[Xquartz-changes] xserver: Branch 'server-1.16-branch' - 68 commits
Jeremy Huddleston
jeremyhu at freedesktop.org
Sun Feb 15 01:08:24 PST 2015
Xext/shm.c | 15 +-
Xext/xcmisc.c | 1
Xext/xvdisp.c | 20 +++
Xi/chgdctl.c | 8 +
Xi/chgfctl.c | 2
Xi/sendexev.c | 3
Xi/xiallowev.c | 2
Xi/xichangecursor.c | 2
Xi/xichangehierarchy.c | 35 +++++
Xi/xigetclientpointer.c | 1
Xi/xigrabdev.c | 9 +
Xi/xipassivegrab.c | 12 +-
Xi/xiproperty.c | 14 +-
Xi/xiquerydevice.c | 1
Xi/xiquerypointer.c | 2
Xi/xiselectev.c | 8 +
Xi/xisetclientpointer.c | 3
Xi/xisetdevfocus.c | 4
Xi/xiwarppointer.c | 2
config/udev.c | 30 +++--
configure.ac | 5
dbe/dbe.c | 17 ++
dix/devices.c | 2
dix/dispatch.c | 3
dix/region.c | 20 ++-
dri3/dri3_request.c | 6 +
fb/fbseg.c | 20 +--
fb/fbwindow.c | 2
glx/clientinfo.c | 20 ++-
glx/glxcmds.c | 85 ++++++++------
glx/glxcmdsswap.c | 4
glx/glxserver.h | 43 +++++++
glx/indirect_dispatch.c | 25 ++++
glx/indirect_dispatch_swap.c | 26 ++++
glx/indirect_program.c | 2
glx/indirect_reqsize.c | 142 +++++++++++-------------
glx/indirect_reqsize.h | 181 +++++++++++++++++++------------
glx/indirect_texture_compression.c | 4
glx/indirect_util.c | 9 +
glx/rensize.c | 114 +++++++++++--------
glx/single2.c | 23 +++
glx/single2swap.c | 19 ++-
glx/singlepix.c | 60 ++++++----
glx/singlepixswap.c | 50 ++++++--
glx/swap_interval.c | 2
glx/unpack.h | 3
hw/xfree86/common/xf86Bus.c | 3
hw/xfree86/common/xf86platformBus.c | 24 +++-
hw/xfree86/common/xf86platformBus.h | 1
hw/xfree86/dri2/dri2.c | 3
hw/xfree86/dri2/dri2ext.c | 3
hw/xquartz/GL/indirect.c | 37 +++++-
hw/xwayland/Makefile.am | 4
include/dix.h | 7 +
include/regionstr.h | 10 +
man/Xserver.man | 10 +
os/WaitFor.c | 41 ++++---
os/access.c | 6 +
os/rpcauth.c | 4
present/present.c | 24 ++--
present/present_event.c | 2
present/present_request.c | 6 +
randr/rroutput.c | 6 -
randr/rrscreen.c | 22 +++
randr/rrsdispatch.c | 4
randr/rrxinerama.c | 12 +-
render/render.c | 20 ++-
test/Makefile.am | 2
test/misc.c | 37 ++++++
test/xi1/Makefile.am | 34 +++++
test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++
test/xi2/protocol-xigetclientpointer.c | 5
test/xi2/protocol-xipassivegrabdevice.c | 8 +
test/xi2/protocol-xiquerypointer.c | 4
test/xi2/protocol-xiwarppointer.c | 3
xfixes/select.c | 1
xkb/xkb.c | 100 ++++++++++-------
77 files changed, 1196 insertions(+), 430 deletions(-)
New commits:
commit 87c6ecdec88bb9ebbda240979575fd33da38a39c
Author: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
Date: Sun Jun 1 04:29:19 2014 -0700
XQuartz: GLX: Use __glXEnableExtension to build extensions list
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
(cherry picked from commit 3790001ea29658872aebda00a03170e392b47878)
diff --git a/hw/xquartz/GL/indirect.c b/hw/xquartz/GL/indirect.c
index 19b7d86..4e6ab3d 100644
--- a/hw/xquartz/GL/indirect.c
+++ b/hw/xquartz/GL/indirect.c
@@ -52,6 +52,7 @@
#include "visualConfigs.h"
#include "dri.h"
+#include "extension_string.h"
#include "darwin.h"
#define GLAQUA_DEBUG_MSG(msg, args ...) ASL_LOG(ASL_LEVEL_DEBUG, "GLXAqua", \
@@ -111,6 +112,10 @@ typedef struct __GLXAquaDrawable __GLXAquaDrawable;
*/
struct __GLXAquaScreen {
__GLXscreen base;
+
+ /* Supported GLX extensions */
+ unsigned char glx_enable_bits[__GLX_EXT_BYTES];
+
int index;
int num_vis;
};
@@ -541,13 +546,33 @@ __glXAquaScreenProbe(ScreenPtr pScreen)
screen->base.GLXmajor = 1;
screen->base.GLXminor = 4;
- screen->base.GLXextensions = strdup("GLX_SGIX_fbconfig "
- "GLX_SGIS_multisample "
- "GLX_ARB_multisample "
- "GLX_EXT_visual_info "
- "GLX_EXT_import_context ");
- /*We may be able to add more GLXextensions at a later time. */
+ memset(screen->glx_enable_bits, 0, __GLX_EXT_BYTES);
+
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_EXT_visual_info");
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_EXT_visual_rating");
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_EXT_import_context");
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_OML_swap_method");
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_SGIX_fbconfig");
+
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_SGIS_multisample");
+ __glXEnableExtension(screen->glx_enable_bits, "GLX_ARB_multisample");
+
+ //__glXEnableExtension(screen->glx_enable_bits, "GLX_ARB_create_context");
+ //__glXEnableExtension(screen->glx_enable_bits, "GLX_ARB_create_context_profile");
+
+ // Generate the GLX extensions string (overrides that set by __glXScreenInit())
+ {
+ unsigned int buffer_size =
+ __glXGetExtensionString(screen->glx_enable_bits, NULL);
+ if (buffer_size > 0) {
+ free(screen->base.GLXextensions);
+
+ screen->base.GLXextensions = xnfalloc(buffer_size);
+ __glXGetExtensionString(screen->glx_enable_bits,
+ screen->base.GLXextensions);
+ }
+ }
return &screen->base;
}
commit ff76b219f6513b5ef63105165c301f7d69da0e05
Author: Julien Cristau <jcristau at debian.org>
Date: Wed Feb 11 00:33:17 2015 +0100
Bump to 1.16.4
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/configure.ac b/configure.ac
index 2964c34..efcaa1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.3, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+AC_INIT([xorg-server], 1.16.4, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
RELEASE_DATE="2014-12-20"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
commit 8f61533b16635a0a13f4048235246edb138fa40b
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Fri Jan 16 08:44:45 2015 +0100
xkb: Check strings length against request size
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 6fc938b..c8a9e9e 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
/***====================================================================***/
-static char *
-_GetCountedString(char **wire_inout, Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
- char *wire, *str;
+ char *wire, *next;
CARD16 len;
wire = *wire_inout;
len = *(CARD16 *) wire;
- if (swap) {
+ if (client->swapped) {
swaps(&len);
}
- str = malloc(len + 1);
- if (str) {
- memcpy(str, &wire[2], len);
- str[len] = '\0';
- }
- wire += XkbPaddedSize(len + 2);
- *wire_inout = wire;
- return str;
+ next = wire + XkbPaddedSize(len + 2);
+ /* Check we're still within the size of the request */
+ if (client->req_len <
+ bytes_to_int32(next - (char *) client->requestBuffer))
+ return BadValue;
+ *str = malloc(len + 1);
+ if (!*str)
+ return BadAlloc;
+ memcpy(*str, &wire[2], len);
+ *(*str + len) = '\0';
+ *wire_inout = next;
+ return Success;
}
static Status
@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
xkbAnyDoodadWireDesc any;
xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad;
+ Status status;
dWire = (xkbDoodadWireDesc *) (*wire_inout);
any = dWire->any;
@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
doodad->text.width = text.width;
doodad->text.height = text.height;
doodad->text.color_ndx = dWire->text.colorNdx;
- doodad->text.text = _GetCountedString(&wire, client->swapped);
- doodad->text.font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->text.text);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &doodad->text.font);
+ if (status != Success) {
+ free (doodad->text.text);
+ return status;
+ }
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx >= geom->num_colors) {
@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
}
doodad->logo.color_ndx = dWire->logo.colorNdx;
doodad->logo.shape_ndx = dWire->logo.shapeNdx;
- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+ if (status != Success)
+ return status;
break;
default:
client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
char *wire;
wire = (char *) &req[1];
- geom->label_font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &geom->label_font);
+ if (status != Success)
+ return status;
for (i = 0; i < req->nProperties; i++) {
char *name, *val;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
- val = _GetCountedString(&wire, client->swapped);
- if (!val) {
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &val);
+ if (status != Success) {
free(name);
- return BadAlloc;
+ return status;
}
if (XkbAddGeomProperty(geom, name, val) == NULL) {
free(name);
@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
for (i = 0; i < req->nColors; i++) {
char *name;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
free(name);
return BadAlloc;
commit 747cea16c4de1f48e838e1388301a2e24a3da6c4
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Fri Jan 16 20:08:59 2015 +0100
xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/xkb/xkb.c b/xkb/xkb.c
index dc570f0..6fc938b 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -4961,14 +4961,13 @@ static char *
_GetCountedString(char **wire_inout, Bool swap)
{
char *wire, *str;
- CARD16 len, *plen;
+ CARD16 len;
wire = *wire_inout;
- plen = (CARD16 *) wire;
+ len = *(CARD16 *) wire;
if (swap) {
- swaps(plen);
+ swaps(&len);
}
- len = *plen;
str = malloc(len + 1);
if (str) {
memcpy(str, &wire[2], len);
@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
{
char *wire;
xkbDoodadWireDesc *dWire;
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad;
dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
wire = (char *) &dWire[1];
if (client->swapped) {
- swapl(&dWire->any.name);
- swaps(&dWire->any.top);
- swaps(&dWire->any.left);
- swaps(&dWire->any.angle);
+ swapl(&any.name);
+ swaps(&any.top);
+ swaps(&any.left);
+ swaps(&any.angle);
}
CHK_ATOM_ONLY(dWire->any.name);
- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
+ doodad = XkbAddGeomDoodad(geom, section, any.name);
if (!doodad)
return BadAlloc;
doodad->any.type = dWire->any.type;
doodad->any.priority = dWire->any.priority;
- doodad->any.top = dWire->any.top;
- doodad->any.left = dWire->any.left;
- doodad->any.angle = dWire->any.angle;
+ doodad->any.top = any.top;
+ doodad->any.left = any.left;
+ doodad->any.angle = any.angle;
switch (doodad->any.type) {
case XkbOutlineDoodad:
case XkbSolidDoodad:
@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
dWire->text.colorNdx);
return BadMatch;
}
+ text = dWire->text;
if (client->swapped) {
- swaps(&dWire->text.width);
- swaps(&dWire->text.height);
+ swaps(&text.width);
+ swaps(&text.height);
}
- doodad->text.width = dWire->text.width;
- doodad->text.height = dWire->text.height;
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
doodad->text.color_ndx = dWire->text.colorNdx;
doodad->text.text = _GetCountedString(&wire, client->swapped);
doodad->text.font = _GetCountedString(&wire, client->swapped);
commit 0722a8043c89e7224c398eef270611cc65c1e219
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Sat Jan 17 10:09:54 2015 +0000
dri2: SourceOffloads may be for DRI3 only
As a DDX may declare offload support without supporting DRI2
(because it is using an alternative acceleration mechanism like DRI3),
when iterating the list of offload_source Screens to find a matching
DRI2 provider we need to check before assuming it is DRI2 capable.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88514
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Reviewed-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 082931014811e587a9734cbf4d88fd948979b641)
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index 6459f11..f64ba7c 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -156,6 +156,9 @@ GetScreenPrime(ScreenPtr master, int prime_id)
DRI2ScreenPtr ds;
ds = DRI2GetScreen(slave);
+ if (ds == NULL)
+ continue;
+
if (ds->prime_id == prime_id)
return slave;
}
commit f7e3478fe7817457017f31eb51803c4d03c69249
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Jan 5 16:48:11 2015 -0500
dix: make RegionInit legal C++
The CVE fix in:
commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 22:37:15 2014 -0800
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
offended the C++ demons:
../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to
'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive]
Normally this isn't a problem, because around here we have the sense and
common decency to not use C++, but this does make tigervnc fail to build,
which is a little rude of us.
Signed-off-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit bb23fbf5bb278113c9c481875423b4d128180972)
diff --git a/include/regionstr.h b/include/regionstr.h
index 33df87f..00343f2 100644
--- a/include/regionstr.h
+++ b/include/regionstr.h
@@ -144,7 +144,7 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
size_t rgnSize;
(_pReg)->extents = RegionEmptyBox;
if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
- (((_pReg)->data = malloc(rgnSize)) != NULL)) {
+ (((_pReg)->data = (RegDataPtr) malloc(rgnSize)) != NULL)) {
(_pReg)->data->size = (_size);
(_pReg)->data->numRects = 0;
}
commit 645ae07fac78dd2444fd744d3bf9b27e27d06e41
Author: Dave Airlie <airlied at redhat.com>
Date: Fri Jan 30 09:59:49 2015 +1000
config/udev: Respect seat assignments when assigned devices
Jonathan Dieter posted a few patches to do this inside the Xorg
server but it makes no sense to do it there, just have the code
we use to probe the device list at startup check seat assignments
using the same code we check at hotplug time.
Bugilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183654
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Acked-by: Hans de Goede <hdegoede at redhat.com>
Tested-by: Jonathan Dieter <jdieter at lesbg.com>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 697b696e5e24d0679f133183a3bb0852025377c2)
diff --git a/config/udev.c b/config/udev.c
index a1b72c1..71215af 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -69,6 +69,24 @@ static const char *itoa(int i)
return itoa_buf;
}
+static Bool
+check_seat(struct udev_device *udev_device)
+{
+ const char *dev_seat;
+
+ dev_seat = udev_device_get_property_value(udev_device, "ID_SEAT");
+ if (!dev_seat)
+ dev_seat = "seat0";
+
+ if (SeatId && strcmp(dev_seat, SeatId))
+ return FALSE;
+
+ if (!SeatId && strcmp(dev_seat, "seat0"))
+ return FALSE;
+
+ return TRUE;
+}
+
static void
device_added(struct udev_device *udev_device)
{
@@ -83,7 +101,6 @@ device_added(struct udev_device *udev_device)
struct udev_list_entry *set, *entry;
struct udev_device *parent;
int rc;
- const char *dev_seat;
dev_t devnum;
path = udev_device_get_devnode(udev_device);
@@ -93,14 +110,7 @@ device_added(struct udev_device *udev_device)
if (!path || !syspath)
return;
- dev_seat = udev_device_get_property_value(udev_device, "ID_SEAT");
- if (!dev_seat)
- dev_seat = "seat0";
-
- if (SeatId && strcmp(dev_seat, SeatId))
- return;
-
- if (!SeatId && strcmp(dev_seat, "seat0"))
+ if (!check_seat(udev_device))
return;
devnum = udev_device_get_devnum(udev_device);
@@ -506,6 +516,8 @@ config_udev_odev_probe(config_odev_probe_proc_ptr probe_callback)
goto no_probe;
else if (strncmp(sysname, "card", 4) != 0)
goto no_probe;
+ else if (!check_seat(udev_device))
+ goto no_probe;
config_udev_odev_setup_attribs(path, syspath, major(devnum),
minor(devnum), probe_callback);
commit cdcf9e95108853e5ea2ed825a25e8f3b4d527535
Author: Dave Airlie <airlied at redhat.com>
Date: Wed Jan 7 09:19:27 2015 +1000
randr: attempt to fix primary on slave output (v2)
If the user wants to set one of the slave devices as
the primary output, we shouldn't fail to do so,
we were returning BadMatch which was tripping up
gnome-settings-daemon and bad things ensues.
Fix all the places we use primaryOutput to work
out primaryCrtc and take it into a/c when slave
gpus are in use.
v2: review from Aaron, fix indent, unhide has_primary from
macro. I left the int vs Bool alone to be consistent with
code below, a future patch could fix both.
Signed-off-by: Dave Airlie <airlied at redhat.com>
Reviewed-by: Aaron Plattner <aplattner at nvidia.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit df1b401f57ad4b4925bad66684445b476562f26f)
diff --git a/randr/rroutput.c b/randr/rroutput.c
index f824f50..1649309 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -540,7 +540,11 @@ ProcRRSetOutputPrimary(ClientPtr client)
if (stuff->output) {
VERIFY_RR_OUTPUT(stuff->output, output, DixReadAccess);
- if (output->pScreen != pWin->drawable.pScreen) {
+ if (!output->pScreen->isGPU && output->pScreen != pWin->drawable.pScreen) {
+ client->errorValue = stuff->window;
+ return BadMatch;
+ }
+ if (output->pScreen->isGPU && output->pScreen->current_master != pWin->drawable.pScreen) {
client->errorValue = stuff->window;
return BadMatch;
}
diff --git a/randr/rrscreen.c b/randr/rrscreen.c
index 36179ae..e7ea49d 100644
--- a/randr/rrscreen.c
+++ b/randr/rrscreen.c
@@ -322,8 +322,13 @@ static inline void swap_modeinfos(xRRModeInfo *modeinfos, int i)
swapl(&modeinfos[i].modeFlags);
}
-#define update_arrays(gpuscreen, pScrPriv) do { \
+#define update_arrays(gpuscreen, pScrPriv, primary_crtc, has_primary) do { \
for (j = 0; j < pScrPriv->numCrtcs; j++) { \
+ if (has_primary && \
+ primary_crtc == pScrPriv->crtcs[j]) { \
+ has_primary = 0; \
+ continue; \
+ }\
crtcs[crtc_count] = pScrPriv->crtcs[j]->id; \
if (client->swapped) \
swapl(&crtcs[crtc_count]); \
@@ -366,9 +371,11 @@ rrGetMultiScreenResources(ClientPtr client, Bool query, ScreenPtr pScreen)
unsigned long extraLen;
CARD8 *extra;
RRCrtc *crtcs;
+ RRCrtcPtr primary_crtc = NULL;
RROutput *outputs;
xRRModeInfo *modeinfos;
CARD8 *names;
+ int has_primary = 0;
/* we need to iterate all the GPU masters and all their output slaves */
total_crtcs = 0;
@@ -426,18 +433,25 @@ rrGetMultiScreenResources(ClientPtr client, Bool query, ScreenPtr pScreen)
modeinfos = (xRRModeInfo *)(outputs + total_outputs);
names = (CARD8 *)(modeinfos + total_modes);
- /* TODO primary */
crtc_count = 0;
output_count = 0;
mode_count = 0;
pScrPriv = rrGetScrPriv(pScreen);
- update_arrays(pScreen, pScrPriv);
+ if (pScrPriv->primaryOutput && pScrPriv->primaryOutput->crtc) {
+ has_primary = 1;
+ primary_crtc = pScrPriv->primaryOutput->crtc;
+ crtcs[0] = pScrPriv->primaryOutput->crtc->id;
+ if (client->swapped)
+ swapl(&crtcs[0]);
+ crtc_count = 1;
+ }
+ update_arrays(pScreen, pScrPriv, primary_crtc, has_primary);
xorg_list_for_each_entry(iter, &pScreen->output_slave_list, output_head) {
pScrPriv = rrGetScrPriv(iter);
- update_arrays(iter, pScrPriv);
+ update_arrays(iter, pScrPriv, primary_crtc, has_primary);
}
assert(bytes_to_int32((char *) names - (char *) extra) == rep.length);
diff --git a/randr/rrxinerama.c b/randr/rrxinerama.c
index 76d728c..363cead 100644
--- a/randr/rrxinerama.c
+++ b/randr/rrxinerama.c
@@ -344,15 +344,17 @@ ProcRRXineramaQueryScreens(ClientPtr client)
ScreenPtr slave;
rrScrPriv(pScreen);
int has_primary = 0;
+ RRCrtcPtr primary_crtc = NULL;
if (pScrPriv->primaryOutput && pScrPriv->primaryOutput->crtc) {
has_primary = 1;
+ primary_crtc = pScrPriv->primaryOutput->crtc;
RRXineramaWriteCrtc(client, pScrPriv->primaryOutput->crtc);
}
for (i = 0; i < pScrPriv->numCrtcs; i++) {
if (has_primary &&
- pScrPriv->primaryOutput->crtc == pScrPriv->crtcs[i]) {
+ primary_crtc == pScrPriv->crtcs[i]) {
has_primary = 0;
continue;
}
@@ -362,8 +364,14 @@ ProcRRXineramaQueryScreens(ClientPtr client)
xorg_list_for_each_entry(slave, &pScreen->output_slave_list, output_head) {
rrScrPrivPtr pSlavePriv;
pSlavePriv = rrGetScrPriv(slave);
- for (i = 0; i < pSlavePriv->numCrtcs; i++)
+ for (i = 0; i < pSlavePriv->numCrtcs; i++) {
+ if (has_primary &&
+ primary_crtc == pSlavePriv->crtcs[i]) {
+ has_primary = 0;
+ continue;
+ }
RRXineramaWriteCrtc(client, pSlavePriv->crtcs[i]);
+ }
}
}
commit 5c4da5634505556c8249ba6da0adee9fb2621096
Author: Nikhil Mahale <nmahale at nvidia.com>
Date: Sat Jan 24 17:06:59 2015 -0800
os: Fix timer race conditions
Fixing following kind of race-conditions -
WaitForSomething()
|
----> // timers -> timer-1 -> timer-2 -> null
while (timers && (int) (timers->expires - now) <= 0)
// prototype - DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
DoTimer(timers, now, &timers)
|
|
----> OsBlockSignals(); .... OS Signal comes just before blocking it,
.... timer-1 handler gets called.
// timer-1 gets served and scheduled again;
// timers -> timer-2 -> timer-1 -> null
....
*prev = timer->next;
timer->next = NULL; // timers -> null
// timers list gets corrupted here and timer-2 gets removed from list.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=86288
Signed-off-by: Nikhil Mahale <nmahale at nvidia.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
v2: Apply warning fixes from Keith Packard <keithp at keithp.com>
Reviewed-by: Aaron Plattner <aplattner at nvidia.com>
Signed-off-by: Aaron Plattner <aplattner at nvidia.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit fe4c774c572e3f55a7417f0ca336ae1479a966ad)
diff --git a/os/WaitFor.c b/os/WaitFor.c
index 3eb15b9..343de0c 100644
--- a/os/WaitFor.c
+++ b/os/WaitFor.c
@@ -121,9 +121,9 @@ struct _OsTimerRec {
void *arg;
};
-static void DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev);
+static void DoTimer(OsTimerPtr timer, CARD32 now, volatile OsTimerPtr *prev);
static void CheckAllTimers(void);
-static OsTimerPtr timers = NULL;
+static volatile OsTimerPtr timers = NULL;
/*****************
* WaitForSomething:
@@ -263,11 +263,14 @@ WaitForSomething(int *pClientsReady)
if ((int) (timers->expires - now) <= 0)
expired = 1;
- while (timers && (int) (timers->expires - now) <= 0)
- DoTimer(timers, now, &timers);
+ if (expired) {
+ OsBlockSignals();
+ while (timers && (int) (timers->expires - now) <= 0)
+ DoTimer(timers, now, &timers);
+ OsReleaseSignals();
- if (expired)
return 0;
+ }
}
}
else {
@@ -281,11 +284,14 @@ WaitForSomething(int *pClientsReady)
if ((int) (timers->expires - now) <= 0)
expired = 1;
- while (timers && (int) (timers->expires - now) <= 0)
- DoTimer(timers, now, &timers);
+ if (expired) {
+ OsBlockSignals();
+ while (timers && (int) (timers->expires - now) <= 0)
+ DoTimer(timers, now, &timers);
+ OsReleaseSignals();
- if (expired)
return 0;
+ }
}
}
if (someReady)
@@ -401,24 +407,25 @@ CheckAllTimers(void)
}
static void
-DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
+DoTimer(OsTimerPtr timer, CARD32 now, volatile OsTimerPtr *prev)
{
CARD32 newTime;
OsBlockSignals();
*prev = timer->next;
timer->next = NULL;
+ OsReleaseSignals();
+
newTime = (*timer->callback) (timer, now, timer->arg);
if (newTime)
TimerSet(timer, 0, newTime, timer->callback, timer->arg);
- OsReleaseSignals();
}
OsTimerPtr
TimerSet(OsTimerPtr timer, int flags, CARD32 millis,
OsTimerCallback func, void *arg)
{
- register OsTimerPtr *prev;
+ volatile OsTimerPtr *prev;
CARD32 now = GetTimeInMillis();
if (!timer) {
@@ -470,7 +477,7 @@ Bool
TimerForce(OsTimerPtr timer)
{
int rc = FALSE;
- OsTimerPtr *prev;
+ volatile OsTimerPtr *prev;
OsBlockSignals();
for (prev = &timers; *prev; prev = &(*prev)->next) {
@@ -487,7 +494,7 @@ TimerForce(OsTimerPtr timer)
void
TimerCancel(OsTimerPtr timer)
{
- OsTimerPtr *prev;
+ volatile OsTimerPtr *prev;
if (!timer)
return;
@@ -515,8 +522,12 @@ TimerCheck(void)
{
CARD32 now = GetTimeInMillis();
- while (timers && (int) (timers->expires - now) <= 0)
- DoTimer(timers, now, &timers);
+ if (timers && (int) (timers->expires - now) <= 0) {
+ OsBlockSignals();
+ while (timers && (int) (timers->expires - now) <= 0)
+ DoTimer(timers, now, &timers);
+ OsReleaseSignals();
+ }
}
void
commit f39ac527baab8a38d023e3a8416757ccfcead42a
Author: Keith Packard <keithp at keithp.com>
Date: Sat Jan 3 08:46:45 2015 -0800
dix: Allow zero-height PutImage requests
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit dc777c346d5d452a53b13b917c45f6a1bad2f20b)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 01820bc..4e24e62 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -1956,7 +1956,7 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +
commit 16f157cbf6b9c3193b4e622b9c4552e83a343e9d
Author: Julien Cristau <jcristau at debian.org>
Date: Sat Dec 20 12:38:41 2014 +0100
Bump to 1.16.3
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/configure.ac b/configure.ac
index 9308912..2964c34 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.2.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2014-12-09"
+AC_INIT([xorg-server], 1.16.3, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2014-12-20"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
commit 9b037af0410bb1f63d370d8b8be06135de7af600
Author: Julien Cristau <jcristau at debian.org>
Date: Tue Dec 9 20:55:02 2014 +0100
Bump to 1.16.2.901
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/configure.ac b/configure.ac
index 39bea68..9308912 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2014-11-10"
+AC_INIT([xorg-server], 1.16.2.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2014-12-09"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
commit f7ff55a374d91f8b513159809ed41c3e029a6074
Author: Keith Packard <keithp at keithp.com>
Date: Tue Dec 9 09:31:00 2014 -0800
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 1559a94395258fd73e369f1a2c98a44bfe21a486)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/os/access.c b/os/access.c
index e5a0672..61624fd 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1335,7 +1335,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
commit 8e7c4380a56ab05412f630e9b6e02580cb04a804
Author: Keith Packard <keithp at keithp.com>
Date: Tue Dec 9 09:30:59 2014 -0800
Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
The 'n' parameter must be surrounded by parens in both places to
prevent precedence from mis-computing things.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 9802a0162f738de03585ca3f3b8a8266494f7d45)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/include/dix.h b/include/dix.h
index 4189286..c5c86b6 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -80,7 +80,7 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- ((n >> 2) >= client->req_len) || \
+ (((n) >> 2) >= client->req_len) || \
((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
commit 1069ca99298bf1e85e001bfde90b00a42afdb5d8
Author: Keith Packard <keithp at keithp.com>
Date: Tue Dec 9 09:30:58 2014 -0800
glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
We're using compiler compatibility settings which generate warnings
when a variable is declared after the first statement.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 61b17c0f10307e25e51e30e6fb1d3e3127f82d86)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/clientinfo.c b/glx/clientinfo.c
index c5fef30..74ad919 100644
--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -36,13 +36,14 @@ set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
ClientPtr client = cl->client;
char *gl_extensions;
char *glx_extensions;
+ int size;
REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
/* Verify that the size of the packet matches the size inferred from the
* sizes specified for the various fields.
