aboutsummaryrefslogtreecommitdiffstats
path: root/src/mapi
diff options
context:
space:
mode:
authorAdam Jackson <[email protected]>2016-05-24 15:45:11 -0400
committerAdam Jackson <[email protected]>2016-06-08 14:39:46 -0400
commita1c5cd426c0381124f7c320d5a7b760a9a36af75 (patch)
treea043f8fea0957398880915ea732336b10232746d /src/mapi
parent26b69ad250ee23e70831626a88f70f6ddf2e1bcc (diff)
glapi/glx: Add overflow checks to the client-side indirect code
Coverity complains that the computed sizes can lead to negative lengths passed to memcpy. If that happens we've been handed invalid arguments anyway, so just bomb out. The funky "0%s" is because the size string for the variable-length part of the request is of the form "+ safe_pad() ...", and a unary + would coerce the result to always be positive, defeating the overflow check. Signed-off-by: Adam Jackson <[email protected]> Reviewed-by: Matt Turner <[email protected]>
Diffstat (limited to 'src/mapi')
-rw-r--r--src/mapi/glapi/gen/glX_proto_send.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/mapi/glapi/gen/glX_proto_send.py b/src/mapi/glapi/gen/glX_proto_send.py
index 10abcfff779..26e7ab6674e 100644
--- a/src/mapi/glapi/gen/glX_proto_send.py
+++ b/src/mapi/glapi/gen/glX_proto_send.py
@@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr )
if name != None and name not in f.glx_vendorpriv_names:
print '#endif'
+ if f.command_variable_length() != "":
+ print " if (0%s < 0) {" % f.command_variable_length()
+ print " __glXSetError(gc, GL_INVALID_VALUE);"
+ if f.return_type != 'void':
+ print " return 0;"
+ else:
+ print " return;"
+ print " }"
+
condition_list = []
for p in f.parameterIterateCounters():
condition_list.append( "%s >= 0" % (p.name) )