xorg-server: Changes to 'debian-squeeze'
ChangeLog | 205 +++++++++++++++++++++++++++++++++++++++++
debian/changelog | 10 ++
glx/glxcmds.c | 188 +++++++++++++++++++++++++++++++++++--
glx/glxcmdsswap.c | 171 ++++++++++++++++++++++++++++++++--
glx/xfont.c | 2
hw/xfree86/common/xf86Xinput.c | 8 -
hw/xquartz/GL/Makefile.am | 2
os/utils.c | 4
8 files changed, 563 insertions(+), 27 deletions(-)
New commits:
commit 869682effd2abbd48c47653e63d451e24666830a
Author: Julien Cristau <jcristau@debian.org>
Date: Sat Oct 29 18:54:27 2011 +0200
Upload to squeeze
diff --git a/debian/changelog b/debian/changelog
index 7c2935c..4d8d03c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-xorg-server (2:1.7.7-14) UNRELEASED; urgency=low
+xorg-server (2:1.7.7-14) squeeze; urgency=low
* GLX: add missing input sanitization (CVE-2010-4818). Also fix a couple
swapping issues.
@@ -6,7 +6,7 @@ xorg-server (2:1.7.7-14) UNRELEASED; urgency=low
* File permission change vulnerability (CVE-2011-4029).
* xf86ScaleAxis: support for high resolution devices.
- -- Julien Cristau <jcristau@debian.org> Fri, 21 Oct 2011 20:56:40 +0200
+ -- Julien Cristau <jcristau@debian.org> Sat, 29 Oct 2011 18:44:58 +0200
xorg-server (2:1.7.7-13) stable; urgency=low
commit 7fb763b4b6150ceb37fbd209ee59498489db1afc
Author: Julien Cristau <jcristau@debian.org>
Date: Fri Oct 21 20:58:43 2011 +0200
Changelogs
diff --git a/ChangeLog b/ChangeLog
index b9683ab..f3261ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,208 @@
+commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date: Mon Oct 17 22:27:35 2011 +0200
+
+ Fix CVE-2011-4029: File permission change vulnerability.
+
+ Use fchmod() to change permissions of the lock file instead
+ of chmod(), thus avoid the race that can be exploited to set
+ a symbolic link to any file or directory in the system.
+
+ Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ (cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4)
+ (cherry picked from commit 12f65819ffb04103f170ecd7e281348de618fc4c)
+
+commit 3394ae378da567025ac94a2c2ff04f2a0b113962
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date: Mon Oct 17 22:26:12 2011 +0200
+
+ Fix CVE-2011-4028: File disclosure vulnerability.
+
+ use O_NOFOLLOW to open the existing lock file, so symbolic links
+ aren't followed, thus avoid revealing if it point to an existing
+ file.
+
+ Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ (cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34)
+ (cherry picked from commit f80d23357874db19bc124dee70239fb182977883)
+
+commit 656307e93a7c72b147805e3741ebb02baf876150
+Author: Julien Cristau <jcristau@debian.org>
+Date: Sun Jan 23 13:35:54 2011 +0100
+
+ glx: Work around wrong request lengths sent by mesa
+
+ mesa used to send too long requests for GLXDestroyPixmap,
+ GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
+ and GLXGetFBConfigsSGIX.
+
+ Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
+ X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>
+
+ Reported-by: xunx.fang@intel.com
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+ (cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26)
+
+commit c821bd84e594e86d5dd766f680064e88a29a10d1
+Author: Julien Cristau <jcristau@debian.org>
+Date: Wed Jan 26 13:06:53 2011 +0100
+
+ glx: fix BindTexImageEXT length check
+
+ The request is followed by a list of attributes.
+
+ X.Org bug#33449
+
+ Reported-and-tested-by: meng <mengmeng.meng@intel.com>
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+ (cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334)
+
+commit 5b76d710d3cebbfb8a5f02eaa7920f73deadff21
+Author: Julien Cristau <jcristau@debian.org>
+Date: Sun Jan 23 17:05:26 2011 +0100
+
+ glx: fix request length check for CreateGLXPbufferSGIX
+
+ The request is followed by an attribute list.
+
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+ (cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234)
+
+commit 7ed56f793fe9bfe1fd2b70157523952cf6070fd8
+Author: Julien Cristau <jcristau@debian.org>
+Date: Wed Nov 10 22:39:54 2010 +0100
+
+ glx: validate numAttribs field before using it
+
+ Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+ Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ (cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c)
+
+commit 4f6ee6177c76d480fe2c477b0ca19ad337928373
+Author: Julien Cristau <jcristau@debian.org>
+Date: Sun Aug 22 16:20:45 2010 +0100
+
+ glx: swap the request arrays entirely, not just half of them
+
+ Various glx requests include a list of pairs of attributes. We were
+ only swapping the first half.
