Index: /trunk/src/VBox/GuestHost/OpenGL/include/cr_unpack.h
===================================================================
--- /trunk/src/VBox/GuestHost/OpenGL/include/cr_unpack.h	(revision 78075)
+++ /trunk/src/VBox/GuestHost/OpenGL/include/cr_unpack.h	(revision 78076)
@@ -83,4 +83,9 @@
 #define SET_RETURN_PTR( offset ) do { \
         CRDBGPTR_CHECKZ(return_ptr); \
+        if (!DATA_POINTER_CHECK(offset + sizeof(*return_ptr))) \
+        { \
+             crError("%s: SET_RETURN_PTR(%u) offset out of bounds\n", __FUNCTION__, offset); \
+             return; \
+        } \
         crMemcpy( return_ptr, cr_unpackData + (offset), sizeof( *return_ptr ) ); \
     } while (0);
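Review bot: The new bounds check in SET_RETURN_PTR uses the macro argument unparenthesised (`offset + sizeof(*return_ptr)`) while the crMemcpy line below it uses `(offset)`, so an expression argument can bind differently in the check than in the copy; SET_WRITEBACK_PTR in the next hunk has the same pattern. Writing the condition as `if (!DATA_POINTER_CHECK((offset) + sizeof(*return_ptr))) \` keeps the checked value and the copied range identical. The `%u` in the crError call expects an unsigned argument, so `(unsigned)(offset)` would be the matching form there. The embedded `return;` restricts both macros to functions returning void, which is worth stating above the definitions, e.g. `/* Returns from the calling (void) function when the offset is out of bounds. */`.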
@@ -89,4 +94,9 @@
 #define SET_WRITEBACK_PTR( offset ) do { \
         CRDBGPTR_CHECKZ(writeback_ptr); \
+        if (!DATA_POINTER_CHECK(offset + sizeof(*writeback_ptr))) \
+        { \
+             crError("%s: SET_WRITEBACK_PTR(%u) offset out of bounds\n", __FUNCTION__, offset); \
+             return; \
+        } \
         crMemcpy( writeback_ptr, cr_unpackData + (offset), sizeof( *writeback_ptr ) ); \
     } while (0);
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py	(revision 78075)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py	(revision 78076)
@@ -127,5 +127,5 @@
         local_argname = 'local_%s' % lastParam[0]
 
-        print('\t%s %s[%d];' % ( local_argtype, local_argname, max_components[func_name] ))
+        print('\t%s %s[%d] = { 0 };' % ( local_argtype, local_argname, max_components[func_name] ))
         print('\t(void) %s;' % lastParam[0])
 
@@ -142,4 +142,5 @@
             print('\tcrServerReturnValue(&(%s[0]), %d*sizeof(%s));' % (local_argname, max_components[func_name], local_argtype ))
         else:
-            print('\tcrServerReturnValue(&(%s[0]), crStateHlpComponentsCount(pname)*sizeof(%s));' % (local_argname, local_argtype ))
+            print('\tunsigned int cComponents = RT_MIN(crStateHlpComponentsCount(pname), RT_ELEMENTS(%s));' % local_argname)
+            print('\tcrServerReturnValue(&(%s[0]), cComponents*sizeof(%s));' % (local_argname, local_argtype ))
         print ('}\n')
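Review bot: The generated `unsigned int cComponents` narrows the `size_t` that RT_ELEMENTS yields and differs from the `size_t cComponents` used for the same clamp in server_texture.c in this commit; emitting `size_t cComponents = RT_MIN(...)` would keep the two consistent. RT_MIN is, as far as I know, a plain conditional macro, so crStateHlpComponentsCount(pname) is probably evaluated twice here, which is harmless only if the helper has no side effects. The clamp bounds only the size passed to crServerReturnValue; the call that fills the local array is emitted outside this hunk, so a generator comment such as `# Never return more than the local array holds, whatever pname maps to.` would record the intent.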
Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c	(revision 78075)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c	(revision 78076)
@@ -176,5 +176,6 @@
         crStateGetTexEnvfv( target, pname, local_params );
 
-    crServerReturnValue( &(local_params[0]), crStateHlpComponentsCount(pname)*sizeof (GLfloat) );
+    size_t cComponents = RT_MIN(crStateHlpComponentsCount(pname), RT_ELEMENTS(local_params));
+    crServerReturnValue( &(local_params[0]), cComponents*sizeof (GLfloat) );
 }
 
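Review bot: The clamp limits how many bytes of `local_params` are returned, but the declaration of `local_params` is outside the hunk and nothing here shows it being zero-initialised the way the generated arrays in server_get.py now are (`= { 0 }`). If the getter writes fewer elements than crStateHlpComponentsCount(pname) reports, the untouched stack bytes would still be handed to crServerReturnValue, so the declaration should carry the same `= { 0 }` initialiser; this applies equally to the GLint variant in the next hunk. A short comment on the clamp, e.g. `/* Never return more than local_params holds, whatever pname says. */`, would explain why the RT_MIN is there.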
@@ -188,5 +189,6 @@
         crStateGetTexEnviv( target, pname, local_params );
 
-    crServerReturnValue( &(local_params[0]), crStateHlpComponentsCount(pname)*sizeof (GLint) );
+    size_t cComponents = RT_MIN(crStateHlpComponentsCount(pname), RT_ELEMENTS(local_params));
+    crServerReturnValue( &(local_params[0]), cComponents*sizeof (GLint) );
 }
 
Index: /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py
===================================================================
--- /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py	(revision 78075)
+++ /trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py	(revision 78076)
@@ -170,4 +170,12 @@
     print("{")
 
+    # Verify that the provided buffer length is what we expect.
+    packet_length = apiutil.PacketLength( params )
+    print("\tif(!DATA_POINTER_CHECK(%d))" % packet_length);
+    print("\t{");
+    print("\t\tcrError(\"crUnpack%s: parameters out of range\");" % func_name);
+    print("\t\treturn;");
+    print("\t}");
+
     vector_func = apiutil.VectorFunction(func_name)
     if (vector_func and len(apiutil.Parameters(vector_func)) == 1):
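Review bot: On a failed check the generated function logs and returns without advancing cr_unpackData, and because it returns void the dispatcher has no way to learn that the packet was rejected; whether crError stops further decoding is not visible from this hunk. That contract should be written down next to the check, e.g. `# On failure the generated function returns without consuming the packet; the caller must not keep decoding this buffer.` The check is also emitted when packet_length is 0 (the case handled by INCR_DATA_PTR_NO_ARGS in the following hunk), so `DATA_POINTER_CHECK(0)` is generated for functions without arguments; skipping the block for that case would avoid a test that says nothing about the buffer.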
@@ -175,5 +183,4 @@
     else:
         MakeNormalCall( return_type, func_name, params )
-    packet_length = apiutil.PacketLength( params )
     if packet_length == 0:
         print("\tINCR_DATA_PTR_NO_ARGS( );")
@@ -330,4 +337,13 @@
             print('static void crUnpackExtend%s(void)' % func_name)
             print('{')
+
+            # Verify that the provided buffer length is what we expect.
+            packet_length = apiutil.PacketLength( params )
+            print("\tif(!DATA_POINTER_CHECK(%d))" % packet_length);
+            print("\t{");
+            print("\t\tcrError(\"crUnpack%s: parameters out of range\");" % func_name);
+            print("\t\treturn;");
+            print("\t}");
+
             MakeNormalCall( return_type, func_name, params, 8 )
             print('}\n')
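Review bot: The length check for the extended unpackers uses `apiutil.PacketLength( params )` alone, while `MakeNormalCall( return_type, func_name, params, 8 )` right below passes an offset of 8, which suggests the parameters are read 8 bytes into the packet. PacketLength is not shown here, so this needs confirming, but if it does not include that prefix the check is 8 bytes short of what the function reads and would become `print("\tif(!DATA_POINTER_CHECK(%d))" % (packet_length + 8));`. The error text also says `crUnpack%s` although the function being generated is `crUnpackExtend%s`, so the log line would point at the wrong unpacker. These lines duplicate the block added at line 170 of the same file; a small generator helper would keep the two checks in sync.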
