tigervnc/contrib/packages/rpm/el5/SOURCES/cve-2011-4818-extra.patch

From ef2807731903ff05a618fe2cbd532fe2472f7d0d Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 27 Sep 2011 14:56:00 -0400
Subject: [PATCH] CVE-2011-4818: Additional coverage for swap barriers and
 hyperpipe

These have since been dropped, so the straight backport does not cover
these cases.

Signed-off-by: Adam Jackson <ajax@redhat.com>
---
 glx/glxcmds.c |   30 ++++++++++++++++++++++++------
 1 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 922a6c1..fd0df31 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2204,6 +2204,8 @@ int __glXDisp_BindSwapBarrierSGIX(__GLXclientState *cl, GLbyte *pc)
     int screen, rc;
     __GLXscreen *pGlxScreen;
 
+    REQUEST_SIZE_MATCH(xGLXBindSwapBarrierSGIXReq);
+
     rc = dixLookupDrawable(&pDraw, drawable, client, 0, DixGetAttrAccess);
     pGlxScreen = glxGetScreen(pDraw->pScreen);
     if (rc == Success && (pDraw->type == DRAWABLE_WINDOW)) {
@@ -2233,9 +2235,13 @@ int __glXDisp_QueryMaxSwapBarriersSGIX(__GLXclientState *cl, GLbyte *pc)
                                     (xGLXQueryMaxSwapBarriersSGIXReq *) pc;
     xGLXQueryMaxSwapBarriersSGIXReply reply;
     int screen = req->screen;
+    int err;
     __GLXscreen *pGlxScreen;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    REQUEST_SIZE_MATCH(xGLXQueryMaxSwapBarriersSGIXReq);
+    if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+	return err;
+
     if (pGlxScreen->swapBarrierFuncs)
         reply.max = pGlxScreen->swapBarrierFuncs->queryMaxSwapBarriersFunc(screen);
     else
@@ -2265,14 +2271,17 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXQueryHyperpipeNetworkSGIXReply reply;
     int screen = req->screen;
     void *rdata = NULL;
-
+    int err;
     int length=0;
     int npipes=0;
 
     int n= 0;
     __GLXscreen *pGlxScreen;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    REQUEST_SIZE_MATCH(xGLXQueryHyperpipeNetworkSGIXReq);
+
+    if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+	return err;
     if (pGlxScreen->hyperpipeFuncs) {
         rdata =
             (pGlxScreen->hyperpipeFuncs->queryHyperpipeNetworkFunc(screen, &npipes, &n));
@@ -2308,11 +2317,14 @@ int __glXDisp_DestroyHyperpipeConfigSGIX (__GLXclientState *cl, GLbyte *pc)
     int screen = req->screen;
     int  success = GLX_BAD_HYPERPIPE_SGIX;
     int hpId ;
+    int err;
     __GLXscreen *pGlxScreen;
 
     hpId = req->hpId;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    REQUEST_SIZE_MATCH(xGLXDestroyHyperpipeConfigSGIXReq);
+    if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+	return err;
     if (pGlxScreen->hyperpipeFuncs) {
         success = pGlxScreen->hyperpipeFuncs->destroyHyperpipeConfigFunc(screen, hpId);
     }
@@ -2346,11 +2358,14 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
     int npipes=0;
     int n= 0;
     int hpId;
+    int err;
     __GLXscreen *pGlxScreen;
 
     hpId = req->hpId;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    REQUEST_SIZE_MATCH(xGLXQueryHyperpipeConfigSGIXReq);
+    if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+	return err;
     if (pGlxScreen->hyperpipeFuncs) {
         rdata = pGlxScreen->hyperpipeFuncs->queryHyperpipeConfigFunc(screen, hpId,&npipes, &n);
     }
@@ -2387,12 +2402,15 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
     xGLXHyperpipeConfigSGIXReply reply;
     int screen = req->screen;
     void *rdata;
+    int err;
 
     int npipes=0, networkId;
     int hpId=-1;
     __GLXscreen *pGlxScreen;
 
-    pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+    REQUEST_SIZE_MATCH(xGLXHyperpipeConfigSGIXReq);
+    if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+	return err;
     networkId = (int)req->networkId;
     npipes = (int)req->npipes;
     rdata = (void *)(req +1);
-- 
1.7.6