*/
- int size = sz_xGLXSetClientInfoARBReq;
+ size = sz_xGLXSetClientInfoARBReq;
size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
size = safe_add(size, safe_pad(req->numGLExtensionBytes));
size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
commit 044764b5c627d1a6e8ea1dd8cf741a26aeb4b2e7
Author: Keith Packard <keithp at keithp.com>
Date: Tue Dec 9 09:30:57 2014 -0800
dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.
At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.
Signed-off-by: Keith Packard <keithp at keithp.com
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 719e640..fc3d475 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
int error;
unsigned int i, j;
unsigned int nStuff;
+ int nStuff_i; /* DDX API requires int for nStuff */
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
* could deal with cross-screen synchronization.
*/
- while (nStuff > 0) {
+ nStuff_i = nStuff;
+ while (nStuff_i > 0) {
pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
if (error != Success) {
free(swapInfo);
return error;
commit 73b1880eb37bd8ffbc3e36739e94f9b56b8323b9
Author: Robert Morell <rmorell at nvidia.com>
Date: Wed Nov 12 18:51:43 2014 -0800
glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
bitwise not operation will result in a mask that clears all high bits
from temp_buf in the expression:
temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell <rmorell at nvidia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 7e7630bbb775573eea2a2335adb9d190c3e1e971)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index 183af83..cebb782 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
void *local_buffer, size_t local_size, unsigned alignment)
{
void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
if (local_size < required_size) {
size_t worst_case_size;
commit 912df16404b80ea143bd75cdacc0d0976bae4c96
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:48 2014 -0500
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit e883c170c15493ab3637c0a01890f5a7ca4e16a5)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index a7bbe8c..336a873 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2065,7 +2065,8 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
if (entry.varsize) {
/* variable size command */
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
- client->swapped);
+ client->swapped,
+ left - __GLX_RENDER_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
@@ -2142,6 +2143,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData entry;
int extra = 0;
+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
size_t cmdlen;
int err;
@@ -2182,7 +2184,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** will be in the 1st request, so it's okay to do this.
*/
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
- client->swapped);
+ client->swapped,
+ left - __GLX_RENDER_LARGE_HDR_SIZE);
if (extra < 0) {
return BadLength;
}
diff --git a/glx/glxserver.h b/glx/glxserver.h
index 9482601..9088ec4 100644
--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -177,7 +177,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
/*
* Tables for computing the size of each rendering command.
*/
-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
typedef struct {
int bytes;
diff --git a/glx/indirect_reqsize.c b/glx/indirect_reqsize.c
index 026afb6..092a421 100644
--- a/glx/indirect_reqsize.c
+++ b/glx/indirect_reqsize.c
@@ -31,24 +31,22 @@
#include "indirect_size.h"
#include "indirect_reqsize.h"
-#define __GLX_PAD(x) (((x) + 3) & ~3)
-
#if defined(__CYGWIN__) || defined(__MINGW32__)
#undef HAVE_ALIAS
#endif
#ifdef HAVE_ALIAS
#define ALIAS2(from,to) \
- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
__attribute__ ((alias( # to )));
#define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
#else
#define ALIAS(from,to) \
- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
- { return __glX ## to ## ReqSize( pc, swap ); }
+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
#endif
int
-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 0);
GLenum type = *(GLenum *) (pc + 4);
@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glCallLists_size(type);
- return __GLX_PAD((compsize * n));
+ return safe_pad(safe_mul(compsize, n));
}
int
-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 0);
GLsizei compsize;
@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glFogfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glLightfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 0);
GLsizei compsize;
@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glLightModelfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glMaterialfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glTexParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glTexEnvfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glTexGendv_size(pname);
- return __GLX_PAD((compsize * 8));
+ return safe_pad(safe_mul(compsize, 8));
}
int
-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glTexGenfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei mapsize = *(GLsizei *) (pc + 4);
@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
mapsize = bswap_32(mapsize);
}
- return __GLX_PAD((mapsize * 4));
+ return safe_pad(safe_mul(mapsize, 4));
}
int
-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei mapsize = *(GLsizei *) (pc + 4);
@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
mapsize = bswap_32(mapsize);
}
- return __GLX_PAD((mapsize * 2));
+ return safe_pad(safe_mul(mapsize, 2));
}
int
-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 0);
@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 4) + (n * 4));
+ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
}
int
-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glColorTableParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = 0;
@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 4);
GLsizei compsize;
@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glConvolutionParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = *(GLint *) (pc + 8);
@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLint row_length = *(GLint *) (pc + 4);
GLint image_height = *(GLint *) (pc + 8);
@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 20);
@@ -621,11 +619,11 @@ __glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 24);
@@ -633,11 +631,11 @@ __glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 28);
@@ -645,11 +643,11 @@ __glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
+__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei imageSize = *(GLsizei *) (pc + 36);
@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
imageSize = bswap_32(imageSize);
}
- return __GLX_PAD(imageSize);
+ return safe_pad(imageSize);
}
int
-__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
+__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum pname = *(GLenum *) (pc + 0);
GLsizei compsize;
@@ -671,11 +669,11 @@ __glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
}
compsize = __glPointParameterfv_size(pname);
- return __GLX_PAD((compsize * 4));
+ return safe_pad(safe_mul(compsize, 4));
}
int
-__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
+__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 0);
@@ -683,11 +681,11 @@ __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 4));
+ return safe_pad(safe_mul(n, 4));
}
int
-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei len = *(GLsizei *) (pc + 8);
@@ -695,11 +693,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
len = bswap_32(len);
}
- return __GLX_PAD(len);
+ return safe_pad(len);
}
int
-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -707,11 +705,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 8));
+ return safe_pad(safe_mul(n, 8));
}
int
-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -719,11 +717,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 16));
+ return safe_pad(safe_mul(n, 16));
}
int
-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -731,11 +729,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 24));
+ return safe_pad(safe_mul(n, 24));
}
int
-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -743,11 +741,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 12));
+ return safe_pad(safe_mul(n, 12));
}
int
-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -755,11 +753,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 6));
+ return safe_pad(safe_mul(n, 6));
}
int
-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLsizei n = *(GLsizei *) (pc + 4);
@@ -767,7 +765,7 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
n = bswap_32(n);
}
- return __GLX_PAD((n * 32));
+ return safe_pad(safe_mul(n, 32));
}
ALIAS(Fogiv, Fogfv)
diff --git a/glx/indirect_reqsize.h b/glx/indirect_reqsize.h
index 43e1e69..f0d8893 100644
--- a/glx/indirect_reqsize.h
+++ b/glx/indirect_reqsize.h
@@ -36,115 +36,156 @@
#define PURE
#endif
-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
- Bool swap);
-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
- Bool swap);
-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
- Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
+ Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
- Bool swap);
-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
+ Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
- Bool swap);
-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
+ Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc,
- Bool swap);
-extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap);
+ Bool swap, int reqlen);
+extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap, int reqlen);
extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
- Bool swap);
+ Bool swap,
+ int reqlen);
#undef PURE
diff --git a/glx/rensize.c b/glx/rensize.c
index 6ee0f9c..a532467 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -44,7 +44,7 @@
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
int
-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
GLint order;
@@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
GLint order;
@@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int minorOrder)
}
int
-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
GLint uorder, vorder;
@@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
}
int
-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
GLenum target;
GLint uorder, vorder;
@@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm)
}
int
-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
__GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
__GLXdispatchDrawArraysComponentHeader *compHeader;
GLint numVertexes = hdr->numVertexes;
GLint numComponents = hdr->numComponents;
GLint arrayElementSize = 0;
+ GLint x, size;
int i;
if (swap) {
@@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
}
pc += sizeof(__GLXdispatchDrawArraysHeader);
+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
+
+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
+ numComponents);
+ if (size < 0 || reqlen < 0 || reqlen < size)
+ return -1;
+
compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
for (i = 0; i < numComponents; i++) {
@@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
return -1;
}
- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
+ return -1;
pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
}
- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
- (numVertexes * arrayElementSize));
+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
}
int
-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
{
__GLXdispatchConvolutionFilterHeader *hdr =
(__GLXdispatchConvolutionFilterHeader *) pc;
commit 92de7a90a1f48b7fd37b8c78f6a2b8dfa13714a6
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:47 2014 -0500
glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 984583a497c813df5827ae22483133e704fee79c)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
index 2018de6..d2768f2 100644
--- a/glx/indirect_texture_compression.c
+++ b/glx/indirect_texture_compression.c
@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = *(GLenum *) (pc + 0);
@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__glXForceCurrent(cl, bswap_32(req->contextTag), &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
diff --git a/glx/single2.c b/glx/single2.c
index 53b661d..a6ea614 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -45,11 +45,14 @@
int
__glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
GLenum newMode;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
int
DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *) (pc + 0);
string = (const char *) glGetString(name);
- client = cl->client;
if (string == NULL)
string = "";
diff --git a/glx/single2swap.c b/glx/single2swap.c
index 764501f..5349069 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -41,6 +41,7 @@
int
__glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
cx->hasUnflushedCommands = GL_FALSE;
/* Send empty reply packet to indicate finish is finished */
- client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();
diff --git a/glx/singlepix.c b/glx/singlepix.c
index 8b6c261..54ed7fd 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
GLubyte answerBuffer[200];
char *answer;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
+ if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
- if (compsize2 < 0)
+ if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -249,7 +253,8 @@ int
__glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -257,7 +262,8 @@ int
__glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -323,7 +329,8 @@ int
__glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -331,7 +338,8 @@ int
__glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -390,7 +398,8 @@ int
__glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -398,7 +407,8 @@ int
__glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -450,7 +460,8 @@ int
__glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -458,7 +469,8 @@ int
__glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -517,7 +529,8 @@ int
__glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -525,6 +538,7 @@ int
__glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 8dc304f..9eff592 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
+ if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
- if (compsize2 < 0)
+ if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -285,7 +289,9 @@ int
__glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -293,7 +299,9 @@ int
__glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -367,7 +375,9 @@ int
__glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -375,7 +385,9 @@ int
__glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -441,7 +453,9 @@ int
__glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -449,7 +463,9 @@ int
__glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -507,7 +523,9 @@ int
__glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -515,7 +533,9 @@ int
__glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -581,7 +601,9 @@ int
__glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -589,6 +611,8 @@ int
__glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
commit 44ed4a6547136a0945cd85f93b83392cf53f58f2
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:46 2014 -0500
glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 44ba149f28ece93c2fbfc9cc980588de5322dd4b)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/indirect_program.c b/glx/indirect_program.c
index d503262..01562e6 100644
--- a/glx/indirect_program.c
+++ b/glx/indirect_program.c
@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
if (cx != NULL) {
GLenum target;
diff --git a/glx/swap_interval.c b/glx/swap_interval.c
index 17bc992..2320550 100644
--- a/glx/swap_interval.c
+++ b/glx/swap_interval.c
@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
__GLXcontext *cx;
GLint interval;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
cx = __glXLookupContextByTag(cl, tag);
if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
commit fe9672204ad9edc09c4ae6ba1b9e9de09ec98287
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:45 2014 -0500
glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit afe177020d1fb776c6163f21eddc82cb185b95ca)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/clientinfo.c b/glx/clientinfo.c
index 4aaa4c9..c5fef30 100644
--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
unsigned bytes_per_version)
{
+ ClientPtr client = cl->client;
char *gl_extensions;
char *glx_extensions;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
/* Verify that the size of the packet matches the size inferred from the
* sizes specified for the various fields.
*/
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ int size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
return BadLength;
/* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
commit 525db4433b042ad5a116ca0366498f5bc36e1640
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:44 2014 -0500
glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit c91e4abc3b892f42802efa20fef7ada442c2d3f5)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 5d179f3..9ec1222 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
commit cbf197e1c97ae0402abfc35514ef62120baee3a6
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:43 2014 -0500
glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
This is a half-measure until we start passing request length into the
varsize function, but it's better than the nothing we had before.
v2: Verify that there's at least a large render header's worth of
dataBytes (Julien Cristau)
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit a33a939e6abb255b14d8dbc85fcbd2c55b958bae)
Signed-off-by: Julien Cristau <jcristau at debian.org>
Conflicts:
glx/glxcmds.c
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 96fec30..a7bbe8c 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2107,6 +2107,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
req = (xGLXRenderLargeReq *) pc;
if (client->swapped) {
__GLX_SWAP_SHORT(&req->length);
@@ -2122,12 +2124,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__glXResetLargeCommandStatus(cl);
return error;
}
+ if (safe_pad(req->dataBytes) < 0)
+ return BadLength;
dataBytes = req->dataBytes;
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
@@ -2137,7 +2141,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
size_t cmdlen;
int err;
@@ -2150,13 +2154,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadLargeRequest);
}
+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+ return BadLength;
+
hdr = (__GLXrenderLargeHeader *) pc;
if (client->swapped) {
__GLX_SWAP_INT(&hdr->length);
__GLX_SWAP_INT(&hdr->opcode);
}
- cmdlen = hdr->length;
opcode = hdr->opcode;
+ if ((cmdlen = safe_pad(hdr->length)) < 0)
+ return BadLength;
/*
** Check for core opcodes and grab entry data.
@@ -2178,17 +2186,13 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) {
return BadLength;
}
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
- return BadLength;
- }
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
- return BadLength;
- }
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+ return BadLength;
}
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -2215,6 +2219,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -2233,11 +2238,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
+ }
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
}
+
memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -2249,17 +2261,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
commit 7590915c9d76ff7efdc6398a37351df9fab2ce7d
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:42 2014 -0500
glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 698888e6671d54c7ae41e9d456f7f5483a3459d2)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/rensize.c b/glx/rensize.c
index 10f76bc..6ee0f9c 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -43,19 +43,11 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-static int
-Map1Size(GLint k, GLint order)
-{
- if (order <= 0 || k < 0)
- return -1;
- return k * order;
-}
-
int
__glXMap1dReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 16);
order = *(GLint *) (pc + 20);
@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1d_size(target);
- return 8 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
int
__glXMap1fReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 0);
order = *(GLint *) (pc + 12);
@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1f_size(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
}
static int
Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+ if (majorOrder < 1 || minorOrder < 1)
return -1;
- return k * majorOrder * minorOrder;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
int
__glXMap2dReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 32);
uorder = *(GLint *) (pc + 36);
@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2d_size(target);
- return 8 * Map2Size(k, uorder, vorder);
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
int
__glXMap2fReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 0);
uorder = *(GLint *) (pc + 12);
@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2f_size(target);
- return 4 * Map2Size(k, uorder, vorder);
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
/**
@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w == 0 || h == 0 || d == 0)
- return 0;
+ /* proxy targets have no data */
switch (target) {
case GL_PROXY_TEXTURE_1D:
case GL_PROXY_TEXTURE_2D:
@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
return 0;
}
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
+
if (type == GL_BITMAP) {
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
groupsPerRow = w;
}
rowSize = bits_to_bytes(groupsPerRow);
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+
+ return safe_mul(safe_add(h, skipRows), rowSize);
}
else {
switch (format) {
@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- }
- else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize(format, type, 0, w, 1, 1,
0, rowLength, 0, 0, alignment);
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize(format, type, 0, h, 1, 1,
0, rowLength, 0, 0, alignment);
- return image1size + image2size;
-
+ return safe_add(safe_pad(image1size), image2size);
}
commit 20bc891f767a398bff3301369f8a78f9e65b7eda
Author: Julien Cristau <jcristau at debian.org>
Date: Mon Nov 10 12:13:41 2014 -0500
glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit be09e0c988ffdb0371293af49fb4ea8f49ed324a)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index f8328af..96fec30 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2023,7 +2023,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
__GLXdispatchRenderProcPtr proc;
int err;
@@ -2042,6 +2042,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
/*
** Check for core opcodes and grab entry data.
*/
@@ -2055,6 +2058,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadRenderRequest);
}
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
if (entry.varsize) {
/* variable size command */
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2062,17 +2069,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) {
return BadLength;
}
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
return BadLength;
}
commit 233429c1d8c1183bead2d6f3726c92a7fc557ca9
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:40 2014 -0500
glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 2a5cbc17fc72185bf0fa06fef26d1f782de72595)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxserver.h b/glx/glxserver.h
index a324b29..9482601 100644
--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
* Routines for computing the size of variably-sized rendering commands.
*/
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type,
GLenum target, GLsizei w, GLsizei h, GLsizei d,
commit e7dc700de969242983ca0964e38e87a79675f7fa
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:39 2014 -0500
glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
Without this we'd reject the request with BadLength. Note that some old
versions of Mesa had a bug in the same place, and would _send_ zero
bytes of image data; these will now be rejected, correctly.
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 13d36923e0ddb077f4854e354c3d5c80590b5d9d)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/rensize.c b/glx/rensize.c
index bcc3a53..10f76bc 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_ALPHA:
case GL_LUMINANCE:
case GL_INTENSITY:
+ case GL_RED_INTEGER_EXT:
+ case GL_GREEN_INTEGER_EXT:
+ case GL_BLUE_INTEGER_EXT:
+ case GL_ALPHA_INTEGER_EXT:
+ case GL_LUMINANCE_INTEGER_EXT:
elementsPerGroup = 1;
break;
case GL_422_EXT:
@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_DEPTH_STENCIL_MESA:
case GL_YCBCR_MESA:
case GL_LUMINANCE_ALPHA:
+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
elementsPerGroup = 2;
break;
case GL_RGB:
case GL_BGR:
+ case GL_RGB_INTEGER_EXT:
+ case GL_BGR_INTEGER_EXT:
elementsPerGroup = 3;
break;
case GL_RGBA:
case GL_BGRA:
+ case GL_RGBA_INTEGER_EXT:
+ case GL_BGRA_INTEGER_EXT:
case GL_ABGR_EXT:
elementsPerGroup = 4;
break;
commit 25e0fe2b59189be91a84626bc45278c7596ac438
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:38 2014 -0500
glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 717a1b37767b41e14859e5022ae9e679152821a9)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index f9d1243..183af83 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
const unsigned mask = alignment - 1;
if (local_size < required_size) {
- const size_t worst_case_size = required_size + alignment;
+ size_t worst_case_size;
intptr_t temp_buf;
+ if (required_size < SIZE_MAX - alignment)
+ worst_case_size = required_size + alignment;
+ else
+ return NULL;
+
if (cl->returnBufSize < worst_case_size) {
void *temp = realloc(cl->returnBuf, worst_case_size);
diff --git a/glx/unpack.h b/glx/unpack.h
index 52fba74..2b1ebcf 100644
--- a/glx/unpack.h
+++ b/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
commit de17ad13eb38af4bd5c8f085200bdab88496062f
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:37 2014 -0500
glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit ab2ba9338aa5e85b4487bc7fbe69985c76483e01)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/singlepix.c b/glx/singlepix.c
index 506fdaa..8b6c261 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 8469101..8dc304f 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
commit 1d496e046e398cd9d6d77edf8958967c86983bf0
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Nov 10 12:13:36 2014 -0500
glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Michal Srb <msrb at suse.com>
Reviewed-by: Andy Ritger <aritger at nvidia.com>
Signed-off-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 23fe7718bb171e71db2d1a30505c2ca2988799d9)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 2fc3f4c..f8328af 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2060,7 +2060,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
@@ -2177,7 +2177,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
commit 5a4760babdfeb114d1e89df735496f042df352fe
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Feb 9 22:42:47 2014 -0800
Add REQUEST_FIXED_SIZE testcases to test/misc.c
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit f4afd53f2aeaddf509bf9f71d1716dd273fd6e14)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/test/misc.c b/test/misc.c
index dd792e6..66330a1 100644
--- a/test/misc.c
+++ b/test/misc.c
@@ -28,6 +28,8 @@
#include <stdint.h>
#include "misc.h"
#include "scrnintstr.h"
+#include "dix.h"
+#include "dixstruct.h"
ScreenInfo screenInfo;
@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void)
assert_dimensions(-w2, -h2, w2, h2);
}
+static int
+dix_request_fixed_size_overflow(ClientRec *client)
+{
+ xReq req = { 0 };
+
+ client->req_len = req.length = 1;
+ REQUEST_FIXED_SIZE(req, SIZE_MAX);
+ return Success;
+}
+
+static int
+dix_request_fixed_size_match(ClientRec *client)
+{
+ xReq req = { 0 };
+
+ client->req_len = req.length = 9;
+ REQUEST_FIXED_SIZE(req, 30);
+ return Success;
+}
+
+static void
+dix_request_size_checks(void)
+{
+ ClientRec client = { 0 };
+ int rc;
+
+ rc = dix_request_fixed_size_overflow(&client);
+ assert(rc == BadLength);
+
+ rc = dix_request_fixed_size_match(&client);
+ assert(rc == Success);
+}
+
+
int
main(int argc, char **argv)
{
dix_version_compare();
dix_update_desktop_dimensions();
+ dix_request_size_checks();
return 0;
}
commit efacb60e01513e9a96f2630159727835e2a8af0b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Feb 9 21:28:05 2014 -0800
Add request length checking test cases for some Xinput 2.x requests
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 2df83bb122debc3c20cfc3d3b0edc85cd0270f79)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/test/xi2/protocol-xigetclientpointer.c b/test/xi2/protocol-xigetclientpointer.c
index 28eb8d3..570c53e 100644
--- a/test/xi2/protocol-xigetclientpointer.c
+++ b/test/xi2/protocol-xigetclientpointer.c
@@ -124,6 +124,11 @@ test_XIGetClientPointer(void)
request.win = INVALID_WINDOW_ID;
request_XIGetClientPointer(&client_request, &request, BadWindow);
+ printf("Testing invalid length\n");
+ client_request.req_len -= 4;
+ request_XIGetClientPointer(&client_request, &request, BadLength);
+ client_request.req_len += 4;
+
test_data.cp_is_set = FALSE;
printf("Testing window None, unset ClientPointer.\n");
diff --git a/test/xi2/protocol-xipassivegrabdevice.c b/test/xi2/protocol-xipassivegrabdevice.c
index c747ddf..95d8ebf 100644
--- a/test/xi2/protocol-xipassivegrabdevice.c
+++ b/test/xi2/protocol-xipassivegrabdevice.c
@@ -139,6 +139,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
int local_modifiers;
int mask_len;
+ client_request.req_len = req->length;
rc = ProcXIPassiveGrabDevice(&client_request);
assert(rc == error);
@@ -190,6 +191,13 @@ test_XIPassiveGrabDevice(void)
request_XIPassiveGrabDevice(&client_request, request, BadDevice,
request->deviceid);
+ printf("Testing invalid length\n");
+ request->length -= 2;
+ request_XIPassiveGrabDevice(&client_request, request, BadLength,
+ client_request.errorValue);
+ /* re-init request since swapped length test leaves some values swapped */
+ request_init(request, XIPassiveGrabDevice);
+ request->grab_window = CLIENT_WINDOW_ID;
request->deviceid = XIAllMasterDevices;
printf("Testing invalid grab types\n");
diff --git a/test/xi2/protocol-xiquerypointer.c b/test/xi2/protocol-xiquerypointer.c
index fc66b64..c0421f6 100644
--- a/test/xi2/protocol-xiquerypointer.c
+++ b/test/xi2/protocol-xiquerypointer.c
@@ -201,6 +201,10 @@ test_XIQueryPointer(void)
test_data.dev = devices.mouse;
request.deviceid = devices.mouse->id;
request_XIQueryPointer(&client_request, &request, Success);
+
+ /* test REQUEST_SIZE_MATCH */
+ client_request.req_len -= 4;
+ request_XIQueryPointer(&client_request, &request, BadLength);
}
int
diff --git a/test/xi2/protocol-xiwarppointer.c b/test/xi2/protocol-xiwarppointer.c
index f7986c1..3aaaae6 100644
--- a/test/xi2/protocol-xiwarppointer.c
+++ b/test/xi2/protocol-xiwarppointer.c
@@ -198,6 +198,9 @@ test_XIWarpPointer(void)
request_XIWarpPointer(&client_request, &request, Success);
/* FIXME: src_x/y checks */
+
+ client_request.req_len -= 2; /* invalid length */
+ request_XIWarpPointer(&client_request, &request, BadLength);
}
int
commit 3b4aa58d565ea4542586cfc8be3f88d5616f77ed
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Feb 9 21:27:27 2014 -0800
Add request length checking test cases for some Xinput 1.x requests
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit d153a85f7478a7a67ccb02fbca6390b0ab1732ee)
Signed-off-by: Julien Cristau <jcristau at debian.org>
Conflicts:
test/Makefile.am
diff --git a/configure.ac b/configure.ac
index ac8956c..39bea68 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2610,6 +2610,7 @@ hw/kdrive/linux/Makefile
hw/kdrive/src/Makefile
hw/xwayland/Makefile
test/Makefile
+test/xi1/Makefile
test/xi2/Makefile
xserver.ent
xorg-server.pc
diff --git a/test/Makefile.am b/test/Makefile.am
index 32edc7a..5849fbc 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -4,7 +4,7 @@ noinst_PROGRAMS = list string
if XORG
# Tests that require at least some DDX functions in order to fully link
# For now, requires xf86 ddx, could be adjusted to use another
-SUBDIRS += xi2
+SUBDIRS += xi1 xi2
noinst_PROGRAMS += xkb input xtest misc fixes xfree86 hashtabletest os signal-logging touch
endif
check_LTLIBRARIES = libxservertest.la
diff --git a/test/xi1/Makefile.am b/test/xi1/Makefile.am
new file mode 100644
index 0000000..907fa7a
--- /dev/null
+++ b/test/xi1/Makefile.am
@@ -0,0 +1,34 @@
+if ENABLE_UNIT_TESTS
+if HAVE_LD_WRAP
+noinst_PROGRAMS = \
+ protocol-xchangedevicecontrol
+
+TESTS=$(noinst_PROGRAMS)
+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
+
+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
+
+if SPECIAL_DTRACE_OBJECTS
+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
+endif
+
+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
+
+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
+
+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
+
+else
+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
+TESTS = xi1-tests
+CLEANFILES = $(TESTS)
+
+xi1-tests:
+ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
+ @echo 'exit 77' >> $@
+ $(AM_V_GEN)chmod +x $@
+endif
+endif
diff --git a/test/xi1/protocol-xchangedevicecontrol.c b/test/xi1/protocol-xchangedevicecontrol.c
new file mode 100644
index 0000000..8e638b2
--- /dev/null
+++ b/test/xi1/protocol-xchangedevicecontrol.c
@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_DIX_CONFIG_H
+#include <dix-config.h>
+#endif
+
+/*
+ * Protocol testing for ChangeDeviceControl request.
