From a883cf1545abd89bb2cadfa659718884b56fd234 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sun, 23 Jan 2011 17:05:26 +0100 Subject: [PATCH 1/3] glx: fix request length check for CreateGLXPbufferSGIX The request is followed by an attribute list. Signed-off-by: Julien Cristau Reviewed-by: Adam Jackson --- glx/glxcmds.c | 2 +- glx/glxcmdsswap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 3ef567d10..0b375c382 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1436,7 +1436,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; - REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq); return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 3bb4cade9..9d96c9de3 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -421,7 +421,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); From 1137c11be0f82049d28024eaf963c6f76e0d4334 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Wed, 26 Jan 2011 13:06:53 +0100 Subject: [PATCH 2/3] glx: fix BindTexImageEXT length check The request is followed by a list of attributes. X.Org bug#33449 Reported-and-tested-by: meng Signed-off-by: Julien Cristau Reviewed-by: Adam Jackson --- glx/glxcmds.c | 10 +++++++++- glx/glxcmdsswap.c | 6 +++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 0b375c382..5d633dfc5 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) GLXDrawable drawId; int buffer; int error; + CARD32 num_attribs; - REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len) + return BadLength; pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); buffer = *((INT32 *) (pc + 4)); + num_attribs = *((CARD32 *) (pc + 8)); + if (num_attribs > (UINT32_MAX >> 3)) { + client->errorValue = num_attribs; + return BadValue; + } + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3)); if (buffer != GLX_FRONT_LEFT_EXT) return __glXError(GLXBadPixmap); diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 9d96c9de3..d58de6299 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -648,19 +648,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; + CARD32 *num_attribs; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len) + return BadLength; pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); buffer = ((int *) (pc + 4)); + num_attribs = ((CARD32 *) (pc + 8)); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(drawId); __GLX_SWAP_INT(buffer); + __GLX_SWAP_INT(num_attribs); return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc); } From 402b329c3aa8ddbebaa1f593306a02d4cd6fed26 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sun, 23 Jan 2011 13:35:54 +0100 Subject: [PATCH 3/3] glx: Work around wrong request lengths sent by mesa mesa used to send too long requests for GLXDestroyPixmap, GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes and GLXGetFBConfigsSGIX. Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 X.Org bug#33324 Reported-by: xunx.fang@intel.com Signed-off-by: Julien Cristau Reviewed-by: Adam Jackson --- glx/glxcmds.c | 19 +++++++++++++++---- glx/glxcmdsswap.c | 12 +++++++----- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 5d633dfc5..9b4bc9ec3 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1132,7 +1132,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; - REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + /* work around mesa bug, don't use REQUEST_SIZE_MATCH */ + REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } @@ -1356,7 +1357,9 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; - REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set + * length to 3 instead of 2 */ + REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq); return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1498,7 +1501,13 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) client->errorValue = req->numAttribs; return BadValue; } +#if 0 + /* mesa sends an additional 8 bytes */ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); +#else + if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) + return BadLength; +#endif return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); @@ -1563,7 +1572,8 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; - REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */ + REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq); return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } @@ -1872,7 +1882,8 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; - REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */ + REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq); return DoGetDrawableAttributes(cl, req->drawable); } diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index d58de6299..76e6fb629 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -279,7 +279,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq); __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigsSGIX(cl, pc); @@ -368,7 +368,7 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); @@ -476,7 +476,9 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) client->errorValue = req->numAttribs; return BadValue; } - REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) + return BadLength; + attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -542,7 +544,7 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc) xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq); __GLX_SWAP_INT(&req->glxwindow); @@ -742,7 +744,7 @@ int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable);