[PATCH 2/3] glx: fix BindTexImageEXT length check

Thu, 27 Jan 2011 01:32:54 -0800 

The request is followed by a list of attributes.

X.Org bug#33449

Reported-and-tested-by: meng <[email protected]>
Signed-off-by: Julien Cristau <[email protected]>
---
 glx/glxcmds.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0b375c3..5d633df 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, 
GLbyte *pc)
     GLXDrawable                 drawId;
     int                         buffer;
     int                         error;
+    CARD32              num_attribs;
 
-    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+       return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
     buffer = *((INT32 *)  (pc + 4));
+    num_attribs = *((CARD32 *) (pc + 8));
+    if (num_attribs > (UINT32_MAX >> 3)) {
+       client->errorValue = num_attribs;
+       return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
 
     if (buffer != GLX_FRONT_LEFT_EXT)
        return __glXError(GLXBadPixmap);
-- 
1.7.2.3

_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel

Reply via email to