From 98fbd6f58553ba0d193a06d2b7b1820ea4483e67 Mon Sep 17 00:00:00 2001

From: Adam Jackson <ajax@redhat.com>

Date: Mon, 10 Nov 2014 12:13:47 -0500

Subject: [PATCH 30/33] glx: Length checking for non-generated single requests

 (v2) [CVE-2014-8098 7/8]

v2:

Fix single versus vendor-private length checking for ARB_imaging subset

extensions. (Julien Cristau)

v3:

Fix single versus vendor-private length checking for ARB_imaging subset

extensions. (Julien Cristau)

Reviewed-by: Michal Srb <msrb@suse.com>

Reviewed-by: Andy Ritger <aritger@nvidia.com>

Signed-off-by: Adam Jackson <ajax@redhat.com>

Signed-off-by: Julien Cristau <jcristau@debian.org>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>

---

 glx/indirect_texture_compression.c |  4 ++++

 glx/single2.c                      | 23 +++++++++++++++-----

 glx/single2swap.c                  | 19 ++++++++++++----

 glx/singlepix.c                    | 44 +++++++++++++++++++++++++-------------

 glx/singlepixswap.c                | 34 ++++++++++++++++++++++++-----

 5 files changed, 95 insertions(+), 29 deletions(-)

diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c

index 94de47d..bb640ad 100644

--- a/glx/indirect_texture_compression.c

+++ b/glx/indirect_texture_compression.c

@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)

     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);

     ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);

+

     pc += __GLX_SINGLE_HDR_SIZE;

     if (cx != NULL) {

         const GLenum target = *(GLenum *) (pc + 0);

@@ -85,6 +87,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)

         __glXForceCurrent(cl, bswap_32(req->contextTag), &error);

     ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);

+

     pc += __GLX_SINGLE_HDR_SIZE;

     if (cx != NULL) {

         const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));

diff --git a/glx/single2.c b/glx/single2.c

index 53b661d..a6ea614 100644

--- a/glx/single2.c

+++ b/glx/single2.c

@@ -45,11 +45,14 @@

 int

 __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     GLsizei size;

     GLenum type;

     __GLXcontext *cx;

     int error;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

     GLsizei size;

     int error;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)

 {

-    ClientPtr client;

+    ClientPtr client = cl->client;

     xGLXRenderModeReply reply;

     __GLXcontext *cx;

     GLint nitems = 0, retBytes = 0, retval, newModeCheck;

@@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)

     GLenum newMode;

     int error;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)

      ** selection array, as per the API for glRenderMode itself.

      */

  noChangeAllowed:;

-    client = cl->client;

     reply = (xGLXRenderModeReply) {

         .type = X_Reply,

         .sequenceNumber = client->sequence,

@@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

     int error;

+    REQUEST_SIZE_MATCH(xGLXSingleReq);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

-    ClientPtr client;

     int error;

+    REQUEST_SIZE_MATCH(xGLXSingleReq);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)

 int

 DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)

 {

-    ClientPtr client;

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

     GLenum name;

     const char *string;

@@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)

     char *buf = NULL, *buf1 = NULL;

     GLint length = 0;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     /* If the client has the opposite byte order, swap the contextTag and

      * the name.

      */

@@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)

     pc += __GLX_SINGLE_HDR_SIZE;

     name = *(GLenum *) (pc + 0);

     string = (const char *) glGetString(name);

-    client = cl->client;

     if (string == NULL)

         string = "";

diff --git a/glx/single2swap.c b/glx/single2swap.c

index 764501f..5349069 100644

--- a/glx/single2swap.c

+++ b/glx/single2swap.c

@@ -41,6 +41,7 @@

 int

 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     GLsizei size;

     GLenum type;

@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)

     __GLXcontext *cx;

     int error;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

     GLsizei size;

     __GLX_DECLARE_SWAP_VARIABLES;

     int error;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)

 {

-    ClientPtr client;

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

     xGLXRenderModeReply reply;

