glapi/glx: Add overflow checks to the client-side indirect code
Coverity complains that the computed sizes can lead to negative lengths passed to memcpy. If that happens we've been handed invalid arguments anyway, so just bomb out. The funky "0%s" is because the size string for the variable-length part of the request is of the form "+ safe_pad() ...", and a unary + would coerce the result to always be positive, defeating the overflow check. Signed-off-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matt Turner <mattst88@gmail.com>
This commit is contained in:
@@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr )
|
||||
if name != None and name not in f.glx_vendorpriv_names:
|
||||
print '#endif'
|
||||
|
||||
if f.command_variable_length() != "":
|
||||
print " if (0%s < 0) {" % f.command_variable_length()
|
||||
print " __glXSetError(gc, GL_INVALID_VALUE);"
|
||||
if f.return_type != 'void':
|
||||
print " return 0;"
|
||||
else:
|
||||
print " return;"
|
||||
print " }"
|
||||
|
||||
condition_list = []
|
||||
for p in f.parameterIterateCounters():
|
||||
condition_list.append( "%s >= 0" % (p.name) )
|
||||
|
||||
Reference in New Issue
Block a user