From a1c5cd426c0381124f7c320d5a7b760a9a36af75 Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Tue, 24 May 2016 15:45:11 -0400 Subject: glapi/glx: Add overflow checks to the client-side indirect code Coverity complains that the computed sizes can lead to negative lengths passed to memcpy. If that happens we've been handed invalid arguments anyway, so just bomb out. The funky "0%s" is because the size string for the variable-length part of the request is of the form "+ safe_pad() ...", and a unary + would coerce the result to always be positive, defeating the overflow check. Signed-off-by: Adam Jackson Reviewed-by: Matt Turner --- src/mapi/glapi/gen/glX_proto_send.py | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src/mapi') diff --git a/src/mapi/glapi/gen/glX_proto_send.py b/src/mapi/glapi/gen/glX_proto_send.py index 10abcfff779..26e7ab6674e 100644 --- a/src/mapi/glapi/gen/glX_proto_send.py +++ b/src/mapi/glapi/gen/glX_proto_send.py @@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr ) if name != None and name not in f.glx_vendorpriv_names: print '#endif' + if f.command_variable_length() != "": + print " if (0%s < 0) {" % f.command_variable_length() + print " __glXSetError(gc, GL_INVALID_VALUE);" + if f.return_type != 'void': + print " return 0;" + else: + print " return;" + print " }" + condition_list = [] for p in f.parameterIterateCounters(): condition_list.append( "%s >= 0" % (p.name) ) -- cgit v1.2.3