+ */
+#include <stdint.h>
+#include <X11/X.h>
+#include <X11/Xproto.h>
+#include <X11/extensions/XIproto.h>
+#include "inputstr.h"
+#include "chgdctl.h"
+
+#include "protocol-common.h"
+
+static ClientRec client_request;
+
+static void
+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
+{
+ xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
+
+ if (client->swapped) {
+ swapl(&rep->length);
+ swaps(&rep->sequenceNumber);
+ }
+
+ reply_check_defaults(rep, len, ChangeDeviceControl);
+
+ /* XXX: check status code in reply */
+}
+
+static void
+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
+ xDeviceCtl *ctl, int error)
+{
+ int rc;
+
+ client_request.req_len = req->length;
+ rc = ProcXChangeDeviceControl(&client_request);
+ assert(rc == error);
+
+ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
+
+ client_request.swapped = TRUE;
+ swaps(&req->length);
+ swaps(&req->control);
+ swaps(&ctl->length);
+ swaps(&ctl->control);
+ /* XXX: swap other contents of ctl, depending on type */
+ rc = SProcXChangeDeviceControl(&client_request);
+ assert(rc == error);
+}
+
+static unsigned char *data[4096]; /* the request buffer */
+
+static void
+test_ChangeDeviceControl(void)
+{
+ xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
+ xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
+
+ request_init(request, ChangeDeviceControl);
+
+ reply_handler = reply_ChangeDeviceControl;
+
+ client_request = init_client(request->length, request);
+
+ printf("Testing invalid lengths:\n");
+ printf(" -- no control struct\n");
+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+ printf(" -- xDeviceResolutionCtl\n");
+ request_init(request, ChangeDeviceControl);
+ request->control = DEVICE_RESOLUTION;
+ control->length = (sizeof(xDeviceResolutionCtl) >> 2);
+ request->length += control->length - 2;
+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+ printf(" -- xDeviceEnableCtl\n");
+ request_init(request, ChangeDeviceControl);
+ request->control = DEVICE_ENABLE;
+ control->length = (sizeof(xDeviceEnableCtl) >> 2);
+ request->length += control->length - 2;
+ request_ChangeDeviceControl(&client_request, request, control, BadLength);
+
+ /* XXX: Test functionality! */
+}
+
+int
+main(int argc, char **argv)
+{
+ init_simple();
+
+ test_ChangeDeviceControl();
+
+ return 0;
+}
commit 4f30f4dd47df6dfd363a15a12fd30b727c0bbaa8
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 20:02:20 2014 -0800
xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit a0ece23a8bd300c8be10812d368dc8058c97c63e)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/xfixes/select.c b/xfixes/select.c
index c088ed3..e964d58 100644
--- a/xfixes/select.c
+++ b/xfixes/select.c
@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
{
REQUEST(xXFixesSelectSelectionInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
swapl(&stuff->selection);
commit 18c7f1e49b16ce9264e77f9c244495ceb24e3f5a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:51:29 2014 -0800
render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/render/render.c b/render/render.c
index 95e50a2..6083447 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1995,7 +1995,7 @@ static int
SProcRenderQueryVersion(ClientPtr client)
{
REQUEST(xRenderQueryVersionReq);
-
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
swapl(&stuff->minorVersion);
@@ -2006,6 +2006,7 @@ static int
SProcRenderQueryPictFormats(ClientPtr client)
{
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2014,6 +2015,7 @@ static int
SProcRenderQueryPictIndexValues(ClientPtr client)
{
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length);
swapl(&stuff->format);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2029,6 +2031,7 @@ static int
SProcRenderCreatePicture(ClientPtr client)
{
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length);
swapl(&stuff->pid);
swapl(&stuff->drawable);
@@ -2042,6 +2045,7 @@ static int
SProcRenderChangePicture(ClientPtr client)
{
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length);
swapl(&stuff->picture);
swapl(&stuff->mask);
@@ -2053,6 +2057,7 @@ static int
SProcRenderSetPictureClipRectangles(ClientPtr client)
{
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length);
swapl(&stuff->picture);
swaps(&stuff->xOrigin);
@@ -2065,6 +2070,7 @@ static int
SProcRenderFreePicture(ClientPtr client)
{
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length);
swapl(&stuff->picture);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2074,6 +2080,7 @@ static int
SProcRenderComposite(ClientPtr client)
{
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length);
swapl(&stuff->src);
swapl(&stuff->mask);
@@ -2093,6 +2100,7 @@ static int
SProcRenderScale(ClientPtr client)
{
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length);
swapl(&stuff->src);
swapl(&stuff->dst);
@@ -2193,6 +2201,7 @@ static int
SProcRenderCreateGlyphSet(ClientPtr client)
{
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->gsid);
swapl(&stuff->format);
@@ -2203,6 +2212,7 @@ static int
SProcRenderReferenceGlyphSet(ClientPtr client)
{
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->gsid);
swapl(&stuff->existing);
@@ -2213,6 +2223,7 @@ static int
SProcRenderFreeGlyphSet(ClientPtr client)
{
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
swapl(&stuff->nglyphs);
@@ -2261,6 +2273,7 @@ static int
SProcRenderFreeGlyphs(ClientPtr client)
{
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
SwapRestL(stuff);
@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
int size;
REQUEST(xRenderCompositeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
switch (stuff->renderReqType) {
default:
commit 0ad9121071adf1425623170c9d3bc19333d0f1a2
Author: Julien Cristau <jcristau at debian.org>
Date: Tue Oct 28 10:30:04 2014 +0100
render: check request size before reading it [CVE-2014-8100 1/2]
Otherwise we may be reading outside of the client request.
Signed-off-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit b5f9ef03df6a650571b29d3d1c1d2b67c6e84336)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/render/render.c b/render/render.c
index 9ac4a98..95e50a2 100644
--- a/render/render.c
+++ b/render/render.c
@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-
if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
rep.majorVersion = stuff->majorVersion;
commit df64ac720642c86efcc47b64621e8a0f1e705f16
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:38:09 2014 -0800
randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 3df2fcf12499ebdb26b9b67419ea485a42041f33)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
index 08c3b6a..47558cf 100644
--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
{
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
{
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length);
swapl(&stuff->window);
return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
{
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
{
REQUEST(xRRConfigureOutputPropertyReq);
+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
swaps(&stuff->length);
swapl(&stuff->output);
swapl(&stuff->property);
commit ea45001614b771933590a77fdd281b910c637c1b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:33:34 2014 -0800
present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Julien Cristau <jcristau at debian.org>
(cherry picked from commit d155b7a8e38e74aee96bf52c20c8b6a330d7d462)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present_request.c b/present/present_request.c
index 835890d..7c53e72 100644
--- a/present/present_request.c
+++ b/present/present_request.c
@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
RRCrtcPtr crtc = NULL;
int r;
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
switch (r) {
case Success:
@@ -254,6 +255,7 @@ static int
sproc_present_query_version(ClientPtr client)
{
REQUEST(xPresentQueryVersionReq);
+ REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -265,6 +267,7 @@ static int
sproc_present_pixmap(ClientPtr client)
{
REQUEST(xPresentPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -284,6 +287,7 @@ static int
sproc_present_notify_msc(ClientPtr client)
{
REQUEST(xPresentNotifyMSCReq);
+ REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -297,6 +301,7 @@ static int
sproc_present_select_input (ClientPtr client)
{
REQUEST(xPresentSelectInputReq);
+ REQUEST_SIZE_MATCH(xPresentSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -308,6 +313,7 @@ static int
sproc_present_query_capabilities (ClientPtr client)
{
REQUEST(xPresentQueryCapabilitiesReq);
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
swaps(&stuff->length);
swapl(&stuff->target);
return (*proc_present_vector[stuff->presentReqType]) (client);
commit e3a1255a727518332c4a8d2af30c357aee0d50f0
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:28:05 2014 -0800
dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 0a6085aaf3581cca558d960ea176ddf3a41a2213)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
index fe45620..2d75588 100644
--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@@ -321,6 +321,7 @@ static int
sproc_dri3_query_version(ClientPtr client)
{
REQUEST(xDRI3QueryVersionReq);
+ REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -332,6 +333,7 @@ static int
sproc_dri3_open(ClientPtr client)
{
REQUEST(xDRI3OpenReq);
+ REQUEST_SIZE_MATCH(xDRI3OpenReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -343,6 +345,7 @@ static int
sproc_dri3_pixmap_from_buffer(ClientPtr client)
{
REQUEST(xDRI3PixmapFromBufferReq);
+ REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -358,6 +361,7 @@ static int
sproc_dri3_buffer_from_pixmap(ClientPtr client)
{
REQUEST(xDRI3BufferFromPixmapReq);
+ REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -368,6 +372,7 @@ static int
sproc_dri3_fence_from_fd(ClientPtr client)
{
REQUEST(xDRI3FenceFromFDReq);
+ REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -379,6 +384,7 @@ static int
sproc_dri3_fd_from_fence(ClientPtr client)
{
REQUEST(xDRI3FDFromFenceReq);
+ REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
commit c092c31c83706cc449787d2378b7d4970e9eba8f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:23:17 2014 -0800
Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index f2d49a2..c466af5 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1207,6 +1207,7 @@ static int
SProcXvQueryExtension(ClientPtr client)
{
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length);
return XvProcVector[xv_QueryExtension] (client);
}
@@ -1215,6 +1216,7 @@ static int
SProcXvQueryAdaptors(ClientPtr client)
{
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length);
swapl(&stuff->window);
return XvProcVector[xv_QueryAdaptors] (client);
@@ -1224,6 +1226,7 @@ static int
SProcXvQueryEncodings(ClientPtr client)
{
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_QueryEncodings] (client);
@@ -1233,6 +1236,7 @@ static int
SProcXvGrabPort(ClientPtr client)
{
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->time);
@@ -1243,6 +1247,7 @@ static int
SProcXvUngrabPort(ClientPtr client)
{
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->time);
@@ -1253,6 +1258,7 @@ static int
SProcXvPutVideo(ClientPtr client)
{
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1272,6 +1278,7 @@ static int
SProcXvPutStill(ClientPtr client)
{
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1291,6 +1298,7 @@ static int
SProcXvGetVideo(ClientPtr client)
{
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1310,6 +1318,7 @@ static int
SProcXvGetStill(ClientPtr client)
{
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1329,6 +1338,7 @@ static int
SProcXvPutImage(ClientPtr client)
{
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1352,6 +1362,7 @@ static int
SProcXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1379,6 +1390,7 @@ static int
SProcXvSelectVideoNotify(ClientPtr client)
{
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
return XvProcVector[xv_SelectVideoNotify] (client);
@@ -1388,6 +1400,7 @@ static int
SProcXvSelectPortNotify(ClientPtr client)
{
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_SelectPortNotify] (client);
@@ -1397,6 +1410,7 @@ static int
SProcXvStopVideo(ClientPtr client)
{
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1407,6 +1421,7 @@ static int
SProcXvSetPortAttribute(ClientPtr client)
{
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->attribute);
@@ -1418,6 +1433,7 @@ static int
SProcXvGetPortAttribute(ClientPtr client)
{
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->attribute);
@@ -1428,6 +1444,7 @@ static int
SProcXvQueryBestSize(ClientPtr client)
{
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swaps(&stuff->vid_w);
@@ -1441,6 +1458,7 @@ static int
SProcXvQueryPortAttributes(ClientPtr client)
{
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_QueryPortAttributes] (client);
@@ -1450,6 +1468,7 @@ static int
SProcXvQueryImageAttributes(ClientPtr client)
{
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->id);
@@ -1462,6 +1481,7 @@ static int
SProcXvListImageFormats(ClientPtr client)
{
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_ListImageFormats] (client);
commit 3d8e2731b5dae431fe68e79ff21d067aed65a077
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 17:18:54 2014 -0800
xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 7553082b9b883b5f130044f3d53bce2f0b660e52)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
index 034bfb6..1e91010 100644
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@@ -167,6 +167,7 @@ static int
SProcXCMiscGetXIDList(ClientPtr client)
{
REQUEST(xXCMiscGetXIDListReq);
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
swaps(&stuff->length);
swapl(&stuff->count);
commit 4d3d93c68b0af02f4bc4e75b0395bbbfb8a2f15c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 10:54:41 2014 -0800
Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 73c63afb93c0af1bfd1969bf6e71c9edca586c77)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
index d078aa2..b3ee867 100644
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control);
ctl = (xDeviceCtl *) &stuff[1];
swaps(&ctl->control);
@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
xDeviceEnableCtl *e;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
break;
case DEVICE_ENABLE:
e = (xDeviceEnableCtl *) &stuff[1];
+ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
+ ret = BadLength;
+ goto out;
+ }
if (IsXTestDevice(dev, NULL))
status = !Success;
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 6dcf60c..224c2ba 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
swaps(&f->num_keysyms);
}
if (len !=
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 3c21386..183f88d 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
if (ret != Success)
return ret;
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
index ebef233..ca263ef 100644
--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@@ -48,6 +48,7 @@ int
SProcXIAllowEvents(ClientPtr client)
{
REQUEST(xXIAllowEventsReq);
+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
if (stuff->length > 3) {
xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
+ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
swapl(&req_xi22->touchid);
swapl(&req_xi22->grab_window);
}
diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
index 7a1bb7a..8e6255b 100644
--- a/Xi/xichangecursor.c
+++ b/Xi/xichangecursor.c
@@ -57,11 +57,11 @@ int
SProcXIChangeCursor(ClientPtr client)
{
REQUEST(xXIChangeCursorReq);
+ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
swaps(&stuff->length);
swapl(&stuff->win);
swapl(&stuff->cursor);
swaps(&stuff->deviceid);
- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
return (ProcXIChangeCursor(client));
}
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 9e36354..2732445 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -411,7 +411,7 @@ int
ProcXIChangeHierarchy(ClientPtr client)
{
xXIAnyHierarchyChangeInfo *any;
- int required_len = sizeof(xXIChangeHierarchyReq);
+ size_t len; /* length of data remaining in request */
int rc = Success;
int flags[MAXDEVICES] = { 0 };
@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
+ if (stuff->length > (INT_MAX >> 2))
+ return BadAlloc;
+ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
+ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
+
SWAPIF(swaps(&any->type));
SWAPIF(swaps(&any->length));
- required_len += any->length;
- if ((stuff->length * 4) < required_len)
+ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
return BadLength;
+#define CHANGE_SIZE_MATCH(type) \
+ do { \
+ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
+ rc = BadLength; \
+ goto unwind; \
+ } \
+ } while(0)
+
switch (any->type) {
case XIAddMaster:
{
xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
+ /* Variable length, due to appended name string */
+ if (len < sizeof(xXIAddMasterInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
SWAPIF(swaps(&c->name_len));
+ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
+ rc = BadLength;
+ goto unwind;
+ }
rc = add_master(client, c, flags);
if (rc != Success)
@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
break;
}
+ len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
}
diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
index 3c90d58..306dd39 100644
--- a/Xi/xigetclientpointer.c
+++ b/Xi/xigetclientpointer.c
@@ -50,6 +50,7 @@ int
SProcXIGetClientPointer(ClientPtr client)
{
REQUEST(xXIGetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
swaps(&stuff->length);
swapl(&stuff->win);
diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
index 63d95bc..e2a2ae3 100644
--- a/Xi/xigrabdev.c
+++ b/Xi/xigrabdev.c
@@ -47,6 +47,11 @@ int
SProcXIGrabDevice(ClientPtr client)
{
REQUEST(xXIGrabDeviceReq);
+ /*
+ * Check here for at least the length of the struct we swap, then
+ * let ProcXIGrabDevice check the full size after we swap mask_len.
