From 13f96c5401ffe3869f08fecb2baf5bff2438b02e Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Mon, 10 Nov 2008 14:27:42 -0700 Subject: GLX: fix out-of-bounds memory issue in indirect glAreTexturesResident() See bug 18445. When getting array results, __glXReadReply() always reads a multiple of four bytes. This can cause writing to invalid memory when 'n' is not a multiple of four. Special-case the glAreTexturesResident() functions now. To fix the bug, we use a temporary buffer that's a multiple of four bytes in length. NOTE: this commit also reverts part of commit 919ec22ecf72aa163e1b97d8c7381002131ed32c (glx/x11: Added some #ifdef GLX_DIRECT_RENDERING protection) which directly edited the indirect.c file rather than the python generator! I'm not repairing that issue at this time. --- src/mesa/main/enums.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/mesa/main/enums.c') diff --git a/src/mesa/main/enums.c b/src/mesa/main/enums.c index 15e7d5b96c..a9c102e4f2 100644 --- a/src/mesa/main/enums.c +++ b/src/mesa/main/enums.c @@ -4866,8 +4866,8 @@ const char *_mesa_lookup_enum_by_nr( int nr ) { unsigned * i; - i = (unsigned *)_mesa_bsearch( & nr, reduced_enums, Elements(reduced_enums), - sizeof(reduced_enums[0]), (cfunc) compar_nr ); + i = (unsigned *)bsearch( & nr, reduced_enums, Elements(reduced_enums), + sizeof(reduced_enums[0]), (cfunc) compar_nr ); if ( i != NULL ) { return & enum_string_table[ all_enums[ *i ].offset ]; @@ -4884,8 +4884,8 @@ int _mesa_lookup_enum_by_name( const char *symbol ) enum_elt * f = NULL; if ( symbol != NULL ) { - f = (enum_elt *)_mesa_bsearch( symbol, all_enums, Elements(all_enums), - sizeof( enum_elt ), (cfunc) compar_name ); + f = (enum_elt *)bsearch( symbol, all_enums, Elements(all_enums), + sizeof( enum_elt ), (cfunc) compar_name ); } return (f != NULL) ? f->n : -1; -- cgit v1.2.3