1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
From ef2807731903ff05a618fe2cbd532fe2472f7d0d Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 27 Sep 2011 14:56:00 -0400
Subject: [PATCH] CVE-2011-4818: Additional coverage for swap barriers and
hyperpipe
These have since been dropped, so the straight backport does not cover
these cases.
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
glx/glxcmds.c | 30 ++++++++++++++++++++++++------
1 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 922a6c1..fd0df31 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2204,6 +2204,8 @@ int __glXDisp_BindSwapBarrierSGIX(__GLXclientState *cl, GLbyte *pc)
int screen, rc;
__GLXscreen *pGlxScreen;
+ REQUEST_SIZE_MATCH(xGLXBindSwapBarrierSGIXReq);
+
rc = dixLookupDrawable(&pDraw, drawable, client, 0, DixGetAttrAccess);
pGlxScreen = glxGetScreen(pDraw->pScreen);
if (rc == Success && (pDraw->type == DRAWABLE_WINDOW)) {
@@ -2233,9 +2235,13 @@ int __glXDisp_QueryMaxSwapBarriersSGIX(__GLXclientState *cl, GLbyte *pc)
(xGLXQueryMaxSwapBarriersSGIXReq *) pc;
xGLXQueryMaxSwapBarriersSGIXReply reply;
int screen = req->screen;
+ int err;
__GLXscreen *pGlxScreen;
- pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+ REQUEST_SIZE_MATCH(xGLXQueryMaxSwapBarriersSGIXReq);
+ if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+ return err;
+
if (pGlxScreen->swapBarrierFuncs)
reply.max = pGlxScreen->swapBarrierFuncs->queryMaxSwapBarriersFunc(screen);
else
@@ -2265,14 +2271,17 @@ int __glXDisp_QueryHyperpipeNetworkSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXQueryHyperpipeNetworkSGIXReply reply;
int screen = req->screen;
void *rdata = NULL;
-
+ int err;
int length=0;
int npipes=0;
int n= 0;
__GLXscreen *pGlxScreen;
- pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+ REQUEST_SIZE_MATCH(xGLXQueryHyperpipeNetworkSGIXReq);
+
+ if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+ return err;
if (pGlxScreen->hyperpipeFuncs) {
rdata =
(pGlxScreen->hyperpipeFuncs->queryHyperpipeNetworkFunc(screen, &npipes, &n));
@@ -2308,11 +2317,14 @@ int __glXDisp_DestroyHyperpipeConfigSGIX (__GLXclientState *cl, GLbyte *pc)
int screen = req->screen;
int success = GLX_BAD_HYPERPIPE_SGIX;
int hpId ;
+ int err;
__GLXscreen *pGlxScreen;
hpId = req->hpId;
- pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+ REQUEST_SIZE_MATCH(xGLXDestroyHyperpipeConfigSGIXReq);
+ if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+ return err;
if (pGlxScreen->hyperpipeFuncs) {
success = pGlxScreen->hyperpipeFuncs->destroyHyperpipeConfigFunc(screen, hpId);
}
@@ -2346,11 +2358,14 @@ int __glXDisp_QueryHyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
int npipes=0;
int n= 0;
int hpId;
+ int err;
__GLXscreen *pGlxScreen;
hpId = req->hpId;
- pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+ REQUEST_SIZE_MATCH(xGLXQueryHyperpipeConfigSGIXReq);
+ if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+ return err;
if (pGlxScreen->hyperpipeFuncs) {
rdata = pGlxScreen->hyperpipeFuncs->queryHyperpipeConfigFunc(screen, hpId,&npipes, &n);
}
@@ -2387,12 +2402,15 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXHyperpipeConfigSGIXReply reply;
int screen = req->screen;
void *rdata;
+ int err;
int npipes=0, networkId;
int hpId=-1;
__GLXscreen *pGlxScreen;
- pGlxScreen = glxGetScreen(screenInfo.screens[screen]);
+ REQUEST_SIZE_MATCH(xGLXHyperpipeConfigSGIXReq);
+ if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
+ return err;
networkId = (int)req->networkId;
npipes = (int)req->npipes;
rdata = (void *)(req +1);
--
1.7.6
|