+ */
+ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
unsigned int pointer_mode;
REQUEST(xXIGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
if (ret != Success)
@@ -131,6 +136,7 @@ int
SProcXIUngrabDevice(ClientPtr client)
{
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
TimeStamp time;
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
if (ret != Success)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 700622d..9241ffd 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
uint32_t *mods;
REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
swaps(&stuff->mask_len);
swaps(&stuff->num_modifiers);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
mods = (uint32_t *) &stuff[1] + stuff->mask_len;
for (i = 0; i < stuff->num_modifiers; i++, mods++) {
@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
int mask_len;
REQUEST(xXIPassiveGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
uint32_t *modifiers;
REQUEST(xXIPassiveUngrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
swaps(&stuff->length);
swapl(&stuff->grab_window);
@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
swapl(&stuff->detail);
swaps(&stuff->num_modifiers);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
modifiers = (uint32_t *) &stuff[1];
for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
int i, rc;
REQUEST(xXIPassiveUngrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 463607d..8e8e4b0 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -1013,10 +1013,9 @@ int
SProcXListDeviceProperties(ClientPtr client)
{
REQUEST(xListDevicePropertiesReq);
+ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
swaps(&stuff->length);
-
- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
return (ProcXListDeviceProperties(client));
}
@@ -1037,10 +1036,10 @@ int
SProcXDeleteDeviceProperty(ClientPtr client)
{
REQUEST(xDeleteDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
swaps(&stuff->length);
swapl(&stuff->property);
- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
return (ProcXDeleteDeviceProperty(client));
}
@@ -1048,13 +1047,13 @@ int
SProcXGetDeviceProperty(ClientPtr client)
{
REQUEST(xGetDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
swaps(&stuff->length);
swapl(&stuff->property);
swapl(&stuff->type);
swapl(&stuff->longOffset);
swapl(&stuff->longLength);
- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
return (ProcXGetDeviceProperty(client));
}
@@ -1253,11 +1252,10 @@ int
SProcXIListProperties(ClientPtr client)
{
REQUEST(xXIListPropertiesReq);
+ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
-
- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
return (ProcXIListProperties(client));
}
@@ -1279,11 +1277,11 @@ int
SProcXIDeleteProperty(ClientPtr client)
{
REQUEST(xXIDeletePropertyReq);
+ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->property);
- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
return (ProcXIDeleteProperty(client));
}
@@ -1291,6 +1289,7 @@ int
SProcXIGetProperty(ClientPtr client)
{
REQUEST(xXIGetPropertyReq);
+ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
swapl(&stuff->type);
swapl(&stuff->offset);
swapl(&stuff->len);
- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
return (ProcXIGetProperty(client));
}
diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
index 4e544f0..67a9a4f 100644
--- a/Xi/xiquerydevice.c
+++ b/Xi/xiquerydevice.c
@@ -54,6 +54,7 @@ int
SProcXIQueryDevice(ClientPtr client)
{
REQUEST(xXIQueryDeviceReq);
+ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
index e9bdd42..7ec0c85 100644
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@@ -63,6 +63,8 @@ int
SProcXIQueryPointer(ClientPtr client)
{
REQUEST(xXIQueryPointerReq);
+ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->win);
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
index 45a996e..168579f 100644
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@@ -114,6 +114,7 @@ int
SProcXISelectEvents(ClientPtr client)
{
int i;
+ int len;
xXIEventMask *evmask;
REQUEST(xXISelectEventsReq);
@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
swapl(&stuff->win);
swaps(&stuff->num_masks);
+ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
evmask = (xXIEventMask *) &stuff[1];
for (i = 0; i < stuff->num_masks; i++) {
+ if (len < bytes_to_int32(sizeof(xXIEventMask)))
+ return BadLength;
+ len -= bytes_to_int32(sizeof(xXIEventMask));
swaps(&evmask->deviceid);
swaps(&evmask->mask_len);
+ if (len < evmask->mask_len)
+ return BadLength;
+ len -= evmask->mask_len;
evmask =
(xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
}
diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
index 38ff51e..24d4a53 100644
--- a/Xi/xisetclientpointer.c
+++ b/Xi/xisetclientpointer.c
@@ -51,10 +51,11 @@ int
SProcXISetClientPointer(ClientPtr client)
{
REQUEST(xXISetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+
swaps(&stuff->length);
swapl(&stuff->win);
swaps(&stuff->deviceid);
- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
return (ProcXISetClientPointer(client));
}
diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
index 372ec24..96a9a16 100644
--- a/Xi/xisetdevfocus.c
+++ b/Xi/xisetdevfocus.c
@@ -44,6 +44,8 @@ int
SProcXISetFocus(ClientPtr client)
{
REQUEST(xXISetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->focus);
@@ -56,6 +58,8 @@ int
SProcXIGetFocus(ClientPtr client)
{
REQUEST(xXIGetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
index 3f051f7..780758a 100644
--- a/Xi/xiwarppointer.c
+++ b/Xi/xiwarppointer.c
@@ -56,6 +56,8 @@ int
SProcXIWarpPointer(ClientPtr client)
{
REQUEST(xXIWarpPointerReq);
+ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
+
swaps(&stuff->length);
swapl(&stuff->src_win);
swapl(&stuff->dst_win);
diff --git a/include/dix.h b/include/dix.h
index 9bbbba9..4189286 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -74,6 +74,10 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
((n >> 2) >= client->req_len) || \
commit d88c66541e4653bcccd083894657b45443d09970
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 23:12:04 2014 -0800
dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 2ef42519c41e793579c9cea699c866fee3d9321f)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 8896720..719e640 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
if (nStuff == 0) {
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return Success;
}
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
@@ -914,13 +916,16 @@ static int
SProcDbeSwapBuffers(ClientPtr client)
{
REQUEST(xDbeSwapBuffersReq);
- register int i;
+ unsigned int i;
xDbeSwapInfo *pSwapInfo;
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
pSwapInfo = (xDbeSwapInfo *) stuff + 1;
commit db386cd6a1ccf62d3be9fc88994d48ef9f8375cf
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 23:40:18 2014 -0800
dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
ProcDRI2GetBuffers() tries to validate a length field (count).
There is an integer overflow in the validation. This can cause
out of bound reads and memory corruption later on.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Julien Cristau <jcristau at debian.org>
(cherry picked from commit 6692670fde081bbfe9313f17d84037ae9116702a)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index ffd66fa..221ec53 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
unsigned int *attachments;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+ if (stuff->count > (INT_MAX / 4))
+ return BadLength;
+
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
return status;
commit 2883994f9f2d5cae63816db6945dfea618e4a2ee
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 23:44:46 2014 -0800
dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit e0e11644622a589129a01e11e5d105dc74a098de)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/include/dix.h b/include/dix.h
index f42e236..9bbbba9 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -76,7 +76,8 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
commit c2515e9dfd5642e90f2b2526db02afc4ad217a53
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 22:37:15 2014 -0800
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Julien Cristau <jcristau at debian.org>
(cherry picked from commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dix/region.c b/dix/region.c
index 15f3d01..e5eed01 100644
--- a/dix/region.c
+++ b/dix/region.c
@@ -169,7 +169,6 @@ Equipment Corporation.
((r1)->y1 <= (r2)->y1) && \
((r1)->y2 >= (r2)->y2) )
-#define xallocData(n) malloc(RegionSizeof(n))
#define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
#define RECTALLOC_BAIL(pReg,n,bail) \
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
#define DOWNSIZE(reg,numRects) \
if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
{ \
- RegDataPtr NewData; \
- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
+ size_t NewSize = RegionSizeof(numRects); \
+ RegDataPtr NewData = \
+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
if (NewData) \
{ \
NewData->size = (numRects); \
@@ -345,17 +345,20 @@ Bool
RegionRectAlloc(RegionPtr pRgn, int n)
{
RegDataPtr data;
+ size_t rgnSize;
if (!pRgn->data) {
n++;
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak(pRgn);
pRgn->data->numRects = 1;
*RegionBoxptr(pRgn) = pRgn->extents;
}
else if (!pRgn->data->size) {
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak(pRgn);
pRgn->data->numRects = 0;
@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
n = 250;
}
n += pRgn->data->numRects;
- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+ rgnSize = RegionSizeof(n);
+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
if (!data)
return RegionBreak(pRgn);
pRgn->data = data;
@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
{
RegionPtr pRgn;
+ size_t rgnSize;
RegDataPtr pData;
BoxPtr pBox;
int i;
@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
}
return pRgn;
}
- pData = xallocData(nrects);
+ rgnSize = RegionSizeof(nrects);
+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pData) {
RegionBreak(pRgn);
return pRgn;
diff --git a/include/regionstr.h b/include/regionstr.h
index 4a0725d..33df87f 100644
--- a/include/regionstr.h
+++ b/include/regionstr.h
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
static inline size_t
RegionSizeof(int n)
{
- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ else
+ return 0;
}
static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
(_pReg)->data = (RegDataPtr) NULL;
}
else {
+ size_t rgnSize;
(_pReg)->extents = RegionEmptyBox;
- if (((_size) > 1) && ((_pReg)->data =
- (RegDataPtr) malloc(RegionSizeof(_size)))) {
+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
(_pReg)->data->size = (_size);
(_pReg)->data->numRects = 0;
}
commit cbfdb284c943c202c1fd47e560bd980a74dd662b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Mon Jan 6 23:30:14 2014 -0800
dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit bc8e20430b6f6378daf6ce4329029248a88af08b)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/os/access.c b/os/access.c
index e8c0781..e5a0672 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1323,6 +1323,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
for (host = validhosts; host; host = host->next) {
nHosts++;
n += pad_to_int32(host->len) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
+ if (n >= 1048576)
+ break;
}
if (n) {
*data = ptr = malloc(n);
@@ -1331,6 +1335,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
ptr += sizeof(xHostEntry);
commit b022d4ef9d89c806024bd0cd367da1b249cc2b2d
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 21:11:16 2014 -0800
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit eeae42d60bf3d5663ea088581f6c28a82cd17829)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 4f830f7..01820bc 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -1956,6 +1956,9 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if ((bytes_to_int32(lengthProto * stuff->height) +
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
return BadLength;
commit f1365eb0ec50bee7d99d4659319c4d93eb21642a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Jan 17 18:54:03 2014 -0800
unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 90cc925c5991fcb203f72d00b04419cd754a9b2c)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/os/rpcauth.c b/os/rpcauth.c
index d60ea35..413cc61 100644
--- a/os/rpcauth.c
+++ b/os/rpcauth.c
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
SVCXPRT xprt;
temp_inmsg = malloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *) &msg, 0, sizeof(msg));
commit 07b01bb5bd3587cd14d9dd2c8f4b145cf1757fe5
Author: Keith Packard <keithp at keithp.com>
Date: Thu Oct 9 15:17:17 2014 +0200
glx: check return from __glXGetAnswerBuffer
This function can return NULL; make sure every caller tests for that.
Reviewed-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 61a292adf45405641de1c522a04c148e0a152acd)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/glx/indirect_dispatch.c b/glx/indirect_dispatch.c
index 329b2e6..f6cabef 100644
--- a/glx/indirect_dispatch.c
+++ b/glx/indirect_dispatch.c
@@ -2464,6 +2464,9 @@ __glXDisp_AreTexturesResident(__GLXclientState * cl, GLbyte * pc)
GLboolean answerBuffer[200];
GLboolean *residences =
__glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval =
glAreTexturesResident(n, (const GLuint *) (pc + 4), residences);
__glXSendReply(cl->client, residences, n, 1, GL_TRUE, retval);
@@ -2488,6 +2491,9 @@ __glXDisp_AreTexturesResidentEXT(__GLXclientState * cl, GLbyte * pc)
GLboolean answerBuffer[200];
GLboolean *residences =
__glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval =
glAreTexturesResident(n, (const GLuint *) (pc + 4), residences);
__glXSendReply(cl->client, residences, n, 1, GL_TRUE, retval);
@@ -2593,6 +2599,9 @@ __glXDisp_GenTextures(__GLXclientState * cl, GLbyte * pc)
GLuint *textures =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (textures == NULL)
+ return BadAlloc;
glGenTextures(n, textures);
__glXSendReply(cl->client, textures, n, 4, GL_TRUE, 0);
error = Success;
@@ -2616,6 +2625,9 @@ __glXDisp_GenTexturesEXT(__GLXclientState * cl, GLbyte * pc)
GLuint *textures =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (textures == NULL)
+ return BadAlloc;
glGenTextures(n, textures);
__glXSendReply(cl->client, textures, n, 4, GL_TRUE, 0);
error = Success;
@@ -3883,6 +3895,9 @@ __glXDisp_GenQueries(__GLXclientState * cl, GLbyte * pc)
GLuint *ids =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (ids == NULL)
+ return BadAlloc;
GenQueries(n, ids);
__glXSendReply(cl->client, ids, n, 4, GL_TRUE, 0);
error = Success;
@@ -4253,6 +4268,9 @@ __glXDisp_GenProgramsARB(__GLXclientState * cl, GLbyte * pc)
GLuint *programs =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (programs == NULL)
+ return BadAlloc;
GenProgramsARB(n, programs);
__glXSendReply(cl->client, programs, n, 4, GL_TRUE, 0);
error = Success;
@@ -4630,6 +4648,10 @@ __glXDisp_GenFramebuffers(__GLXclientState * cl, GLbyte * pc)
GLuint *framebuffers =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (framebuffers == NULL)
+ return BadAlloc;
+
GenFramebuffers(n, framebuffers);
__glXSendReply(cl->client, framebuffers, n, 4, GL_TRUE, 0);
error = Success;
@@ -4655,6 +4677,9 @@ __glXDisp_GenRenderbuffers(__GLXclientState * cl, GLbyte * pc)
GLuint *renderbuffers =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (renderbuffers == NULL)
+ return BadAlloc;
GenRenderbuffers(n, renderbuffers);
__glXSendReply(cl->client, renderbuffers, n, 4, GL_TRUE, 0);
error = Success;
diff --git a/glx/indirect_dispatch_swap.c b/glx/indirect_dispatch_swap.c
index 647d0c9..c0bb64d 100644
--- a/glx/indirect_dispatch_swap.c
+++ b/glx/indirect_dispatch_swap.c
@@ -2731,6 +2731,9 @@ __glXDispSwap_AreTexturesResident(__GLXclientState * cl, GLbyte * pc)
GLboolean answerBuffer[200];
GLboolean *residences =
__glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval =
glAreTexturesResident(n,
(const GLuint *)
@@ -2759,6 +2762,9 @@ __glXDispSwap_AreTexturesResidentEXT(__GLXclientState * cl, GLbyte * pc)
GLboolean answerBuffer[200];
GLboolean *residences =
__glXGetAnswerBuffer(cl, n, answerBuffer, sizeof(answerBuffer), 1);
+
+ if (residences == NULL)
+ return BadAlloc;
retval =
glAreTexturesResident(n,
(const GLuint *)
@@ -2878,6 +2884,9 @@ __glXDispSwap_GenTextures(__GLXclientState * cl, GLbyte * pc)
GLuint *textures =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (textures == NULL)
+ return BadAlloc;
glGenTextures(n, textures);
(void) bswap_32_array((uint32_t *) textures, n);
__glXSendReplySwap(cl->client, textures, n, 4, GL_TRUE, 0);
@@ -2903,6 +2912,9 @@ __glXDispSwap_GenTexturesEXT(__GLXclientState * cl, GLbyte * pc)
GLuint *textures =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (textures == NULL)
+ return BadAlloc;
glGenTextures(n, textures);
(void) bswap_32_array((uint32_t *) textures, n);
__glXSendReplySwap(cl->client, textures, n, 4, GL_TRUE, 0);
@@ -4290,6 +4302,9 @@ __glXDispSwap_GenQueries(__GLXclientState * cl, GLbyte * pc)
GLuint *ids =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+ if (ids == NULL)
+ return BadAlloc;
+
GenQueries(n, ids);
(void) bswap_32_array((uint32_t *) ids, n);
__glXSendReplySwap(cl->client, ids, n, 4, GL_TRUE, 0);
@@ -4697,6 +4712,9 @@ __glXDispSwap_GenProgramsARB(__GLXclientState * cl, GLbyte * pc)
GLuint *programs =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+ if (programs == NULL)
+ return BadAlloc;
+
GenProgramsARB(n, programs);
(void) bswap_32_array((uint32_t *) programs, n);
__glXSendReplySwap(cl->client, programs, n, 4, GL_TRUE, 0);
@@ -5122,6 +5140,10 @@ __glXDispSwap_GenFramebuffers(__GLXclientState * cl, GLbyte * pc)
GLuint *framebuffers =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (framebuffers == NULL)
+ return BadAlloc;
+
GenFramebuffers(n, framebuffers);
(void) bswap_32_array((uint32_t *) framebuffers, n);
__glXSendReplySwap(cl->client, framebuffers, n, 4, GL_TRUE, 0);
@@ -5149,6 +5171,10 @@ __glXDispSwap_GenRenderbuffers(__GLXclientState * cl, GLbyte * pc)
GLuint *renderbuffers =
__glXGetAnswerBuffer(cl, n * 4, answerBuffer, sizeof(answerBuffer),
4);
+
+ if (renderbuffers == NULL)
+ return BadAlloc;
+
GenRenderbuffers(n, renderbuffers);
(void) bswap_32_array((uint32_t *) renderbuffers, n);
__glXSendReplySwap(cl->client, renderbuffers, n, 4, GL_TRUE, 0);
commit d1bd02fb6746a4393e2538bf605b610e1764a413
Author: Mario Kleiner <mario.kleiner.de at gmail.com>
Date: Sat Dec 6 05:40:08 2014 +0100
present: Fix use of vsynced pageflips and honor PresentOptionAsync. (v4)
Pageflips for Pixmap presents were not synchronized to vblank on
drivers with support for PresentCapabilityAsync, due to some
missing init for vblank->sync_flips. The PresentOptionAsync
flag was completely ignored for pageflipped presents.