+
+ Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+ Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ (cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b)
+
+commit 00130263a222de904a4500c5410706aa5ec693dc
+Author: Julien Cristau <jcristau@debian.org>
+Date: Sun Aug 22 00:50:05 2010 +0100
+
+ glx: check request length before swapping
+
+ Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+ Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ (cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543)
+
+commit 6ff0bcfcc0eb02640456beacaaa93ee762c84507
+Author: Julien Cristau <jcristau@debian.org>
+Date: Sat Jul 3 19:47:55 2010 +0100
+
+ glx: validate request lengths
+
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+ Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+ Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ (cherry-picked from commit ec9c97c6bf70b523bc500bd3adf62176f1bb33a4)
+
+commit 94458a6e09761e3b7937bb639ea4c12972328c7f
+Author: Jeremy Huddleston <jeremyhu@apple.com>
+Date: Sun Mar 13 15:10:00 2011 -0700
+
+ XQuartz GL: Add $(GL_CFLAGS) to CFLAGS
+
+ This fixes a build failure I found on tinderbox.
+
+ Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+ (cherry picked from commit f641e4b34aa91ecda29e546b8b975e72ce037ed0)
+
+ Conflicts:
+
+ hw/xquartz/GL/Makefile.am
+
+ Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+
+commit ee8664ee8573d810a8768a2e10dd896b630697ff
+Author: Benjamin Tissoires <tissoire@cena.fr>
+Date: Wed Apr 14 17:27:51 2010 +0200
+
+ xf86ScaleAxis: support for high resolution devices
+
+ High resolution devices was generating integer overflow.
+ For instance the wacom Cintiq 21UX has an axis value up to
+ 87000. Thus the term (dSx * (Cx - Rxlow)) is greater than
+ MAX_INT32.
+
+ Using 64bits integer avoids such problem.
+
+ Signed-off-by: Philippe Ribet <ribet@cena.fr>
+ Signed-off-by: Benjamin Tissoires <tissoire@cena.fr>
+ Reviewed-by: Keith Packard <keithp@keithp.com>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ (cherry picked from commit a780e5b3638a0ff81301fc68aca15b47ba0befb7)
+
+commit 01bc98e313b8ee62c506d0f8f408d54b71d1dfa6
+Author: Julien Cristau <jcristau@debian.org>
+Date: Sat Jul 3 19:42:26 2010 +0100
+
+ glx: make sure screen is non-negative in validGlxScreen
+
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+ Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+ Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+ (cherry picked from commit 3f0d3f4d97bce75c1828635c322b6560a45a037f)
+
+commit d77ffa918b2aaa3ca1deb17ed0145199d0f863da
+Author: Julien Cristau <jcristau@debian.org>
+Date: Mon Jan 31 14:14:47 2011 +0100
+
+ Revert "randr: check for virtual size limits before set crtc"
+
+ Apparently these checks break rotation with the nvidia drivers:
+ https://bbs.archlinux.org/viewtopic.php?pid=877761
+ http://bugs.debian.org/611619
+ Let's not do that in a stable branch.
+
+ This reverts commit 6a6d907e77777057cadbd80572119c09732385cd.
+
+ Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+commit 5549d99acbc38c8a1f12d649c42f044392ec7af0
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri Sep 3 11:54:41 2010 +1000
+
+ mi: handle DGA subtypes when determining the master device.
+
+ The subtype in the DGA event is the core type and all ET_ event types (where
+ applicable) are identical to the core types. Thus the switch statement below
+ will work as required and assign the right master device.
+
+ Fixes a crasher bug on keyboard devices with valuators. If a device sends a
+ motion event while grabbed and a DGA client is active (but has not selected
+ input through DGA), the valuator event is posted through the VCK and
+ eventually results in a NULL-pointer dereference on dev->valuator.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ (cherry picked from commit 31ab9f8860848504df18a8be9d19b817b191e0df)
+ (cherry picked from commit faecab3b13bbaecf4f35f49b833d1b79a5fb647d)
+
commit 2fd67c34549f1703e8ca522f92be518b18f90e81
Author: Ville Syrjälä <ville.syrjala@nokia.com>
Date: Thu Dec 16 18:22:13 2010 +0200
diff --git a/debian/changelog b/debian/changelog
index ba68ab8..7c2935c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:1.7.7-14) UNRELEASED; urgency=low
+
+ * GLX: add missing input sanitization (CVE-2010-4818). Also fix a couple
+ swapping issues.
