glapi/glx: Add overflow checks to the client-side indirect code
author Adam Jackson <ajax@redhat.com>
Tue, 24 May 2016 19:45:11 +0000 (15:45 -0400)
committer Adam Jackson <ajax@redhat.com>
Wed, 8 Jun 2016 18:39:46 +0000 (14:39 -0400)
Coverity complains that the computed sizes can lead to negative lengths
passed to memcpy. If that happens we've been handed invalid arguments
anyway, so just bomb out.

The funky "0%s" is because the size string for the variable-length part
of the request is of the form "+ safe_pad() ...", and a unary + would
coerce the result to always be positive, defeating the overflow check.

Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
src/mapi/glapi/gen/glX_proto_send.py

index 10abcfff7797a25fb0c8b8a624c71740af1e8681..26e7ab6674e8bab52859902a0e373cd0e79e3bcd 100644 (file)
@@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr )
         if name != None and name not in f.glx_vendorpriv_names:
             print '#endif'
 
+        if f.command_variable_length() != "":
+            print "    if (0%s < 0) {" % f.command_variable_length()
+            print "        __glXSetError(gc, GL_INVALID_VALUE);"
+            if f.return_type != 'void':
+                print "        return 0;"
+            else:
+                print "        return;"
+            print "    }"
+
         condition_list = []
         for p in f.parameterIterateCounters():
             condition_list.append( "%s >= 0" % (p.name) )
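
Review bot: The `0%s` on the `print "    if (0%s < 0) {"` line needs a comment in the generator itself, because the reason for the leading zero is given only in the commit message and the format string reads like a typo without it. A one-line note there that `f.command_variable_length()` returns a string beginning with `+`, so the `0` makes it a binary addition, would be enough. Second, this check is printed before the per-counter `"%s >= 0"` conditions that are assembled into `condition_list` just below, so the size expression is evaluated on counter values that have not been range-checked yet; please confirm that the helpers in the size string (the message mentions `safe_pad()`) yield a negative result for negative inputs rather than wrapping, or move the new check after those conditions. Minor: `f.command_variable_length()` is called twice in the added lines, and a local variable would read better.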