Vsynced flips only worked by accident on the intel-ddx, as that
driver doesn't have PresentCapabilityAsync support.
On nouveau-ddx, which supports PresentCapabilityAsync, this
always caused non-vsynced pageflips with pretty ugly tearing.
This patch fixes the problem, as tested on top of XOrg 1.16.2
on nouveau and intel.
v4: Add additional PresentCapabilityAsync caps check, as
suggested by Eric Anholt.
Please also apply to XOrg 1.17 and XOrg 1.16.2 stable.
Applying on top of XOrg 1.16.2 requires cherry-picking
commit 2051514652481a83bd7cf22e57cb0fcd40333f33
which trivially fixes lack of support for protocol option
PresentOptionCopy - get two bug fixes for the price of one!
Signed-off-by: Mario Kleiner <mario.kleiner.de at gmail.com>
Reviewed-by: Eric Anholt <eric at anholt.net>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit aae6460694ac3667abb8c34fdf3a7dae524827a4)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present.c b/present/present.c
index 5321c7a..8e4829e 100644
--- a/present/present.c
+++ b/present/present.c
@@ -829,10 +829,13 @@ present_pixmap(WindowPtr window,
vblank->notifies = notifies;
vblank->num_notifies = num_notifies;
- if (!screen_priv->info || !(screen_priv->info->capabilities & PresentCapabilityAsync))
+ if (!(options & PresentOptionAsync))
vblank->sync_flip = TRUE;
if (!(options & PresentOptionCopy) &&
+ !((options & PresentOptionAsync) &&
+ (!screen_priv->info ||
+ !(screen_priv->info->capabilities & PresentCapabilityAsync))) &&
pixmap != NULL &&
present_check_flip (target_crtc, window, pixmap, vblank->sync_flip, valid, x_off, y_off))
{
commit 77ef968c86b4ed1accd6f04ef7bc3d9700c22ed2
Author: Mario Kleiner <mario.kleiner.de at gmail.com>
Date: Sat Dec 6 05:40:07 2014 +0100
present: Avoid crashes in DebugPresent(), a bit more info.
DebugPresent() crashed the server when a dri3 drawable
was closed while a pageflipped present was still pending,
due to vblank->window-> Null-Ptr deref, so debug builds
caused new problems to debug.
E.g.,
glXSwapBuffers(...);
glXDestroyWindow(...);
-> Pageflip for non-existent window completes -> boom.
Also often happens when switching desktop compositor on/off
due to Present unflips, or when logging out of session.
Also add info if a Present is queued for copyswap or pageflip,
if the present is vsynced, and the serial no of the Present
request, to aid debugging of pageflip and vsync issues. The
serial number is useful as Mesa's dri3/present backend encodes
its sendSBC in the serial number, so one can easily correlate
server debug output with Mesa and with the SBC values returned
to actual OpenGL client applications via OML_sync_control and
INTEL_swap_events extension, makes debugging quite a bit more
easy.
Please also cherry-pick this for a 1.16.x stable update.
Signed-off-by: Mario Kleiner <mario.kleiner.de at gmail.com>
Reviewed-by: Eric Anholt <eric at anholt.net>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 32d3100bd78efe41d468f7d66861296aee468b6f)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present.c b/present/present.c
index 93fc976..5321c7a 100644
--- a/present/present.c
+++ b/present/present.c
@@ -435,7 +435,7 @@ present_flip_notify(present_vblank_ptr vblank, uint64_t ust, uint64_t crtc_msc)
DebugPresent(("\tn %lld %p %8lld: %08lx -> %08lx\n",
vblank->event_id, vblank, vblank->target_msc,
vblank->pixmap ? vblank->pixmap->drawable.id : 0,
- vblank->window->drawable.id));
+ vblank->window ? vblank->window->drawable.id : 0));
assert (vblank == screen_priv->flip_pending);
@@ -854,10 +854,10 @@ present_pixmap(WindowPtr window,
}
if (pixmap)
- DebugPresent(("q %lld %p %8lld: %08lx -> %08lx (crtc %p)\n",
+ DebugPresent(("q %lld %p %8lld: %08lx -> %08lx (crtc %p) flip %d vsync %d serial %d\n",
vblank->event_id, vblank, target_msc,
vblank->pixmap->drawable.id, vblank->window->drawable.id,
- target_crtc));
+ target_crtc, vblank->flip, vblank->sync_flip, vblank->serial));
xorg_list_add(&vblank->event_queue, &present_exec_queue);
vblank->queued = TRUE;
@@ -949,7 +949,7 @@ present_vblank_destroy(present_vblank_ptr vblank)
DebugPresent(("\td %lld %p %8lld: %08lx -> %08lx\n",
vblank->event_id, vblank, vblank->target_msc,
vblank->pixmap ? vblank->pixmap->drawable.id : 0,
- vblank->window->drawable.id));
+ vblank->window ? vblank->window->drawable.id : 0));
/* Drop pixmap reference */
if (vblank->pixmap)
commit f1fc86d61ed97f21579d2125c26de858c1d3ee43
Author: Keith Packard <keithp at keithp.com>
Date: Wed Sep 10 14:02:13 2014 -0700
present: Support PresentOptionCopy
We added this option to the present protocol before 1.0 but somehow
never implemented it in the server. It's pretty simple; just don't
ever do flips if the application specifies Copy.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit 2051514652481a83bd7cf22e57cb0fcd40333f33)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present.c b/present/present.c
index cf283f4..93fc976 100644
--- a/present/present.c
+++ b/present/present.c
@@ -832,7 +832,10 @@ present_pixmap(WindowPtr window,
if (!screen_priv->info || !(screen_priv->info->capabilities & PresentCapabilityAsync))
vblank->sync_flip = TRUE;
- if (pixmap && present_check_flip (target_crtc, window, pixmap, vblank->sync_flip, valid, x_off, y_off)) {
+ if (!(options & PresentOptionCopy) &&
+ pixmap != NULL &&
+ present_check_flip (target_crtc, window, pixmap, vblank->sync_flip, valid, x_off, y_off))
+ {
vblank->flip = TRUE;
if (vblank->sync_flip)
target_msc--;
commit 386329ec7238edfd1b680c4a7acd39947a161ab5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Mon Dec 1 14:26:11 2014 -0800
Add -iglx & +iglx to Xserver.man
Covers the current state after commits 99f0365b1fbdfd9238b9f,
d0da0e9c3bb8fe0cd4879, & e3aa13b8d63ea2fba6eb4 were all applied.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: James Jones <jajones at nvidia.com>
Reviewed-by: Robert Morell <rmorell at nvidia.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit b09d59342804db7dbb8056dca43dd39f54e290aa)
[alanc: Modified for server-1.16-branch to show +iglx as default instead of
-iglx, to match code in os/utils.c in server-1.16-branch.]
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/man/Xserver.man b/man/Xserver.man
index 7a74e85..a4097ad 100644
--- a/man/Xserver.man
+++ b/man/Xserver.man
@@ -181,6 +181,16 @@ prints a usage message.
.B \-I
causes all remaining command line arguments to be ignored.
.TP 8
+.B \-iglx
+Prohibit creating indirect GLX contexts. Indirect GLX is of limited use,
+since it lacks support for many modern OpenGL features and extensions;
+it's slower than direct contexts; and it opens a large attack surface for
+protocol parsing errors.
+.TP 8
+.B +iglx
+Allow creating indirect GLX contexts.
+This is the default unless \-iglx is specified.
+.TP 8
.B \-maxbigreqsize \fIsize\fP
sets the maximum big request to
.I size
commit a471a15c779377073fd5d6bb8cff40dff917eca9
Author: Alex Orange <crazycasta at gmail.com>
Date: Fri Oct 3 15:41:38 2014 -0600
fb: Fix Bresenham algorithms for commonly used small segments.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=54168
Fix errors introducted in 863d528a9f76d0e8f122aebf19f8564a4c67a938. Said
patch does indeed remove the problematic writes to bad memory, however
it also introduces errors in the algoritm. This patch has the effect of
reverting said patch and adding an if in the proper location to catch
the out of bounds memory write without causing problems to the overall
algorithm.
Signed-off-by: Alex Orange <crazycasta at gmail.com>
Reviewed-by: Peter Harris <pharris at opentext.com>
Tested-by: Peter Harris <pharris at opentext.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 1b94fd77792310c80b0a2bcf4bf6d4e4c4c23bca)
diff --git a/fb/fbseg.c b/fb/fbseg.c
index 1848387..16e0426 100644
--- a/fb/fbseg.c
+++ b/fb/fbseg.c
@@ -65,12 +65,6 @@ fbBresSolid(DrawablePtr pDrawable,
if (axis == X_AXIS) {
bits = 0;
while (len--) {
- if (e >= 0) {
- WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
- bits = 0;
- dst += dstStride;
- e += e3;
- }
bits |= mask;
mask = fbBresShiftMask(mask, signdx, dstBpp);
if (!mask) {
@@ -80,12 +74,23 @@ fbBresSolid(DrawablePtr pDrawable,
mask = mask0;
}
e += e1;
+ if (e >= 0) {
+ if (bits) {
+ WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
+ bits = 0;
+ }
+ dst += dstStride;
+ e += e3;
+ }
}
if (bits)
WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, bits));
}
else {
while (len--) {
+ WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask));
+ dst += dstStride;
+ e += e1;
if (e >= 0) {
e += e3;
mask = fbBresShiftMask(mask, signdx, dstBpp);
@@ -94,9 +99,6 @@ fbBresSolid(DrawablePtr pDrawable,
mask = mask0;
}
}
- WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask));
- dst += dstStride;
- e += e1;
}
}
commit 4393c7f1ba6140a02232f04fbb434a80d663a99d
Author: Julien Cristau <jcristau at debian.org>
Date: Mon Nov 10 16:38:52 2014 +0100
Bump to 1.16.2
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/configure.ac b/configure.ac
index 3a9a961..ac8956c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.1.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2014-11-02"
+AC_INIT([xorg-server], 1.16.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2014-11-10"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
commit 151ec89574c0d1b4566137d0f2d965ef48f04ec5
Author: Julien Cristau <jcristau at debian.org>
Date: Sun Nov 2 11:21:33 2014 +0100
Bump to 1.16.1.901
diff --git a/configure.ac b/configure.ac
index c556721..3a9a961 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2014-09-21"
+AC_INIT([xorg-server], 1.16.1.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2014-11-02"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
commit a4d9637504ea4c97ca22d86c9f2e275f5253470d
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Thu Oct 16 14:09:08 2014 +0100
Xext/shm: Detach SHM segment after Pixmap is released
The GPU may still have a reference to the SHM segment which would only
be finally released when the Pixmap is destroy. So we can only detach
the SHM segment (and thereby making the memory unaccessible) after the
backend has had a chance to flush any remaining references.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85058
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Reported-and-tested-by: gedgon at gmail.com
Reviewed-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 9b29fa957a397664463c7c78fbcc2f34d1993271)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/Xext/shm.c b/Xext/shm.c
index 4dad8b6..b787918 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -248,21 +248,20 @@ ShmDestroyPixmap(PixmapPtr pPixmap)
{
ScreenPtr pScreen = pPixmap->drawable.pScreen;
ShmScrPrivateRec *screen_priv = ShmGetScreenPriv(pScreen);
+ void *shmdesc = NULL;
Bool ret;
- if (pPixmap->refcnt == 1) {
- ShmDescPtr shmdesc;
-
- shmdesc = (ShmDescPtr) dixLookupPrivate(&pPixmap->devPrivates,
- shmPixmapPrivateKey);
- if (shmdesc)
- ShmDetachSegment((void *) shmdesc, pPixmap->drawable.id);
- }
+ if (pPixmap->refcnt == 1)
+ shmdesc = dixLookupPrivate(&pPixmap->devPrivates, shmPixmapPrivateKey);
pScreen->DestroyPixmap = screen_priv->destroyPixmap;
ret = (*pScreen->DestroyPixmap) (pPixmap);
screen_priv->destroyPixmap = pScreen->DestroyPixmap;
pScreen->DestroyPixmap = ShmDestroyPixmap;
+
+ if (shmdesc)
+ ShmDetachSegment(shmdesc, pPixmap->drawable.id);
+
return ret;
}
commit a7c207cc8e713092c51401baddbb3a30de398a34
Author: Axel Davy <axel.davy at ens.fr>
Date: Wed Oct 29 13:31:42 2014 +0100
Fix present_notify to return right away when querying current or past msc.