+ * File disclosure vulnerability (CVE-2011-4028).
+ * File permission change vulnerability (CVE-2011-4029).
+ * xf86ScaleAxis: support for high resolution devices.
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 21 Oct 2011 20:56:40 +0200
+
xorg-server (2:1.7.7-13) stable; urgency=low
* bug script: Report KMS configuration files and their contents.
commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date: Mon Oct 17 22:27:35 2011 +0200
Fix CVE-2011-4029: File permission change vulnerability.
Use fchmod() to change permissions of the lock file instead
of chmod(), thus avoid the race that can be exploited to set
a symbolic link to any file or directory in the system.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4)
(cherry picked from commit 12f65819ffb04103f170ecd7e281348de618fc4c)
diff --git a/os/utils.c b/os/utils.c
index 7032227..adc75bc 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -315,7 +315,7 @@ LockServer(void)
FatalError("Could not create lock file in %s\n", tmp);
(void) sprintf(pid_str, "%10ld\n", (long)getpid());
(void) write(lfd, pid_str, 11);
- (void) chmod(tmp, 0444);
+ (void) fchmod(lfd, 0444);
(void) close(lfd);
/*
commit 3394ae378da567025ac94a2c2ff04f2a0b113962
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date: Mon Oct 17 22:26:12 2011 +0200
Fix CVE-2011-4028: File disclosure vulnerability.
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34)
(cherry picked from commit f80d23357874db19bc124dee70239fb182977883)
diff --git a/os/utils.c b/os/utils.c
index d7c8388..7032227 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -336,7 +336,7 @@ LockServer(void)
/*
* Read the pid from the existing file
*/
- lfd = open(LockFile, O_RDONLY);
+ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
if (lfd < 0) {
unlink(tmp);
FatalError("Can't read lock file %s\n", LockFile);
commit 656307e93a7c72b147805e3741ebb02baf876150
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jan 23 13:35:54 2011 +0100
glx: Work around wrong request lengths sent by mesa
mesa used to send too long requests for GLXDestroyPixmap,
GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
and GLXGetFBConfigsSGIX.
Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>
Reported-by: xunx.fang@intel.com
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index f42cce8..ce6aeb3 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1122,7 +1122,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
{
ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
- REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+ /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+ REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
}
@@ -1346,7 +1347,9 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
- REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
+ /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+ * length to 3 instead of 2 */
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
@@ -1478,7 +1481,13 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
client->errorValue = req->numAttribs;
return BadValue;
}
+#if 0
+ /* mesa sends an additional 8 bytes */
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+ if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+ return BadLength;
+#endif
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
@@ -1540,7 +1549,8 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
- REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+ /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
}
@@ -1849,7 +1859,8 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
- REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+ /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+ REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
return DoGetDrawableAttributes(cl, req->drawable);
}
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index c200244..5947e64 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -280,7 +280,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -369,7 +369,7 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -477,7 +477,9 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
client->errorValue = req->numAttribs;
return BadValue;
}
- REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+ if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+ return BadLength;
+
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -543,7 +545,7 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
+ REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
__GLX_SWAP_INT(&req->glxwindow);
@@ -743,7 +745,7 @@ int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
+ REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
commit c821bd84e594e86d5dd766f680064e88a29a10d1
Author: Julien Cristau <jcristau@debian.org>
Date: Wed Jan 26 13:06:53 2011 +0100
glx: fix BindTexImageEXT length check
The request is followed by a list of attributes.
X.Org bug#33449
Reported-and-tested-by: meng <mengmeng.meng@intel.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index ff1249f..f42cce8 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1674,13 +1674,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
GLXDrawable drawId;
int buffer;
int error;
+ CARD32 num_attribs;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = *((CARD32 *) (pc));
buffer = *((INT32 *) (pc + 4));
+ num_attribs = *((CARD32 *) (pc + 8));
+ if (num_attribs > (UINT32_MAX >> 3)) {
+ client->errorValue = num_attribs;
+ return BadValue;
+ }
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
if (buffer != GLX_FRONT_LEFT_EXT)
return __glXError(GLXBadPixmap);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 1155b23..c200244 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -649,19 +649,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
GLXDrawable *drawId;
int *buffer;
+ CARD32 *num_attribs;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+ return BadLength;
pc += __GLX_VENDPRIV_HDR_SIZE;
drawId = ((GLXDrawable *) (pc));
buffer = ((int *) (pc + 4));
+ num_attribs = ((CARD32 *) (pc + 8));
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
__GLX_SWAP_INT(drawId);
__GLX_SWAP_INT(buffer);
+ __GLX_SWAP_INT(num_attribs);
return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
}
commit 5b76d710d3cebbfb8a5f02eaa7920f73deadff21
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jan 23 17:05:26 2011 +0100
glx: fix request length check for CreateGLXPbufferSGIX
The request is followed by an attribute list.
