Index: /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_pixel.c =================================================================== --- /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_pixel.c (revision 74889) +++ /trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_pixel.c (revision 74890) @@ -343,9 +343,15 @@ void STATE_APIENTRY crStatePixelMapusv (GLenum map, GLint mapsize, const GLushort * values) { - GLfloat fvalues[CR_MAX_PIXEL_MAP_TABLE]; - GLint i; + if (mapsize < 0 || mapsize > CR_MAX_PIXEL_MAP_TABLE) + { + crError("crStatePixelMapusv: parameter 'mapsize' is out of range"); + return; + } if (!crStateIsBufferBound(GL_PIXEL_UNPACK_BUFFER_ARB)) { + GLfloat fvalues[CR_MAX_PIXEL_MAP_TABLE]; + GLint i; + if (map==GL_PIXEL_MAP_I_TO_I || map==GL_PIXEL_MAP_S_TO_S) { for (i=0;i= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenBuffersARB: parameter 'n' is out of range"); + return; + } - crServerReturnValue( local_buffers, n * sizeof(*local_buffers) ); - crFree( local_buffers ); + local_buffers = (GLuint *)crCalloc(n * sizeof(*local_buffers)); + + if (!local_buffers) + { + crError("crServerDispatchGenBuffersARB: out of memory"); + return; + } + + crStateGenBuffersARB(n, local_buffers); + + crServerReturnValue( local_buffers, n * sizeof(*local_buffers) ); + crFree( local_buffers ); } @@ -50,19 +64,18 @@ void SERVER_DISPATCH_APIENTRY -crServerDispatchGetBufferSubDataARB(GLenum target, GLintptrARB offset, - GLsizeiptrARB size, void * data) +crServerDispatchGetBufferSubDataARB(GLenum target, GLintptrARB offset, GLsizeiptrARB size, void * data) { - void *b; + void *b; - b = crAlloc(size); - if (b) { - cr_server.head_spu->dispatch_table.GetBufferSubDataARB( target, offset, size, b ); + b = crCalloc(size); + if (b) { + cr_server.head_spu->dispatch_table.GetBufferSubDataARB( target, offset, size, b ); - crServerReturnValue( b, size ); - crFree( b ); - } - else { - crError("Out of memory in crServerDispatchGetBufferSubDataARB"); - } + crServerReturnValue( b, size ); + crFree( b ); + } + else { + crError("Out of memory in crServerDispatchGetBufferSubDataARB"); + } } Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_framebuffer.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_framebuffer.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_framebuffer.c (revision 74890) @@ -26,6 +26,14 @@ crServerDispatchGenFramebuffersEXT(GLsizei n, GLuint *framebuffers) { - GLuint *local_buffers = (GLuint *) crAlloc(n * sizeof(*local_buffers)); + GLuint *local_buffers; (void) framebuffers; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenFramebuffersEXT: parameter 'n' is out of range"); + return; + } + + local_buffers = (GLuint *)crCalloc(n * sizeof(*local_buffers)); crStateGenFramebuffersEXT(n, local_buffers); @@ -38,6 +46,14 @@ crServerDispatchGenRenderbuffersEXT(GLsizei n, GLuint *renderbuffers) { - GLuint *local_buffers = (GLuint *) crAlloc(n * sizeof(*local_buffers)); + GLuint *local_buffers; (void) renderbuffers; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenRenderbuffersEXT: parameter 'n' is out of range"); + return; + } + + local_buffers = (GLuint *)crCalloc(n * sizeof(*local_buffers)); crStateGenRenderbuffersEXT(n, local_buffers); Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_gentextures.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_gentextures.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_gentextures.c (revision 74890) @@ -14,6 +14,20 @@ void SERVER_DISPATCH_APIENTRY crServerDispatchGenTextures( GLsizei n, GLuint *textures ) { - GLuint *local_textures = (GLuint *) crAlloc(n*sizeof(*local_textures)); + GLuint *local_textures; (void) textures; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenTextures: parameter 'n' is out of range"); + return; + } + + local_textures = (GLuint *)crCalloc(n * sizeof(*local_textures)); + + if (!local_textures) + { + crError("crServerDispatchGenTextures: out of memory"); + return; + } crStateGenTextures(n, local_textures); @@ -25,6 +39,21 @@ void SERVER_DISPATCH_APIENTRY crServerDispatchGenProgramsNV( GLsizei n, GLuint * ids ) { - GLuint *local_progs = (GLuint *) crAlloc( n*sizeof( *local_progs) ); + GLuint *local_progs; (void) ids; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenProgramsNV: parameter 'n' is out of range"); + return; + } + + local_progs = (GLuint *)crCalloc(n * sizeof(*local_progs)); + + if (!local_progs) + { + crError("crServerDispatchGenProgramsNV: out of memory"); + return; + } + cr_server.head_spu->dispatch_table.GenProgramsNV( n, local_progs ); crServerReturnValue( local_progs, n*sizeof( *local_progs ) ); @@ -35,6 +64,21 @@ void SERVER_DISPATCH_APIENTRY crServerDispatchGenFencesNV( GLsizei n, GLuint * ids ) { - GLuint *local_fences = (GLuint *) crAlloc( n*sizeof( *local_fences) ); + GLuint *local_fences; (void) ids; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenFencesNV: parameter 'n' is out of range"); + return; + } + + local_fences = (GLuint *)crCalloc(n * sizeof(*local_fences)); + + if (!local_fences) + { + crError("crServerDispatchGenFencesNV: out of memory"); + return; + } + cr_server.head_spu->dispatch_table.GenFencesNV( n, local_fences ); crServerReturnValue( local_fences, n*sizeof( *local_fences ) ); @@ -47,4 +91,19 @@ GLsizei i; (void) ids; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenProgramsARB: parameter 'n' is out of range"); + return; + } + + local_progs = (GLuint *)crCalloc(n * sizeof(*local_progs)); + + if (!local_progs) + { + crError("crServerDispatchGenProgramsARB: out of memory"); + return; + } + cr_server.head_spu->dispatch_table.GenProgramsARB( n, local_progs ); Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c (revision 74890) @@ -40,5 +40,5 @@ if (bufSize < INT32_MAX / 2) - pLocal = (crGetActive_t*)crAlloc(bufSize + sizeof(crGetActive_t)); + pLocal = (crGetActive_t*)crCalloc(bufSize + sizeof(crGetActive_t)); if (!pLocal) @@ -49,6 +49,5 @@ return; } - /* zero out just the header to ensure it initially contains zero size values */ - memset(pLocal, 0, sizeof (*pLocal)); + cr_server.head_spu->dispatch_table.GetActiveAttrib(crStateGetProgramHWID(program), index, bufSize, &pLocal->length, &pLocal->size, &pLocal->type, (char*)&pLocal[1]); crServerReturnValue(pLocal, pLocal->length+1+sizeof(crGetActive_t)); @@ -61,5 +60,5 @@ if (bufSize < INT32_MAX / 2) - pLocal = (crGetActive_t*) crAlloc(bufSize + sizeof(crGetActive_t)); + pLocal = (crGetActive_t*) crCalloc(bufSize + sizeof(crGetActive_t)); if (!pLocal) @@ -70,6 +69,5 @@ return; } - /* zero out just the header to ensure it initially contains zero size values */ - memset(pLocal, 0, sizeof (*pLocal)); + cr_server.head_spu->dispatch_table.GetActiveUniform(crStateGetProgramHWID(program), index, bufSize, &pLocal->length, &pLocal->size, &pLocal->type, (char*)&pLocal[1]); crServerReturnValue(pLocal, pLocal->length+1+sizeof(crGetActive_t)); @@ -82,5 +80,5 @@ if (maxCount < INT32_MAX / sizeof(GLuint) / 2) - pLocal = (GLsizei*) crAlloc(maxCount * sizeof(GLuint) + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(maxCount * sizeof(GLuint) + sizeof(GLsizei)); if (!pLocal) @@ -111,5 +109,5 @@ if (maxCount < INT32_MAX / sizeof(VBoxGLhandleARB) / 2) - pLocal = (GLsizei*) crAlloc(maxCount * sizeof(VBoxGLhandleARB) + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(maxCount * sizeof(VBoxGLhandleARB) + sizeof(GLsizei)); if (!pLocal) @@ -143,5 +141,5 @@ if (maxLength < INT32_MAX / 2) - pLocal = (GLsizei*) crAlloc(maxLength + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(maxLength + sizeof(GLsizei)); if (!pLocal) @@ -167,5 +165,5 @@ if (bufSize < INT32_MAX / 2) - pLocal = (GLsizei*) crAlloc(bufSize + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(bufSize + sizeof(GLsizei)); if (!pLocal) @@ -187,5 +185,5 @@ if (bufSize < INT32_MAX / 2) - pLocal = (GLsizei*) crAlloc(bufSize + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(bufSize + sizeof(GLsizei)); if (!pLocal) @@ -208,5 +206,5 @@ if (bufSize < INT32_MAX / 2) - pLocal = (GLsizei*) crAlloc(bufSize + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(bufSize + sizeof(GLsizei)); if (!pLocal) @@ -233,5 +231,5 @@ if (maxcbData < INT32_MAX / 2) - pLocal = (GLsizei*) crAlloc(maxcbData + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(maxcbData + sizeof(GLsizei)); if (!pLocal) @@ -259,5 +257,5 @@ if (maxcbData < INT32_MAX / 2) - pLocal = (GLsizei*) crAlloc(maxcbData + sizeof(GLsizei)); + pLocal = (GLsizei*) crCalloc(maxcbData + sizeof(GLsizei)); if (!pLocal) @@ -292,5 +290,5 @@ GLfloat *pLocal; - pLocal = (GLfloat*) crAlloc(size); + pLocal = (GLfloat*) crCalloc(size); if (!pLocal) { @@ -311,5 +309,5 @@ GLint *pLocal; - pLocal = (GLint*) crAlloc(size); + pLocal = (GLint*) crCalloc(size); if (!pLocal) { Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getteximage.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getteximage.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getteximage.c (revision 74890) @@ -77,5 +77,5 @@ #endif - if (size && (buffer = crAlloc(size))) { + if (size && (buffer = crCalloc(size))) { /* Note, the other pixel PACK parameters (default values) should * be OK at this point. @@ -118,5 +118,5 @@ cr_server.head_spu->dispatch_table.GetTexLevelParameteriv(target, level, GL_TEXTURE_COMPRESSED_IMAGE_SIZE, &size); - if (size && (buffer = crAlloc(size))) { + if (size && (buffer = crCalloc(size))) { /* XXX the pixel PACK parameter should be OK at this point */ cr_server.head_spu->dispatch_table.GetCompressedTexImageARB(target, level, buffer); @@ -149,4 +149,6 @@ GLubyte local_mask[128]; + memset(local_mask, 0, sizeof(local_mask)); + cr_server.head_spu->dispatch_table.GetPolygonStipple( local_mask ); crServerReturnValue( &(local_mask[0]), 128*sizeof(GLubyte) ); Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c (revision 74890) @@ -182,5 +182,5 @@ GLint i; - if (n >= UINT32_MAX / sizeof(GLuint)) + if (n >= INT32_MAX / sizeof(GLuint)) { crError("crServerDispatchDeleteProgramsARB: parameter 'n' is out of range"); @@ -218,16 +218,36 @@ GLboolean *residences) { - GLboolean retval; - GLboolean *res = (GLboolean *) crAlloc(n * sizeof(GLboolean)); + GLboolean retval = GL_FALSE; + GLboolean *res; GLsizei i; - (void) residences; + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchAreProgramsResidentNV: parameter 'n' is out of range"); + return GL_FALSE; + } + + res = (GLboolean *)crCalloc(n * sizeof(GLboolean)); + + if (!res) { + crError("crServerDispatchAreProgramsResidentNV: out of memory"); + return GL_FALSE; + } + if (!cr_server.sharedTextureObjects) { - GLuint *programs2 = (GLuint *) crAlloc(n * sizeof(GLuint)); - for (i = 0; i < n; i++) - programs2[i] = crServerTranslateProgramID(programs[i]); - retval = cr_server.head_spu->dispatch_table.AreProgramsResidentNV(n, programs2, res); - crFree(programs2); + GLuint *programs2 = (GLuint *) crCalloc(n * sizeof(GLuint)); + if (programs2) + { + for (i = 0; i < n; i++) + programs2[i] = crServerTranslateProgramID(programs[i]); + + retval = cr_server.head_spu->dispatch_table.AreProgramsResidentNV(n, programs2, res); + crFree(programs2); + } + else + { + crError("crServerDispatchAreProgramsResidentNV: out of memory"); + } } else { Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_lists.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_lists.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_lists.c (revision 74890) @@ -230,5 +230,5 @@ crServerDispatchCallLists( GLsizei n, GLenum type, const GLvoid *lists ) { - if (n >= UINT32_MAX / sizeof(GLuint)) + if (n >= INT32_MAX / sizeof(GLuint)) { crError("crServerDispatchCallLists: parameter 'n' is out of range"); Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_misc.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_misc.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_misc.c (revision 74890) @@ -26,27 +26,37 @@ GLubyte local_storage[4096]; GLint bytes = 0; + GLint cbType = 1; /* One byte by default. */ + + memset(local_storage, 0, sizeof(local_storage)); switch (type) { case GL_BYTE: case GL_UNSIGNED_BYTE: - bytes = count * sizeof(GLbyte); + cbType = sizeof(GLbyte); break; case GL_SHORT: case GL_UNSIGNED_SHORT: - bytes = count * sizeof(GLshort); + cbType = sizeof(GLshort); break; case GL_INT: case GL_UNSIGNED_INT: - bytes = count * sizeof(GLint); + cbType = sizeof(GLint); break; case GL_FLOAT: - bytes = count * sizeof(GLfloat); + cbType = sizeof(GLfloat); break; case GL_DOUBLE: - bytes = count * sizeof(GLdouble); + cbType = sizeof(GLdouble); break; default: crError("Bad type in crServerDispatchGetChromiumParametervCR"); } + + if (count < 0) /* 'GLsizei' is usually an 'int'. */ + count = 0; + else if ((size_t)count > sizeof(local_storage) / cbType) + count = sizeof(local_storage) / cbType; + + bytes = count * cbType; CRASSERT(bytes >= 0); Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_occlude.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_occlude.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_occlude.c (revision 74890) @@ -14,8 +14,24 @@ crServerDispatchGenQueriesARB(GLsizei n, GLuint *queries) { - GLuint *local_queries = (GLuint *) crAlloc( n * sizeof(*local_queries) ); - (void) queries; - cr_server.head_spu->dispatch_table.GenQueriesARB( n, local_queries ); - crServerReturnValue( local_queries, n * sizeof(*local_queries) ); - crFree( local_queries ); + GLuint *local_queries; + (void) queries; + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchGenQueriesARB: parameter 'n' is out of range"); + return; + } + + local_queries = (GLuint *)crCalloc(n * sizeof(*local_queries)); + + if (!local_queries) + { + crError("crServerDispatchGenQueriesARB: out of memory"); + return; + } + + cr_server.head_spu->dispatch_table.GenQueriesARB( n, local_queries ); + + crServerReturnValue( local_queries, n * sizeof(*local_queries) ); + crFree( local_queries ); } Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_readpixels.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_readpixels.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_readpixels.c (revision 74890) @@ -20,5 +20,4 @@ GLenum format, GLenum type, GLvoid *pixels) { - CRMessageReadPixels *rp; const GLint stride = READ_DATA( 24, GLint ); const GLint alignment = READ_DATA( 28, GLint ); @@ -27,5 +26,4 @@ const GLint bytes_per_row = READ_DATA( 40, GLint ); const GLint rowLength = READ_DATA( 44, GLint ); - const int msg_len = sizeof(*rp) + bytes_per_row * height; CRASSERT(bytes_per_row > 0); @@ -48,5 +46,21 @@ #endif { + CRMessageReadPixels *rp; + uint32_t msg_len; + + if (bytes_per_row < 0 || bytes_per_row > UINT32_MAX / 8 || height > UINT32_MAX / 8) + { + crError("crServerDispatchReadPixels: parameters out of range"); + return; + } + + msg_len = sizeof(*rp) + (uint32_t)bytes_per_row * height; + rp = (CRMessageReadPixels *) crAlloc( msg_len ); + if (!rp) + { + crError("crServerDispatchReadPixels: out of memory"); + return; + } /* Note: the ReadPixels data gets densely packed into the buffer Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_retval.py =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_retval.py (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_retval.py (revision 74890) @@ -25,17 +25,23 @@ { CRMessageReadback *rb; - int msg_len = sizeof( *rb ) + payload_len; - + int msg_len; + /* Don't reply to client if we're loading VM snapshot*/ if (cr_server.bIsInLoadingState) return; - + if (cr_server.curClient->conn->type == CR_FILE) { return; } - + + if (payload_len >= INT32_MAX - sizeof( *rb )) + { + return; + } + + msg_len = sizeof( *rb ) + payload_len; rb = (CRMessageReadback *) crAlloc( msg_len ); - + rb->header.type = CR_MESSAGE_READBACK; CRDBGPTR_PRINTRB(cr_server.curClient->conn->u32ClientID, &cr_server.writeback_ptr); Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c (revision 74890) @@ -236,10 +236,18 @@ void SERVER_DISPATCH_APIENTRY crServerDispatchPrioritizeTextures( GLsizei n, const GLuint * textures, const GLclampf * priorities ) { - GLuint *newTextures = (GLuint *) crAlloc(n * sizeof(GLuint)); + GLuint *newTextures; GLint i; + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchPrioritizeTextures: parameter 'n' is out of range"); + return; + } + + newTextures = (GLuint *)crAlloc(n * sizeof(GLuint)); + if (!newTextures) { - crError("crServerDispatchDeleteTextures: out of memory"); + crError("crServerDispatchPrioritizeTextures: out of memory"); return; } @@ -271,11 +279,32 @@ GLboolean *residences) { - GLboolean retval; + GLboolean retval = GL_FALSE; GLsizei i; - GLboolean *res = (GLboolean *) crAlloc(n * sizeof(GLboolean)); - GLuint *textures2 = (GLuint *) crAlloc(n * sizeof(GLuint)); - + GLboolean *res; + GLuint *textures2; (void) residences; + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crServerDispatchAreTexturesResident: parameter 'n' is out of range"); + return GL_FALSE; + } + + res = (GLboolean *)crCalloc(n * sizeof(GLboolean)); + if (!res) + { + crError("crServerDispatchAreTexturesResident: out of memory"); + return GL_FALSE; + } + + textures2 = (GLuint *)crAlloc(n * sizeof(GLuint)); + + if (!textures2) + { + crError("crServerDispatchAreTexturesResident: out of memory"); + crFree(res); + return GL_FALSE; + } + for (i = 0; i < n; i++) { Index: /trunk/src/VBox/HostServices/SharedOpenGL/dlm/dlm_lists.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/dlm/dlm_lists.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/dlm/dlm_lists.c (revision 74890) @@ -353,4 +353,10 @@ crDebug("DLM: CallLists(%d, %u, %p).", n, type, lists); + + if (n >= INT32_MAX / sizeof(GLuint)) + { + crError("crDLMCallLists: parameter 'n' is out of range"); + return; + } if (pListState) Index: /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_map.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_map.c (revision 74889) +++ /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_map.c (revision 74890) @@ -8,83 +8,131 @@ #include "cr_error.h" #include "cr_mem.h" +#include "state/cr_limits.h" void crUnpackMap2d(void) { - GLenum target = READ_DATA(sizeof(int) + 0, GLenum); - GLdouble u1 = READ_DOUBLE(sizeof(int) + 4); - GLdouble u2 = READ_DOUBLE(sizeof(int) + 12); - GLint ustride = READ_DATA(sizeof(int) + 20, GLint); - GLint uorder = READ_DATA(sizeof(int) + 24, GLint); - GLdouble v1 = READ_DOUBLE(sizeof(int) + 28); - GLdouble v2 = READ_DOUBLE(sizeof(int) + 36); - GLint vstride = READ_DATA(sizeof(int) + 44, GLint); - GLint vorder = READ_DATA(sizeof(int) + 48, GLint); + GLenum target = READ_DATA(sizeof(int) + 0, GLenum); + GLdouble u1 = READ_DOUBLE(sizeof(int) + 4); + GLdouble u2 = READ_DOUBLE(sizeof(int) + 12); + GLint ustride = READ_DATA(sizeof(int) + 20, GLint); + GLint uorder = READ_DATA(sizeof(int) + 24, GLint); + GLdouble v1 = READ_DOUBLE(sizeof(int) + 28); + GLdouble v2 = READ_DOUBLE(sizeof(int) + 36); + GLint vstride = READ_DATA(sizeof(int) + 44, GLint); + GLint vorder = READ_DATA(sizeof(int) + 48, GLint); + GLdouble *points = DATA_POINTER(sizeof(int) + 52, GLdouble); + GLint cbMax; - int n_points = READ_DATA(0, int) - (sizeof(int) + 52); - GLdouble *points; + if (uorder < 1 || uorder > CR_MAX_EVAL_ORDER || + vorder < 1 || vorder > CR_MAX_EVAL_ORDER || + ustride < 1 || ustride > INT32_MAX / (ssize_t)sizeof(double) / uorder / 8 || + vstride < 1 || vstride > INT32_MAX / (ssize_t)sizeof(double) / vorder / 8 ) + { + crError("crUnpackMap2d: parameters out of range"); + return; + } - if (n_points & 0x7) - crError("crUnpackMap2d: n_points=%d, expected multiple of 8\n", n_points); - points = (GLdouble *) crAlloc(n_points); - crMemcpy(points, DATA_POINTER(sizeof(int) + 52, GLdouble), n_points); + cbMax = (ustride * uorder + vstride * vorder) * sizeof(double); + if (!DATA_POINTER_CHECK(cbMax - 1)) + { + crError("crUnpackMap2d: parameters out of range"); + return; + } - cr_unpackDispatch.Map2d(target, u1, u2, ustride, uorder, v1, v2, vstride, vorder, - points); - crFree(points); + cr_unpackDispatch.Map2d(target, u1, u2, ustride, uorder, v1, v2, vstride, vorder, points); - INCR_VAR_PTR(); + INCR_VAR_PTR(); } void crUnpackMap2f(void) { - GLenum target = READ_DATA(sizeof(int) + 0, GLenum); - GLfloat u1 = READ_DATA(sizeof(int) + 4, GLfloat); - GLfloat u2 = READ_DATA(sizeof(int) + 8, GLfloat); - GLint ustride = READ_DATA(sizeof(int) + 12, GLint); - GLint uorder = READ_DATA(sizeof(int) + 16, GLint); - GLfloat v1 = READ_DATA(sizeof(int) + 20, GLfloat); - GLfloat v2 = READ_DATA(sizeof(int) + 24, GLfloat); - GLint vstride = READ_DATA(sizeof(int) + 28, GLint); - GLint vorder = READ_DATA(sizeof(int) + 32, GLint); - GLfloat *points = DATA_POINTER(sizeof(int) + 36 , GLfloat); + GLenum target = READ_DATA(sizeof(int) + 0, GLenum); + GLfloat u1 = READ_DATA(sizeof(int) + 4, GLfloat); + GLfloat u2 = READ_DATA(sizeof(int) + 8, GLfloat); + GLint ustride = READ_DATA(sizeof(int) + 12, GLint); + GLint uorder = READ_DATA(sizeof(int) + 16, GLint); + GLfloat v1 = READ_DATA(sizeof(int) + 20, GLfloat); + GLfloat v2 = READ_DATA(sizeof(int) + 24, GLfloat); + GLint vstride = READ_DATA(sizeof(int) + 28, GLint); + GLint vorder = READ_DATA(sizeof(int) + 32, GLint); + GLfloat *points = DATA_POINTER(sizeof(int) + 36, GLfloat); + GLint cbMax; - cr_unpackDispatch.Map2f(target, u1, u2, ustride, uorder, v1, v2, vstride, vorder, - points); - INCR_VAR_PTR(); + if (uorder < 1 || uorder > CR_MAX_EVAL_ORDER || + vorder < 1 || vorder > CR_MAX_EVAL_ORDER || + ustride < 1 || ustride > INT32_MAX / (ssize_t)sizeof(float) / uorder / 8 || + vstride < 1 || vstride > INT32_MAX / (ssize_t)sizeof(float) / vorder / 8) + { + crError("crUnpackMap2d: parameters out of range"); + return; + } + + cbMax = (ustride * uorder + vstride * vorder) * sizeof(float); + if (!DATA_POINTER_CHECK(cbMax - 1)) + { + crError("crUnpackMap2f: parameters out of range"); + return; + } + + cr_unpackDispatch.Map2f(target, u1, u2, ustride, uorder, v1, v2, vstride, vorder, points); + + INCR_VAR_PTR(); } void crUnpackMap1d(void) { - GLenum target = READ_DATA(sizeof(int) + 0, GLenum); - GLdouble u1 = READ_DOUBLE(sizeof(int) + 4); - GLdouble u2 = READ_DOUBLE(sizeof(int) + 12); - GLint stride = READ_DATA(sizeof(int) + 20, GLint); - GLint order = READ_DATA(sizeof(int) + 24, GLint); + GLenum target = READ_DATA(sizeof(int) + 0, GLenum); + GLdouble u1 = READ_DOUBLE(sizeof(int) + 4); + GLdouble u2 = READ_DOUBLE(sizeof(int) + 12); + GLint stride = READ_DATA(sizeof(int) + 20, GLint); + GLint order = READ_DATA(sizeof(int) + 24, GLint); + GLdouble *points = DATA_POINTER(sizeof(int) + 28, GLdouble); + GLint cbMax; - int n_points = READ_DATA(0, int) - (sizeof(int) + 28); - GLdouble *points; + if (order < 1 || order > CR_MAX_EVAL_ORDER || + stride < 1 || stride > INT32_MAX / (ssize_t)sizeof(double) / order / 8) + { + crError("crUnpackMap1d: parameters out of range"); + return; + } - if (n_points & 0x7) - crError("crUnpackMap1d: n_points=%d, expected multiple of 8\n", n_points); - points = (GLdouble *) crAlloc(n_points); - crMemcpy(points, DATA_POINTER(sizeof(int) + 28, GLdouble), n_points); - - cr_unpackDispatch.Map1d(target, u1, u2, stride, order, points); - crFree(points); + cbMax = stride * order * sizeof(double); + if (!DATA_POINTER_CHECK(cbMax - 1)) + { + crError("crUnpackMap1d: parameters out of range"); + return; + } - INCR_VAR_PTR(); + cr_unpackDispatch.Map1d(target, u1, u2, stride, order, points); + + INCR_VAR_PTR(); } void crUnpackMap1f(void) { - GLenum target = READ_DATA(sizeof(int) + 0, GLenum); - GLfloat u1 = READ_DATA(sizeof(int) + 4, GLfloat); - GLfloat u2 = READ_DATA(sizeof(int) + 8, GLfloat); - GLint stride = READ_DATA(sizeof(int) + 12, GLint); - GLint order = READ_DATA(sizeof(int) + 16, GLint); - GLfloat *points = DATA_POINTER(sizeof(int) + 20, GLfloat); + GLenum target = READ_DATA(sizeof(int) + 0, GLenum); + GLfloat u1 = READ_DATA(sizeof(int) + 4, GLfloat); + GLfloat u2 = READ_DATA(sizeof(int) + 8, GLfloat); + GLint stride = READ_DATA(sizeof(int) + 12, GLint); + GLint order = READ_DATA(sizeof(int) + 16, GLint); + GLfloat *points = DATA_POINTER(sizeof(int) + 20, GLfloat); + GLint cbMax; - cr_unpackDispatch.Map1f(target, u1, u2, stride, order, points); - INCR_VAR_PTR(); + if (order < 1 || order > CR_MAX_EVAL_ORDER || + stride < 1 || stride > INT32_MAX / (ssize_t)sizeof(float) / order / 8) + { + crError("crUnpackMap1f: parameters out of range"); + return; + } + + cbMax = stride * order * sizeof(float); + if (!DATA_POINTER_CHECK(cbMax - 1)) + { + crError("crUnpackMap1f: parameters out of range"); + return; + } + + cr_unpackDispatch.Map1f(target, u1, u2, stride, order, points); + INCR_VAR_PTR(); }