When the target msc is past or is the current one, we want to get immediate
feedback. This patch fixes this behaviour.
Signed-off-by: Axel Davy <axel.davy at ens.fr>
Reviewed-by: Keith Packard <keithp at keithp.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 882f2d10d99a04a96afc0ce0c8937e16bec3afb5)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present.c b/present/present.c
index 4596c4a..cf283f4 100644
--- a/present/present.c
+++ b/present/present.c
@@ -858,7 +858,7 @@ present_pixmap(WindowPtr window,
xorg_list_add(&vblank->event_queue, &present_exec_queue);
vblank->queued = TRUE;
- if (target_msc >= crtc_msc) {
+ if ((pixmap && target_msc >= crtc_msc) || (!pixmap && target_msc > crtc_msc)) {
ret = present_queue_vblank(screen, target_crtc, vblank->event_id, target_msc);
if (ret != Success) {
xorg_list_del(&vblank->event_queue);
@@ -921,7 +921,7 @@ present_notify_msc(WindowPtr window,
0, 0,
NULL,
NULL, NULL,
- 0,
+ PresentOptionAsync,
target_msc, divisor, remainder, NULL, 0);
}
commit 27600a6b2056b8cf6af8b6b0f078164ef36c0767
Author: Axel Davy <axel.davy at ens.fr>
Date: Sat Sep 27 23:17:13 2014 +0200
Fix present_pixmap when using present_notify_msc
Calling present_notify_msc could cancel a pending pixmap presentation.
Signed-off-by: Axel Davy <axel.davy at ens.fr>
Reviewed-by: Keith Packard <keithp at keithp.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 9bc01dfc7070a40f5948588895b3a11dd1636d0e)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present.c b/present/present.c
index 3aea0d7..4596c4a 100644
--- a/present/present.c
+++ b/present/present.c
@@ -762,7 +762,7 @@ present_pixmap(WindowPtr window,
* in the same frame
*/
- if (!update) {
+ if (!update && pixmap) {
xorg_list_for_each_entry_safe(vblank, tmp, &window_priv->vblank, window_list) {
if (!vblank->pixmap)
commit 0e62f275aa02c5694fd714f3bbd5271836142755
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Mon Aug 4 10:47:03 2014 +1000
xkb: ignore floating slave devices when updating from master (#81885)
Introduced in 45fb3a934dc0db51584aba37c2f9d73deff9191d. When a device is
enabled, the master's locked state is pushed to the slave. If the device is
floating, no master exists and we triggered a NULL-pointer dereference
in XkbPushLockedStateToSlaves.
X.Org Bug 81885 <http://bugs.freedesktop.org/show_bug.cgi?id=81885>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Daniel Stone <daniel at fooishbar.org>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 1e30fc1b99bda040038e4fd56d1b27c686b44c75)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/dix/devices.c b/dix/devices.c
index 7f079ff..9e1c546 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -416,7 +416,7 @@ EnableDevice(DeviceIntPtr dev, BOOL sendevent)
XISendDeviceHierarchyEvent(flags);
}
- if (!IsMaster(dev))
+ if (!IsMaster(dev) && !IsFloating(dev))
XkbPushLockedStateToSlaves(GetMaster(dev, MASTER_KEYBOARD), 0, 0);
RecalculateMasterButtons(dev);
commit f7ca20cacfd4e0304d01f29491ae8363fd482279
Author: Takashi Iwai <tiwai at suse.de>
Date: Tue Aug 19 15:57:22 2014 -0500
fb: Fix invalid bpp for 24bit depth window
We have a hack in fb layer for a 24bpp screen to use 32bpp images, and
fbCreateWindow() replaces its drawable.bitsPerPixel field
appropriately. But, the problem is that it always replaces when 32bpp
is passed. If the depth is 32, this results in bpp < depth, which is
actually invalid.
Meanwhile, fbCreatePixmap() has a more check and it creates with 24bpp
only when the passed depth <= 24 for avoiding such a problem.
This oneliner patch just adds the similar check in fbCreateWindow().
This (hopefully) fixes the long-standing broken graphics mess of
cirrus KMS with 24bpp.
Signed-off-by: Takashi Iwai <tiwai at suse.de>
Reviewed-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit fe5018e0564118a7a8198fa286186fdb9ed818c7)
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/fb/fbwindow.c b/fb/fbwindow.c
index 368c4b8..c90175f 100644
--- a/fb/fbwindow.c
+++ b/fb/fbwindow.c
@@ -33,7 +33,7 @@ fbCreateWindow(WindowPtr pWin)
{
dixSetPrivate(&pWin->devPrivates, fbGetWinPrivateKey(pWin),
fbGetScreenPixmap(pWin->drawable.pScreen));
- if (pWin->drawable.bitsPerPixel == 32)
+ if (pWin->drawable.bitsPerPixel == 32 && pWin->drawable.depth <= 24)
pWin->drawable.bitsPerPixel =
fbGetScreenPrivate(pWin->drawable.pScreen)->win32bpp;
return TRUE;
commit 0e0951ce3eb33242934df9b683f8f5ca4fd501af
Author: Julien Cristau <jcristau at debian.org>
Date: Sun Sep 21 10:56:53 2014 +0200
Bump to 1.16.1
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/configure.ac b/configure.ac
index d93eb21..c556721 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.0.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2014-09-15"
+AC_INIT([xorg-server], 1.16.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2014-09-21"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
commit b501462e5da776e28a8e16d8573a6d17d7ebe15e
Author: Julien Cristau <jcristau at debian.org>
Date: Wed Sep 17 07:41:27 2014 +0200
xwayland: always include drm.xml in tarballs
Move drm.xml out of the automake conditional so make dist includes it
even if glamor-egl is disabled.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=83960
Signed-off-by: Julien Cristau <jcristau at debian.org>
Reviewed-by: Eric Anholt <eric at anholt.net>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit af40913797e6595fb5466c2ff3110e9526a37b9f)
diff --git a/hw/xwayland/Makefile.am b/hw/xwayland/Makefile.am
index dc16b8b..4e0e1bb 100644
--- a/hw/xwayland/Makefile.am
+++ b/hw/xwayland/Makefile.am
@@ -39,8 +39,6 @@ nodist_Xwayland_SOURCES = \
CLEANFILES = $(nodist_Xwayland_SOURCES)
-EXTRA_DIST = drm.xml
-
xwayland-glamor.c : $(nodist_Xwayland_SOURCES)
glamor_lib = $(top_builddir)/glamor/libglamor.la
@@ -48,6 +46,8 @@ glamor_lib = $(top_builddir)/glamor/libglamor.la
Xwayland_LDADD += $(GLAMOR_LIBS) $(GBM_LIBS) -lEGL -lGL
endif
+EXTRA_DIST = drm.xml
+
relink:
$(AM_V_at)rm -f Xwayland$(EXEEXT) && $(MAKE) Xwayland$(EXEEXT)
commit 3ce47886c58b0640697f243a5df7060109c8346f
Author: Julien Cristau <jcristau at debian.org>
Date: Mon Sep 15 22:55:16 2014 +0200
Bump to 1.16.0.901
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/configure.ac b/configure.ac
index 1c327fd..d93eb21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.16.0, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2014-07-16"
+AC_INIT([xorg-server], 1.16.0.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2014-09-15"
RELEASE_NAME="Marionberry Pie"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
commit c48d07cf0e6edfc92dcb97de66c2484a8ddba452
Author: Keith Packard <keithp at keithp.com>
Date: Thu Sep 4 08:36:07 2014 -0700
glx/present: Only send GLX_BufferSwapComplete for PresentCompleteKindPixmap
Present didn't provide the 'kind' argument to the
present_complete_notify hook that GLX uses to construct
GLX_BufferSwapComplete events, so GLX was reporting events for
PresentCompleteKindMSC notifications, which resulted in duplicate
GLX_BufferSwapComplete events and crashes in clutter.
See the gnome bug: https://bugzilla.gnome.org/show_bug.cgi?id=733282
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Eric Anholt <eric at anholt.net>
(cherry picked from commit bf338efc678258d2d366dff2ed873752f98f0bfc)
[backport to 1.16: check 'kind' in the caller to avoid ABI change]
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/present/present_event.c b/present/present_event.c
index ff57eba..e9b8276 100644
--- a/present/present_event.c
+++ b/present/present_event.c
@@ -173,7 +173,7 @@ present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 se
}
}
}
- if (complete_notify)
+ if (complete_notify && kind == PresentCompleteKindPixmap)
(*complete_notify)(window, mode, serial, ust, msc);
}
commit fbe977941abb0a6db19b345652b6106d849899c1
Author: Thierry Reding <treding at nvidia.com>
Date: Thu Feb 13 13:36:12 2014 +0100
xfree86: Allow non-PCI devices as primary
On platforms that don't support PCI or have no GPU attached to the PCI
bus, there can still be a primary device on a non-PCI bus.
Signed-off-by: Thierry Reding <treding at nvidia.com>
Reviewed-by: Rob Clark <robdclark at gmail.com>
Tested-by: Rob Clark <robdclark at gmail.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 5d133276de9c50146e80ffc69edd429c2afe98e6)
Signed-off-by: Hans de Goede <hdegoede at redhat.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
index 1890494..c541788 100644
--- a/hw/xfree86/common/xf86platformBus.c
+++ b/hw/xfree86/common/xf86platformBus.c
@@ -476,10 +476,9 @@ xf86platformProbeDev(DriverPtr drvp)
/* for non-seat0 servers assume first device is the master */
if (ServerIsNotSeat0())
break;
- if (xf86_platform_devices[j].pdev) {
- if (xf86IsPrimaryPlatform(&xf86_platform_devices[j]))
- break;
- }
+
+ if (xf86IsPrimaryPlatform(&xf86_platform_devices[j]))
+ break;
}
}
commit 484b881ecd7fbf5e1aabacfa96acb6f53475e32d
Author: Thierry Reding <treding at nvidia.com>
Date: Thu Feb 13 13:31:31 2014 +0100
xfree86: Fallback to first platform device as primary
When neither of the various bus implementations was able to find a
primary bus and device, fallback to using the platform bus as primary
bus and the first platform device as primary device.
Signed-off-by: Thierry Reding <treding at nvidia.com>
Reviewed-by: Rob Clark <robdclark at gmail.com>
Tested-by: Rob Clark <robdclark at gmail.com>
Signed-off-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 2f0183222b4279266e6ef60b923738ff55f0afba)
[hdegoede: backport to 1.16 which doesn't have syspath directly in OdevAttributes]
Signed-off-by: Hans de Goede <hdegoede at redhat.com>
Signed-off-by: Julien Cristau <jcristau at debian.org>
diff --git a/hw/xfree86/common/xf86Bus.c b/hw/xfree86/common/xf86Bus.c
index b3b3f8c..bd3e4e3 100644
--- a/hw/xfree86/common/xf86Bus.c
+++ b/hw/xfree86/common/xf86Bus.c
@@ -210,6 +210,9 @@ xf86BusProbe(void)
#if (defined(__sparc__) || defined(__sparc)) && !defined(__OpenBSD__)
xf86SbusProbe();
#endif
+#ifdef XSERVER_PLATFORM_BUS
+ xf86platformPrimary();
+#endif
}
/*
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
index eb1a3fb..1890494 100644
--- a/hw/xfree86/common/xf86platformBus.c
+++ b/hw/xfree86/common/xf86platformBus.c
@@ -635,4 +635,21 @@ void xf86platformVTProbe(void)
xf86PlatformReprobeDevice(i, xf86_platform_devices[i].attribs);
}
}
+
+void xf86platformPrimary(void)
+{
+ /* use the first platform device as a fallback */
+ if (primaryBus.type == BUS_NONE) {
+ xf86Msg(X_INFO, "no primary bus or device found\n");
+
+ if (xf86_num_platform_devices > 0) {
+ char *syspath = xf86_get_platform_attrib(0, ODEV_ATTRIB_SYSPATH);
+
+ primaryBus.id.plat = &xf86_platform_devices[0];
+ primaryBus.type = BUS_PLATFORM;
+
+ xf86Msg(X_NONE, "\tfalling back to %s\n", syspath);
+ }
+ }
+}
#endif
diff --git a/hw/xfree86/common/xf86platformBus.h b/hw/xfree86/common/xf86platformBus.h
index 5dee4e0..dec1956 100644
--- a/hw/xfree86/common/xf86platformBus.h
+++ b/hw/xfree86/common/xf86platformBus.h
@@ -77,6 +77,7 @@ extern _X_EXPORT int
xf86PlatformMatchDriver(char *matches[], int nmatches);
extern void xf86platformVTProbe(void);
+extern void xf86platformPrimary(void);
#endif
#endif
More information about the Xquartz-changes
mailing list