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 83469a5..ff1249f 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1416,7 +1416,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
ClientPtr client = cl->client;
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
req->width, req->height, req->pbuffer);
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index a0e0882..1155b23 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -422,7 +422,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
+ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->fbconfig);
commit 7ed56f793fe9bfe1fd2b70157523952cf6070fd8
Author: Julien Cristau <jcristau@debian.org>
Date: Wed Nov 10 22:39:54 2010 +0100
glx: validate numAttribs field before using it
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index b8ee546..83469a5 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1273,6 +1273,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
__GLXscreen *pGlxScreen;
int err;
+ REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
@@ -1376,6 +1381,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
CARD32 *attrs;
int width, height, i;
+ REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attrs = (CARD32 *) (req + 1);
@@ -1463,6 +1473,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
xGLXChangeDrawableAttributesReq *req =
(xGLXChangeDrawableAttributesReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1475,6 +1490,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
xGLXChangeDrawableAttributesSGIXReq *req =
(xGLXChangeDrawableAttributesSGIXReq *)pc;
+ REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
return DoChangeDrawableAttributes(cl->client, req->drawable,
@@ -1490,6 +1510,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
DrawablePtr pDraw;
int err;
+ REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index cbd9b88..a0e0882 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -320,6 +320,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->glxpixmap);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -401,6 +405,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->pbuffer);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -465,6 +473,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -487,6 +499,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -510,6 +526,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
__GLX_SWAP_INT(&req->glxwindow);
__GLX_SWAP_INT(&req->numAttribs);
+ if (req->numAttribs > (UINT32_MAX >> 3)) {
+ client->errorValue = req->numAttribs;
+ return BadValue;
+ }
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
commit 4f6ee6177c76d480fe2c477b0ca19ad337928373
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Aug 22 16:20:45 2010 +0100
glx: swap the request arrays entirely, not just half of them
Various glx requests include a list of pairs of attributes. We were
only swapping the first half.
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b)
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index cca9843..cbd9b88 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -322,7 +322,7 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreatePixmap(cl, pc);
}
@@ -403,7 +403,7 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreatePbuffer(cl, pc);
}
@@ -467,7 +467,7 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_ChangeDrawableAttributes(cl, pc);
}
@@ -489,7 +489,7 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc);
}
@@ -512,7 +512,7 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreateWindow(cl, pc);
}
commit 00130263a222de904a4500c5410706aa5ec693dc
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Aug 22 00:50:05 2010 +0100
glx: check request length before swapping
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543)
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index c414dc8..cca9843 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -61,9 +61,12 @@
int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
__GLX_SWAP_INT(&req->visual);
@@ -75,9 +78,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
__GLX_SWAP_INT(&req->fbconfig);
@@ -90,10 +96,13 @@ int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateContextWithConfigSGIXReq *req =
(xGLXCreateContextWithConfigSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
__GLX_SWAP_INT(&req->fbconfig);
@@ -106,9 +115,12 @@ int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
@@ -117,9 +129,12 @@ int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->context);
@@ -130,9 +145,12 @@ int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->readdrawable);
@@ -144,9 +162,12 @@ int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
__GLX_SWAP_INT(&req->readable);
@@ -158,9 +179,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->context);
@@ -169,9 +193,12 @@ int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->majorVersion);
__GLX_SWAP_INT(&req->minorVersion);
@@ -181,9 +208,12 @@ int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
@@ -192,9 +222,12 @@ int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXWaitXReq *req = (xGLXWaitXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->contextTag);
@@ -203,9 +236,12 @@ int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->source);
__GLX_SWAP_INT(&req->dest);
@@ -216,36 +252,48 @@ int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetVisualConfigs(cl, pc);
}
int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
+
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigs(cl, pc);
}
int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
+
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
}
int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->screen);
__GLX_SWAP_INT(&req->visual);
@@ -257,17 +305,22 @@ int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
{
+ ClientPtr client = cl->client;
xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
CARD32 *attribs;
Reply to: