frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

glx: fix BindTexImageEXT length check 

The request is followed by a list of attributes.

X.Org bug#33449

Reported-and-tested-by: meng <mengmeng.meng@intel.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This commit is contained in:
Julien Cristau 2011-01-26 13:06:53 +01:00
parent a883cf1545
commit 1137c11be0
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
glx/glxcmds.c
View File

@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
GLXDrawable drawId;
int buffer;
int error;
CARD32 num_attribs;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
buffer = *((INT32 *) (pc + 4));
num_attribs = *((CARD32 *) (pc + 8));
if (num_attribs > (UINT32_MAX >> 3)) {
client->errorValue = num_attribs;
return BadValue;
}
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
if (buffer != GLX_FRONT_LEFT_EXT)
return __glXError(GLXBadPixmap);

6
glx/glxcmdsswap.c
View File

@ -648,19 +648,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
CARD32 *num_attribs;
__GLX_DECLARE_SWAP_VARIABLES;
REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc));
buffer = ((int *) (pc + 4));
num_attribs = ((CARD32 *) (pc + 8));
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(drawId);
__GLX_SWAP_INT(buffer);
__GLX_SWAP_INT(num_attribs);
return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
}