     GLint nitems = 0, retBytes = 0, retval, newModeCheck;

@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)

     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;

     int error;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)

      ** selection array, as per the API for glRenderMode itself.

      */

  noChangeAllowed:;

-    client = cl->client;

     reply = (xGLXRenderModeReply) {

         .type = X_Reply,

         .sequenceNumber = client->sequence,

@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

     int error;

     __GLX_DECLARE_SWAP_VARIABLES;

+    REQUEST_SIZE_MATCH(xGLXSingleReq);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)

 int

 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)

 {

+    ClientPtr client = cl->client;

     __GLXcontext *cx;

-    ClientPtr client;

     int error;

     __GLX_DECLARE_SWAP_VARIABLES;

+    REQUEST_SIZE_MATCH(xGLXSingleReq);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)

     cx->hasUnflushedCommands = GL_FALSE;

     /* Send empty reply packet to indicate finish is finished */

-    client = cl->client;

     __GLX_BEGIN_REPLY(0);

     __GLX_PUT_RETVAL(0);

     __GLX_SWAP_REPLY_HEADER();

diff --git a/glx/singlepix.c b/glx/singlepix.c

index 8b6c261..54ed7fd 100644

--- a/glx/singlepix.c

+++ b/glx/singlepix.c

@@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)

     int error;

     char *answer, answerBuffer[200];

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)

     char *answer, answerBuffer[200];

     GLint width = 0, height = 0, depth = 1;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)

     GLubyte answerBuffer[200];

     char *answer;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

         return error;

@@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)

     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);

     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);

-    if (compsize < 0)

+    if ((compsize = safe_pad(compsize)) < 0)

         return BadLength;

-    if (compsize2 < 0)

+    if ((compsize2 = safe_pad(compsize2)) < 0)

         return BadLength;

-    compsize = __GLX_PAD(compsize);

-    compsize2 = __GLX_PAD(compsize2);

     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);

-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);

+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);

     __glXClearErrorOccured();

     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),

                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);

@@ -249,7 +253,8 @@ int

 __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -257,7 +262,8 @@ int

 __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -323,7 +329,8 @@ int

 __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -331,7 +338,8 @@ int

 __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -390,7 +398,8 @@ int

 __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -398,7 +407,8 @@ int

 __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -450,7 +460,8 @@ int

 __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -458,7 +469,8 @@ int

 __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -517,7 +529,8 @@ int

 __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -525,6 +538,7 @@ int

 __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

-

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c

index 8dc304f..9eff592 100644

--- a/glx/singlepixswap.c

+++ b/glx/singlepixswap.c

@@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)

     int error;

     char *answer, answerBuffer[200];

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)

     char *answer, answerBuffer[200];

     GLint width = 0, height = 0, depth = 1;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)

     __GLX_DECLARE_SWAP_VARIABLES;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);

+

     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);

     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);

     if (!cx) {

@@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)

     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);

     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);

-    if (compsize < 0)

+    if ((compsize = safe_pad(compsize)) < 0)

         return BadLength;

-    if (compsize2 < 0)

+    if ((compsize2 = safe_pad(compsize2)) < 0)

         return BadLength;

-    compsize = __GLX_PAD(compsize);

-    compsize2 = __GLX_PAD(compsize2);

     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);

-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);

+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);

     __glXClearErrorOccured();

     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),

                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);

@@ -285,7 +289,9 @@ int

 __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -293,7 +299,9 @@ int

 __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -367,7 +375,9 @@ int

 __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -375,7 +385,9 @@ int

 __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -441,7 +453,9 @@ int

 __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -449,7 +463,9 @@ int

 __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -507,7 +523,9 @@ int

 __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -515,7 +533,9 @@ int

 __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

@@ -581,7 +601,9 @@ int

 __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);

     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);

 }

@@ -589,6 +611,8 @@ int

 __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)

 {

     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);

+    ClientPtr client = cl->client;

+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);

     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);

 }

-- 

1.9.3