render.c
diff -u xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.1.2.1	Thu Sep 17 03:35:48 2009
+++ xsrc/external/mit/xorg-server/dist/render/render.c	Tue Dec  9 19:56:35 2014
@@ -263,11 +263,11 @@ ProcRenderQueryVersion (ClientPtr client
     xRenderQueryVersionReply rep;
     register int n;
     REQUEST(xRenderQueryVersionReq);
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
 
     pRenderClient->major_version = stuff->majorVersion;
     pRenderClient->minor_version = stuff->minorVersion;
 
-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -2093,6 +2093,7 @@ SProcRenderQueryVersion (ClientPtr clien
 {
     register int n;
     REQUEST(xRenderQueryVersionReq);
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->majorVersion, n);
@@ -2105,6 +2106,7 @@ SProcRenderQueryPictFormats (ClientPtr c
 {
     register int n;
     REQUEST(xRenderQueryPictFormatsReq);
+    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
     swaps(&stuff->length, n);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
@@ -2114,6 +2116,7 @@ SProcRenderQueryPictIndexValues (ClientP
 {
     register int n;
     REQUEST(xRenderQueryPictIndexValuesReq);
+    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
     swaps(&stuff->length, n);
     swapl(&stuff->format, n);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2130,6 +2133,7 @@ SProcRenderCreatePicture (ClientPtr clie
 {
     register int n;
     REQUEST(xRenderCreatePictureReq);
+    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
     swaps(&stuff->length, n);
     swapl(&stuff->pid, n);
     swapl(&stuff->drawable, n);
@@ -2144,6 +2148,7 @@ SProcRenderChangePicture (ClientPtr clie
 {
     register int n;
     REQUEST(xRenderChangePictureReq);
+    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
     swaps(&stuff->length, n);
     swapl(&stuff->picture, n);
     swapl(&stuff->mask, n);
@@ -2156,6 +2161,7 @@ SProcRenderSetPictureClipRectangles (Cli
 {
     register int n;
     REQUEST(xRenderSetPictureClipRectanglesReq);
+    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
     swaps(&stuff->length, n);
     swapl(&stuff->picture, n);
     swaps(&stuff->xOrigin, n);
@@ -2169,6 +2175,7 @@ SProcRenderFreePicture (ClientPtr client
 {
     register int n;
     REQUEST(xRenderFreePictureReq);
+    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
     swaps(&stuff->length, n);
     swapl(&stuff->picture, n);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2179,6 +2186,7 @@ SProcRenderComposite (ClientPtr client)
 {
     register int n;
     REQUEST(xRenderCompositeReq);
+    REQUEST_SIZE_MATCH(xRenderCompositeReq);
     swaps(&stuff->length, n);
     swapl(&stuff->src, n);
     swapl(&stuff->mask, n);
@@ -2199,6 +2207,7 @@ SProcRenderScale (ClientPtr client)
 {
     register int n;
     REQUEST(xRenderScaleReq);
+    REQUEST_SIZE_MATCH(xRenderScaleReq);
     swaps(&stuff->length, n);
     swapl(&stuff->src, n);
     swapl(&stuff->dst, n);
@@ -2304,6 +2313,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli
 {
     register int n;
     REQUEST(xRenderCreateGlyphSetReq);
+    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
     swaps(&stuff->length, n);
     swapl(&stuff->gsid, n);
     swapl(&stuff->format, n);
@@ -2315,6 +2325,7 @@ SProcRenderReferenceGlyphSet (ClientPtr 
 {
     register int n;
     REQUEST(xRenderReferenceGlyphSetReq);
+    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
     swaps(&stuff->length, n);
     swapl(&stuff->gsid, n);
     swapl(&stuff->existing, n);
@@ -2326,6 +2337,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien
 {
     register int n;
     REQUEST(xRenderFreeGlyphSetReq);
+    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
     swaps(&stuff->length, n);
     swapl(&stuff->glyphset, n);
     return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2340,6 +2352,7 @@ SProcRenderAddGlyphs (ClientPtr client)
     void    *end;
     xGlyphInfo *gi;
     REQUEST(xRenderAddGlyphsReq);
+    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
     swaps(&stuff->length, n);
     swapl(&stuff->glyphset, n);
     swapl(&stuff->nglyphs, n);
@@ -2376,6 +2389,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
 {
     register int n;
     REQUEST(xRenderFreeGlyphsReq);
+    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
     swaps(&stuff->length, n);
     swapl(&stuff->glyphset, n);
     SwapRestL(stuff);
@@ -2394,6 +2408,7 @@ SProcRenderCompositeGlyphs (ClientPtr cl
     int		size;
     
     REQUEST(xRenderCompositeGlyphsReq);
+    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
     
     switch (stuff->renderReqType) {
     default:			    size = 1; break;

Index: xsrc/external/mit/xorg-server/dist/xfixes/select.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/select.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/xfixes/select.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/xfixes/select.c:1.1.1.1.2.1	Thu Sep 17 03:35:48 2009
+++ xsrc/external/mit/xorg-server/dist/xfixes/select.c	Tue Dec  9 19:56:35 2014
@@ -220,6 +220,7 @@ SProcXFixesSelectSelectionInput (ClientP
     register int n;
     REQUEST(xXFixesSelectSelectionInputReq);
 
+    REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
     swapl(&stuff->selection, n);

CVS commit: [netbsd-5-1] xsrc/external/mit/xorg-server/dist

Reply via email to