123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 |
- From ef2807731903ff05a618fe2cbd532fe2472f7d0d Mon Sep 17 00:00:00 2001
- From: Adam Jackson <ajax@redhat.com>
- Date: Tue, 27 Sep 2011 14:56:00 -0400
- Subject: [PATCH] CVE-2011-4818: Additional coverage for swap barriers and
- hyperpipe
-
- These have since been dropped, so the straight backport does not cover
- these cases.
-
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- ---
- glx/glxcmds.c | 30 ++++++++++++++++++++++++------
- 1 files changed, 24 insertions(+), 6 deletions(-)
-
- diff --git a/glx/glxcmds.c b/glx/glxcmds.c
- index 922a6c1..fd0df31 100644
- --- a/glx/glxcmds.c
- +++ b/glx/glxcmds.c
- @@ -2204,6 +2204,8 @@ int __glXDisp_BindSwapBarrierSGIX(__GLXclientState *cl, GLbyte *pc)
- int screen, rc;
- __GLXscreen *pGlxScreen;
-
- + REQUEST_SIZE_MATCH(xGLXBindSwapBarrierSGIXReq);
- +
- rc = dixLookupDrawable(&pDraw, drawable, client, 0, DixGetAttrAccess);
- pGlxScreen = glxGetScreen(pDraw->pScreen);
- if (rc == Success && (pDraw->type == DRAWABLE_WINDOW)) {
- @@ -2233,9 +2235,13 @@ int __glXDisp_QueryMaxSwapBarriersSGIX(__GLXclientState *cl, GLbyte *pc)
- (xGLXQueryMaxSwapBarriersSGIXReq *) pc;
- xGLXQueryMaxSwapBarriersSGIXReply reply;
- int screen = req->screen;
- + int err;
- __GLXscreen *pGlxScreen;
-
- - pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
- + REQUEST_SIZE_MATCH(xGLXQueryMaxSwapBarriersSGIXReq);
- + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
- + return err;
- +
- if (pGlxScreen->swapBarrierFuncs)
- reply.max = pGlxScreen->swapBarrierFuncs->queryMaxSwapBarriersFunc(screen);
- else
- @@ -2265,14 +2271,17 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc)
- xGLXQueryHyperpipeNetworkSGIXReply reply;
- int screen = req->screen;
- void *rdata = NULL;
- -
- + int err;
- int length=0;
- int npipes=0;
-
- int n= 0;
- __GLXscreen *pGlxScreen;
-
- - pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
- + REQUEST_SIZE_MATCH(xGLXQueryHyperpipeNetworkSGIXReq);
- +
- + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
- + return err;
- if (pGlxScreen->hyperpipeFuncs) {
- rdata =
- (pGlxScreen->hyperpipeFuncs->queryHyperpipeNetworkFunc(screen, &npipes, &n));
- @@ -2308,11 +2317,14 @@ int __glXDisp_DestroyHyperpipeConfigSGIX (__GLXclientState *cl, GLbyte *pc)
- int screen = req->screen;
- int success = GLX_BAD_HYPERPIPE_SGIX;
- int hpId ;
- + int err;
- __GLXscreen *pGlxScreen;
-
- hpId = req->hpId;
-
- - pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
- + REQUEST_SIZE_MATCH(xGLXDestroyHyperpipeConfigSGIXReq);
- + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
- + return err;
- if (pGlxScreen->hyperpipeFuncs) {
- success = pGlxScreen->hyperpipeFuncs->destroyHyperpipeConfigFunc(screen, hpId);
- }
- @@ -2346,11 +2358,14 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
- int npipes=0;
- int n= 0;
- int hpId;
- + int err;
- __GLXscreen *pGlxScreen;
-
- hpId = req->hpId;
-
- - pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
- + REQUEST_SIZE_MATCH(xGLXQueryHyperpipeConfigSGIXReq);
- + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
- + return err;
- if (pGlxScreen->hyperpipeFuncs) {
- rdata = pGlxScreen->hyperpipeFuncs->queryHyperpipeConfigFunc(screen, hpId,&npipes, &n);
- }
- @@ -2387,12 +2402,15 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
- xGLXHyperpipeConfigSGIXReply reply;
- int screen = req->screen;
- void *rdata;
- + int err;
-
- int npipes=0, networkId;
- int hpId=-1;
- __GLXscreen *pGlxScreen;
-
- - pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
- + REQUEST_SIZE_MATCH(xGLXHyperpipeConfigSGIXReq);
- + if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
- + return err;
- networkId = (int)req->networkId;
- npipes = (int)req->npipes;
- rdata = (void *)(req +1);
- --
- 1.7.6
|