Debian Bug report logs - #646156
pu: package xorg-server/2:1.7.7-14

version graph

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Julien Cristau <jcristau@debian.org>

Date: Fri, 21 Oct 2011 19:15:02 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.4

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, xorg-server@packages.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Fri, 21 Oct 2011 19:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
New Bug report received and forwarded. Copy sent to xorg-server@packages.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Fri, 21 Oct 2011 19:15:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package xorg-server/2:1.7.7-14
Date: Fri, 21 Oct 2011 21:12:56 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

there were a couple of CVEs for X recently, that Moritz suggested we
fixed through p-u.  And an input fix to use 64bit arithmetic to avoid
overflows with high resolution devices, that's been sitting upstream in
the 1.7 branch since March.  (The xquartz change is irrelevant but won't
hurt.)

 ChangeLog                      |  205 +++++++++++++++++++++++++++++++++++++++++
 debian/changelog               |   10 ++
 glx/glxcmds.c                  |  188 +++++++++++++++++++++++++++++++++++--
 glx/glxcmdsswap.c              |  171 ++++++++++++++++++++++++++++++++--
 glx/xfont.c                    |    2 
 hw/xfree86/common/xf86Xinput.c |    8 -
 hw/xquartz/GL/Makefile.am      |    2 
 os/utils.c                     |    4 
 8 files changed, 563 insertions(+), 27 deletions(-)

Cheers,
Julien

diff --git a/ChangeLog b/ChangeLog
index b9683ab..f3261ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,208 @@
+commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Mon Oct 17 22:27:35 2011 +0200
+
+    Fix CVE-2011-4029: File permission change vulnerability.
+    
+    Use fchmod() to change permissions of the lock file instead
+    of chmod(), thus avoid the race that can be exploited to set
+    a symbolic link to any file or directory in the system.
+    
+    Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    (cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4)
+    (cherry picked from commit 12f65819ffb04103f170ecd7e281348de618fc4c)
+
+commit 3394ae378da567025ac94a2c2ff04f2a0b113962
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Mon Oct 17 22:26:12 2011 +0200
+
+    Fix CVE-2011-4028: File disclosure vulnerability.
+    
+    use O_NOFOLLOW to open the existing lock file, so symbolic links
+    aren't followed, thus avoid revealing if it point to an existing
+    file.
+    
+    Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    (cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34)
+    (cherry picked from commit f80d23357874db19bc124dee70239fb182977883)
+
+commit 656307e93a7c72b147805e3741ebb02baf876150
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Sun Jan 23 13:35:54 2011 +0100
+
+    glx: Work around wrong request lengths sent by mesa
+    
+    mesa used to send too long requests for GLXDestroyPixmap,
+    GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
+    and GLXGetFBConfigsSGIX.
+    
+    Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
+    X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>
+    
+    Reported-by: xunx.fang@intel.com
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    (cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26)
+
+commit c821bd84e594e86d5dd766f680064e88a29a10d1
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Wed Jan 26 13:06:53 2011 +0100
+
+    glx: fix BindTexImageEXT length check
+    
+    The request is followed by a list of attributes.
+    
+    X.Org bug#33449
+    
+    Reported-and-tested-by: meng <mengmeng.meng@intel.com>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    (cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334)
+
+commit 5b76d710d3cebbfb8a5f02eaa7920f73deadff21
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Sun Jan 23 17:05:26 2011 +0100
+
+    glx: fix request length check for CreateGLXPbufferSGIX
+    
+    The request is followed by an attribute list.
+    
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    (cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234)
+
+commit 7ed56f793fe9bfe1fd2b70157523952cf6070fd8
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Wed Nov 10 22:39:54 2010 +0100
+
+    glx: validate numAttribs field before using it
+    
+    Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c)
+
+commit 4f6ee6177c76d480fe2c477b0ca19ad337928373
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Sun Aug 22 16:20:45 2010 +0100
+
+    glx: swap the request arrays entirely, not just half of them
+    
+    Various glx requests include a list of pairs of attributes.  We were
+    only swapping the first half.
+    
+    Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b)
+
+commit 00130263a222de904a4500c5410706aa5ec693dc
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Sun Aug 22 00:50:05 2010 +0100
+
+    glx: check request length before swapping
+    
+    Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543)
+
+commit 6ff0bcfcc0eb02640456beacaaa93ee762c84507
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Sat Jul 3 19:47:55 2010 +0100
+
+    glx: validate request lengths
+    
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry-picked from commit ec9c97c6bf70b523bc500bd3adf62176f1bb33a4)
+
+commit 94458a6e09761e3b7937bb639ea4c12972328c7f
+Author: Jeremy Huddleston <jeremyhu@apple.com>
+Date:   Sun Mar 13 15:10:00 2011 -0700
+
+    XQuartz GL: Add $(GL_CFLAGS) to CFLAGS
+    
+    This fixes a build failure I found on tinderbox.
+    
+    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+    (cherry picked from commit f641e4b34aa91ecda29e546b8b975e72ce037ed0)
+    
+    Conflicts:
+    
+    	hw/xquartz/GL/Makefile.am
+    
+    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+
+commit ee8664ee8573d810a8768a2e10dd896b630697ff
+Author: Benjamin Tissoires <tissoire@cena.fr>
+Date:   Wed Apr 14 17:27:51 2010 +0200
+
+    xf86ScaleAxis: support for high resolution devices
+    
+    High resolution devices was generating integer overflow.
+    For instance the wacom Cintiq 21UX has an axis value up to
+    87000. Thus the term (dSx * (Cx - Rxlow)) is greater than
+    MAX_INT32.
+    
+    Using 64bits integer avoids such problem.
+    
+    Signed-off-by: Philippe Ribet <ribet@cena.fr>
+    Signed-off-by: Benjamin Tissoires <tissoire@cena.fr>
+    Reviewed-by: Keith Packard <keithp@keithp.com>
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+    (cherry picked from commit a780e5b3638a0ff81301fc68aca15b47ba0befb7)
+
+commit 01bc98e313b8ee62c506d0f8f408d54b71d1dfa6
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Sat Jul 3 19:42:26 2010 +0100
+
+    glx: make sure screen is non-negative in validGlxScreen
+    
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry picked from commit 3f0d3f4d97bce75c1828635c322b6560a45a037f)
+
+commit d77ffa918b2aaa3ca1deb17ed0145199d0f863da
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Mon Jan 31 14:14:47 2011 +0100
+
+    Revert "randr: check for virtual size limits before set crtc"
+    
+    Apparently these checks break rotation with the nvidia drivers:
+    https://bbs.archlinux.org/viewtopic.php?pid=877761
+    http://bugs.debian.org/611619
+    Let's not do that in a stable branch.
+    
+    This reverts commit 6a6d907e77777057cadbd80572119c09732385cd.
+    
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+commit 5549d99acbc38c8a1f12d649c42f044392ec7af0
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date:   Fri Sep 3 11:54:41 2010 +1000
+
+    mi: handle DGA subtypes when determining the master device.
+    
+    The subtype in the DGA event is the core type and all ET_ event types (where
+    applicable) are identical to the core types. Thus the switch statement below
+    will work as required and assign the right master device.
+    
+    Fixes a crasher bug on keyboard devices with valuators. If a device sends a
+    motion event while grabbed and a DGA client is active (but has not selected
+    input through DGA), the valuator event is posted through the VCK and
+    eventually results in a NULL-pointer dereference on dev->valuator.
+    
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+    (cherry picked from commit 31ab9f8860848504df18a8be9d19b817b191e0df)
+    (cherry picked from commit faecab3b13bbaecf4f35f49b833d1b79a5fb647d)
+
 commit 2fd67c34549f1703e8ca522f92be518b18f90e81
 Author: Ville Syrjälä <ville.syrjala@nokia.com>
 Date:   Thu Dec 16 18:22:13 2010 +0200
diff --git a/debian/changelog b/debian/changelog
index ba68ab8..7c2935c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:1.7.7-14) UNRELEASED; urgency=low
+
+  * GLX: add missing input sanitization (CVE-2010-4818).  Also fix a couple
+    swapping issues.
+  * File disclosure vulnerability (CVE-2011-4028).
+  * File permission change vulnerability (CVE-2011-4029).
+  * xf86ScaleAxis: support for high resolution devices.
+
+ -- Julien Cristau <jcristau@debian.org>  Fri, 21 Oct 2011 20:56:40 +0200
+
 xorg-server (2:1.7.7-13) stable; urgency=low
 
   * bug script: Report KMS configuration files and their contents.
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index b1061a8..ce6aeb3 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -58,7 +58,7 @@ validGlxScreen(ClientPtr client, int screen, __GLXscreen **pGlxScreen, int *err)
     /*
     ** Check if screen exists.
     */
-    if (screen >= screenInfo.numScreens) {
+    if (screen < 0 || screen >= screenInfo.numScreens) {
 	client->errorValue = screen;
 	*err = BadValue;
 	return FALSE;
@@ -312,11 +312,14 @@ DoCreateContext(__GLXclientState *cl, GLXContextID gcId,
 
 int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -328,11 +331,14 @@ int __glXDisp_CreateContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -344,12 +350,15 @@ int __glXDisp_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextWithConfigSGIXReq *req = 
 	(xGLXCreateContextWithConfigSGIXReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -360,10 +369,13 @@ int __glXDisp_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 }
 int __glXDisp_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
     __GLXcontext *glxc;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
     if (!validGlxContext(cl->client, req->context, DixDestroyAccess,
 			 &glxc, &err))
 	    return err;
@@ -675,24 +687,33 @@ DoMakeCurrent(__GLXclientState *cl,
 
 int __glXDisp_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
     return DoMakeCurrent( cl, req->drawable, req->drawable,
 			  req->context, req->oldContextTag );
 }
 
 int __glXDisp_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
     return DoMakeCurrent( cl, req->drawable, req->readdrawable,
 			  req->context, req->oldContextTag );
 }
 
 int __glXDisp_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
     return DoMakeCurrent( cl, req->drawable, req->readable,
 			  req->context, req->oldContextTag );
 }
@@ -705,6 +726,8 @@ int __glXDisp_IsDirect(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *glxc;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
     if (!validGlxContext(cl->client, req->context, DixReadAccess, &glxc, &err))
 	return err;
 
@@ -729,6 +752,8 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
     xGLXQueryVersionReply reply;
     GLuint major, minor;
 
+    REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
     major = req->majorVersion;
     minor = req->minorVersion;
     (void)major;
@@ -755,11 +780,15 @@ int __glXDisp_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitGLReq *req = (xGLXWaitGLReq *)pc;
-    GLXContextTag tag = req->contextTag;
+    GLXContextTag tag;
     __GLXcontext *glxc = NULL;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
+    tag = req->contextTag;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc)
@@ -779,11 +808,15 @@ int __glXDisp_WaitGL(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_WaitX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitXReq *req = (xGLXWaitXReq *)pc;
-    GLXContextTag tag = req->contextTag;
+    GLXContextTag tag;
     __GLXcontext *glxc = NULL;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
+    tag = req->contextTag;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc)
@@ -803,13 +836,19 @@ int __glXDisp_CopyContext(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
-    GLXContextID source = req->source;
-    GLXContextID dest = req->dest;
-    GLXContextTag tag = req->contextTag;
-    unsigned long mask = req->mask;
+    GLXContextID source;
+    GLXContextID dest;
+    GLXContextTag tag;
+    unsigned long mask;
     __GLXcontext *src, *dst;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
+    source = req->source;
+    dest = req->dest;
+    tag = req->contextTag;
+    mask = req->mask;
     if (!validGlxContext(cl->client, source, DixReadAccess, &src, &error))
 	return error;
     if (!validGlxContext(cl->client, dest, DixWriteAccess, &dst, &error))
@@ -892,6 +931,8 @@ int __glXDisp_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -1071,13 +1112,18 @@ DoGetFBConfigs(__GLXclientState *cl, unsigned screen)
 
 int __glXDisp_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
 int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
+    /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
     return DoGetFBConfigs(cl, req->screen);
 }
 
@@ -1203,11 +1249,14 @@ determineTextureTarget(ClientPtr client, XID glxDrawableID,
 
 int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxVisual(cl->client, pGlxScreen, req->visual, &config, &err))
@@ -1219,11 +1268,19 @@ int __glXDisp_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1242,12 +1299,15 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapWithConfigSGIXReq *req = 
 	(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
     __GLXconfig *config;
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
     if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(cl->client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1274,15 +1334,23 @@ static int DoDestroyDrawable(__GLXclientState *cl, XID glxdrawable, int type)
 
 int __glXDisp_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
 
 int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
 
+    /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
+     * length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
+
     return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
 }
 
@@ -1311,10 +1379,18 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
 
 int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePbufferReq	*req = (xGLXCreatePbufferReq *) pc;
     CARD32			*attrs;
     int				 width, height, i;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
+
     attrs = (CARD32 *) (req + 1);
     width = 0;
     height = 0;
@@ -1340,23 +1416,32 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
+
     return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
 			   req->width, req->height, req->pbuffer);
 }
 
 int __glXDisp_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
     return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
 }
 
 int __glXDisp_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
     return DoDestroyDrawable(cl, req->pbuffer, GLX_DRAWABLE_PBUFFER);
 }
 
@@ -1387,18 +1472,40 @@ DoChangeDrawableAttributes(ClientPtr client, XID glxdrawable,
 
 int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+#if 0
+    /* mesa sends an additional 8 bytes */
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
+#else
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	    return BadLength;
+#endif
+
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
 }
 
 int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *)pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
+
     return DoChangeDrawableAttributes(cl->client, req->drawable,
 				      req->numAttribs, (CARD32 *) (req + 1));
 }
@@ -1412,6 +1519,13 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
     DrawablePtr		 pDraw;
     int			 err;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
     if (!validGlxFBConfig(client, pGlxScreen, req->fbconfig, &config, &err))
@@ -1432,8 +1546,12 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
 
+    /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
+
     return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
 }
 
@@ -1449,12 +1567,16 @@ int __glXDisp_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 {
     ClientPtr client = cl->client;
     xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
-    GLXContextTag tag = req->contextTag;
-    XID drawId = req->drawable;
+    GLXContextTag tag;
+    XID drawId;
     __GLXcontext *glxc = NULL;
     __GLXdrawable *pGlxDraw;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
+    tag = req->contextTag;
+    drawId = req->drawable;
     if (tag) {
 	glxc = __glXLookupContextByTag(cl, tag);
 	if (!glxc) {
@@ -1535,15 +1657,21 @@ DoQueryContext(__GLXclientState *cl, GLXContextID gcId)
 
 int __glXDisp_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
     return DoQueryContext(cl, req->context);
 }
 
 int __glXDisp_QueryContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
     return DoQueryContext(cl, req->context);
 }
 
@@ -1556,11 +1684,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     GLXDrawable		 drawId;
     int			 buffer;
     int			 error;
+    CARD32		 num_attribs;
+
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
 
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
     buffer = *((INT32 *)  (pc + 4));
+    num_attribs = *((CARD32 *) (pc + 8));
+    if (num_attribs > (UINT32_MAX >> 3)) {
+	client->errorValue = num_attribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
 
     if (buffer != GLX_FRONT_LEFT_EXT)
 	return __glXError(GLXBadPixmap);
@@ -1591,6 +1729,8 @@ int __glXDisp_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
     int			 buffer;
     int			 error;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1626,6 +1766,8 @@ int __glXDisp_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
     (void) client;
     (void) req;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = *((CARD32 *) (pc));
@@ -1714,16 +1856,23 @@ DoGetDrawableAttributes(__GLXclientState *cl, XID drawId)
 
 int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
 
+    /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
+
     return DoGetDrawableAttributes(cl, req->drawable);
 }
 
 int __glXDisp_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesSGIXReq *req =
 	(xGLXGetDrawableAttributesSGIXReq *)pc;
     
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
     return DoGetDrawableAttributes(cl, req->drawable);
 }
 
@@ -1748,6 +1897,8 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *glxc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXRenderReq);
+
     req = (xGLXRenderReq *) pc;
     if (client->swapped) {
 	__GLX_SWAP_SHORT(&req->length);
@@ -1768,6 +1919,9 @@ int __glXDisp_Render(__GLXclientState *cl, GLbyte *pc)
 	__GLXdispatchRenderProcPtr proc;
 	int err;
 
+	if (left < sizeof(__GLXrenderHeader))
+	    return BadLength;
+
 	/*
 	** Verify that the header length and the overall length agree.
 	** Also, each command must be word aligned.
@@ -2278,10 +2432,12 @@ int __glXDisp_HyperpipeConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLint vendorcode = req->vendorCode;
     __GLXdispatchVendorPrivProcPtr proc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     proc = (__GLXdispatchVendorPrivProcPtr)
       __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2297,10 +2453,12 @@ int __glXDisp_VendorPrivate(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_VendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLint vendorcode = req->vendorCode;
     __GLXdispatchVendorPrivProcPtr proc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
 
     proc = (__GLXdispatchVendorPrivProcPtr)
       __glXGetProtocolDecodeFunction(& VendorPriv_dispatch_info,
@@ -2323,6 +2481,8 @@ int __glXDisp_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
     char *buf;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -2361,6 +2521,8 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
     __GLXscreen *pGlxScreen;
     int err;
 
+    REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
     if (!validGlxScreen(client, req->screen, &pGlxScreen, &err))
 	return err;
 
@@ -2404,14 +2566,20 @@ int __glXDisp_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDisp_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXClientInfoReq *req = (xGLXClientInfoReq *) pc;
     const char *buf;
    
+    REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
+    buf = (const char *)(req+1);
+    if (!memchr(buf, 0, (client->req_len << 2) - sizeof(xGLXClientInfoReq)))
+	return BadLength;
+
     cl->GLClientmajorVersion = req->major;
     cl->GLClientminorVersion = req->minor;
     if (cl->GLClientextensions)
 	xfree(cl->GLClientextensions);
-    buf = (const char *)(req+1);
     cl->GLClientextensions = xstrdup(buf);
 
     return Success;
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index c414dc8..5947e64 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -61,9 +61,12 @@
 
 int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
     __GLX_SWAP_INT(&req->visual);
@@ -75,9 +78,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateNewContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -90,10 +96,13 @@ int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateContextWithConfigSGIXReq *req =
 	(xGLXCreateContextWithConfigSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -106,9 +115,12 @@ int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
 
@@ -117,9 +129,12 @@ int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->context);
@@ -130,9 +145,12 @@ int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->readdrawable);
@@ -144,9 +162,12 @@ int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->readable);
@@ -158,9 +179,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXIsDirectReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
 
@@ -169,9 +193,12 @@ int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryVersionReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->majorVersion);
     __GLX_SWAP_INT(&req->minorVersion);
@@ -181,9 +208,12 @@ int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXWaitGLReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
 
@@ -192,9 +222,12 @@ int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXWaitXReq *req = (xGLXWaitXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXWaitXReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
 
@@ -203,9 +236,12 @@ int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCopyContextReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->source);
     __GLX_SWAP_INT(&req->dest);
@@ -216,36 +252,48 @@ int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq);
+
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetVisualConfigs(cl, pc);
 }
 
 int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq);
+
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigs(cl, pc);
 }
 
 int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
+
     __GLX_SWAP_INT(&req->screen);
     return __glXDisp_GetFBConfigsSGIX(cl, pc);
 }
 
 int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->visual);
@@ -257,29 +305,41 @@ int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc;
     CARD32 *attribs;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->pixmap);
     __GLX_SWAP_INT(&req->glxpixmap);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_CreatePixmap(cl, pc);
 }
 
 int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPixmapWithConfigSGIXReq *req = 
 	(xGLXCreateGLXPixmapWithConfigSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapWithConfigSGIXReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
@@ -291,9 +351,12 @@ int __glXDispSwap_CreateGLXPixmapWithConfigSGIX(__GLXclientState *cl, GLbyte *pc
 
 int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
 
@@ -302,9 +365,12 @@ int __glXDispSwap_DestroyGLXPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->glxpixmap);
 
@@ -313,9 +379,12 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextReq *req = (xGLXQueryContextReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextReq);
+
     __GLX_SWAP_INT(&req->context);
 
     return __glXDisp_QueryContext(cl, pc);
@@ -323,26 +392,38 @@ int __glXDispSwap_QueryContext(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreatePbufferReq *req = (xGLXCreatePbufferReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq);
+
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->pbuffer);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_CreatePbuffer(cl, pc);
 }
 
 int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
+
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->pbuffer);
@@ -354,9 +435,12 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyPbufferReq *req = (xGLXDestroyPbufferReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyPbufferReq);
+
     __GLX_SWAP_INT(&req->pbuffer);
 
     return __glXDisp_DestroyPbuffer(cl, pc);
@@ -364,9 +448,12 @@ int __glXDispSwap_DestroyPbuffer(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyGLXPbufferSGIXReq *req = (xGLXDestroyGLXPbufferSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXDestroyGLXPbufferSGIXReq);
+
     __GLX_SWAP_INT(&req->pbuffer);
 
     return __glXDisp_DestroyGLXPbufferSGIX(cl, pc);
@@ -374,16 +461,27 @@ int __glXDispSwap_DestroyGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesReq *req =
 	(xGLXChangeDrawableAttributesReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq);
+
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len)
+	return BadLength;
+
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_ChangeDrawableAttributes(cl, pc);
 }
@@ -391,43 +489,64 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl,
 					       GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXChangeDrawableAttributesSGIXReq *req =
 	(xGLXChangeDrawableAttributesSGIXReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq);
+
     __GLX_SWAP_INT(&req->drawable);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc);
 }
 
 int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXCreateWindowReq *req = (xGLXCreateWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
     CARD32 *attribs;
 
+    REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq);
+
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->fbconfig);
     __GLX_SWAP_INT(&req->window);
     __GLX_SWAP_INT(&req->glxwindow);
     __GLX_SWAP_INT(&req->numAttribs);
+
+    if (req->numAttribs > (UINT32_MAX >> 3)) {
+	client->errorValue = req->numAttribs;
+	return BadValue;
+    }
+    REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
     attribs = (CARD32*)(req + 1);
-    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
 
     return __glXDisp_CreateWindow(cl, pc);
 }
 
 int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
+
     __GLX_SWAP_INT(&req->glxwindow);
 
     return __glXDisp_DestroyWindow(cl, pc);
@@ -435,9 +554,12 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXSwapBuffersReq *req = (xGLXSwapBuffersReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXSwapBuffersReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(&req->drawable);
@@ -447,9 +569,12 @@ int __glXDispSwap_SwapBuffers(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXUseXFontReq *req = (xGLXUseXFontReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(&req->font);
@@ -463,9 +588,12 @@ int __glXDispSwap_UseXFont(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryExtensionsStringReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
 
@@ -474,9 +602,12 @@ int __glXDispSwap_QueryExtensionsString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryServerStringReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->screen);
     __GLX_SWAP_INT(&req->name);
@@ -486,9 +617,12 @@ int __glXDispSwap_QueryServerString(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXClientInfoReq *req = (xGLXClientInfoReq *)pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXClientInfoReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->major);
     __GLX_SWAP_INT(&req->minor);
@@ -499,9 +633,12 @@ int __glXDispSwap_ClientInfo(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXQueryContextInfoEXTReq *req = (xGLXQueryContextInfoEXTReq *) pc;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXQueryContextInfoEXTReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->context);
 
@@ -510,33 +647,41 @@ int __glXDispSwap_QueryContextInfoEXT(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
-    
+    CARD32		 *num_attribs;
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
+	return BadLength;
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = ((GLXDrawable *) (pc));
     buffer = ((int *)	      (pc + 4));
+    num_attribs = ((CARD32 *) (pc + 8));
     
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
     __GLX_SWAP_INT(drawId);
     __GLX_SWAP_INT(buffer);
+    __GLX_SWAP_INT(num_attribs);
 
     return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
 }
 
 int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
+
     pc += __GLX_VENDPRIV_HDR_SIZE;
 
     drawId = ((GLXDrawable *) (pc));
@@ -552,12 +697,14 @@ int __glXDispSwap_ReleaseTexImageEXT(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
     GLXDrawable		 *drawId;
     int			 *buffer;
-
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 20);
+
     (void) drawId;
     (void) buffer;
 
@@ -577,11 +724,13 @@ int __glXDispSwap_CopySubBufferMESA(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXVendorPrivateWithReplyReq *req = (xGLXVendorPrivateWithReplyReq *)pc;
     CARD32 *data;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesSGIXReq);
+
     data = (CARD32 *) (req + 1);
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->contextTag);
@@ -592,10 +741,12 @@ int __glXDispSwap_GetDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc)
 
 int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc)
 {
+    ClientPtr client = cl->client;
     xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc;
-    
     __GLX_DECLARE_SWAP_VARIABLES;
 
+    REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
+
     __GLX_SWAP_SHORT(&req->length);
     __GLX_SWAP_INT(&req->drawable);
 
diff --git a/glx/xfont.c b/glx/xfont.c
index b8b466d..5d5b4c3 100644
--- a/glx/xfont.c
+++ b/glx/xfont.c
@@ -160,6 +160,8 @@ int __glXDisp_UseXFont(__GLXclientState *cl, GLbyte *pc)
     __GLXcontext *cx;
     int error;
 
+    REQUEST_SIZE_MATCH(xGLXUseXFontReq);
+
     req = (xGLXUseXFontReq *) pc;
     cx = __glXForceCurrent(cl, req->contextTag, &error);
     if (!cx) {
diff --git a/hw/xfree86/common/xf86Xinput.c b/hw/xfree86/common/xf86Xinput.c
index f637cfe..2b9c974 100644
--- a/hw/xfree86/common/xf86Xinput.c
+++ b/hw/xfree86/common/xf86Xinput.c
@@ -79,6 +79,7 @@
 #include "windowstr.h"	/* screenIsSaved */
 
 #include <stdarg.h>
+#include <stdint.h>          /* for int64_t */
 
 #include <X11/Xpoll.h>
 
@@ -978,12 +979,11 @@ xf86ScaleAxis(int	Cx,
               int	Rxlow )
 {
     int X;
-    int dSx = Sxhigh - Sxlow;
-    int dRx = Rxhigh - Rxlow;
+    int64_t dSx = Sxhigh - Sxlow;
+    int64_t dRx = Rxhigh - Rxlow;
 
-    dSx = Sxhigh - Sxlow;
     if (dRx) {
-	X = ((dSx * (Cx - Rxlow)) / dRx) + Sxlow;
+	X = (int)(((dSx * (Cx - Rxlow)) / dRx) + Sxlow);
     }
     else {
 	X = 0;
diff --git a/hw/xquartz/GL/Makefile.am b/hw/xquartz/GL/Makefile.am
index 9b61305..4b9e0aa 100644
--- a/hw/xquartz/GL/Makefile.am
+++ b/hw/xquartz/GL/Makefile.am
@@ -1,5 +1,5 @@
 noinst_LTLIBRARIES = libCGLCore.la
-AM_CFLAGS = $(XSERVER_CFLAGS) $(DIX_CFLAGS)
+AM_CFLAGS = $(XSERVER_CFLAGS) $(DIX_CFLAGS) $(GL_CFLAGS)
 AM_CPPFLAGS = \
 	-I$(top_srcdir) \
 	-I$(top_srcdir)/glx \
diff --git a/os/utils.c b/os/utils.c
index d7c8388..adc75bc 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -315,7 +315,7 @@ LockServer(void)
     FatalError("Could not create lock file in %s\n", tmp);
   (void) sprintf(pid_str, "%10ld\n", (long)getpid());
   (void) write(lfd, pid_str, 11);
-  (void) chmod(tmp, 0444);
+  (void) fchmod(lfd, 0444);
   (void) close(lfd);
 
   /*
@@ -336,7 +336,7 @@ LockServer(void)
       /*
        * Read the pid from the existing file
        */
-      lfd = open(LockFile, O_RDONLY);
+      lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
       if (lfd < 0) {
         unlink(tmp);
         FatalError("Can't read lock file %s\n", LockFile);




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sat, 29 Oct 2011 14:30:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 29 Oct 2011 14:30:11 GMT) Full text and rfc822 format available.

Message #10 received at 646156@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Julien Cristau <jcristau@debian.org>, 646156@bugs.debian.org
Subject: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Date: Sat, 29 Oct 2011 15:25:47 +0100
tag 646156 + confirmed squeeze
thanks

On Fri, 2011-10-21 at 21:12 +0200, Julien Cristau wrote:
> there were a couple of CVEs for X recently, that Moritz suggested we
> fixed through p-u.  And an input fix to use 64bit arithmetic to avoid
> overflows with high resolution devices, that's been sitting upstream in
> the 1.7 branch since March.  (The xquartz change is irrelevant but won't
> hurt.)

With the obvious tidy-up to the changelog, please go ahead; thanks.

btw, I'm assuming that many of the additions of:

> +    ClientPtr client = cl->client;

are boilerplate, or used in later commits?  They often appear not to be
used in the provided diff.

Regards,

Adam





Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 29 Oct 2011 14:30:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sat, 29 Oct 2011 17:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 29 Oct 2011 17:42:03 GMT) Full text and rfc822 format available.

Message #17 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: Julien Cristau <jcristau@debian.org>, 646156@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Date: Sat, 29 Oct 2011 13:38:47 -0400
On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
> +Author: Matthieu Herrb <matthieu.herrb@laas.fr>
> +Date:   Mon Oct 17 22:27:35 2011 +0200
> +
> +    Fix CVE-2011-4029: File permission change vulnerability.
> +
> +    Use fchmod() to change permissions of the lock file instead
> +    of chmod(), thus avoid the race that can be exploited to set
> +    a symbolic link to any file or directory in the system.

I wonder if at least this one should be treated with a real urgency?
On the surface its an info disclosure issue, which tend to be very low
urgency, but it's a pretty bad once since its actually a disclosure of
any file on the system (e.g. /etc/shadown), and there is an existing
poc exploit:
http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sat, 29 Oct 2011 17:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 29 Oct 2011 17:42:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sat, 29 Oct 2011 19:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 29 Oct 2011 19:03:06 GMT) Full text and rfc822 format available.

Message #27 received at 646156@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 646156@bugs.debian.org
Subject: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Date: Sat, 29 Oct 2011 20:58:58 +0200
On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:

> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
> > +Author: Matthieu Herrb <matthieu.herrb@laas.fr>
> > +Date:   Mon Oct 17 22:27:35 2011 +0200
> > +
> > +    Fix CVE-2011-4029: File permission change vulnerability.
> > +
> > +    Use fchmod() to change permissions of the lock file instead
> > +    of chmod(), thus avoid the race that can be exploited to set
> > +    a symbolic link to any file or directory in the system.
> 
> I wonder if at least this one should be treated with a real urgency?
> On the surface its an info disclosure issue, which tend to be very low
> urgency, but it's a pretty bad once since its actually a disclosure of
> any file on the system (e.g. /etc/shadown), and there is an existing
> poc exploit:
> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> 
Moritz said "use p-u", I'm not going to second-guess him.

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sat, 29 Oct 2011 19:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 29 Oct 2011 19:06:05 GMT) Full text and rfc822 format available.

Message #32 received at 646156@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 646156@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Date: Sat, 29 Oct 2011 15:03:49 -0400
On Sat, Oct 29, 2011 at 2:58 PM, Julien Cristau wrote:
> On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
>
>> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
>> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
>> > +Author: Matthieu Herrb <matthieu.herrb@laas.fr>
>> > +Date:   Mon Oct 17 22:27:35 2011 +0200
>> > +
>> > +    Fix CVE-2011-4029: File permission change vulnerability.
>> > +
>> > +    Use fchmod() to change permissions of the lock file instead
>> > +    of chmod(), thus avoid the race that can be exploited to set
>> > +    a symbolic link to any file or directory in the system.
>>
>> I wonder if at least this one should be treated with a real urgency?
>> On the surface its an info disclosure issue, which tend to be very low
>> urgency, but it's a pretty bad once since its actually a disclosure of
>> any file on the system (e.g. /etc/shadown), and there is an existing
>> poc exploit:
>> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
>>
> Moritz said "use p-u", I'm not going to second-guess him.

This was before the real impact of the issue was clear (I believe),
and definitely before the exploit code existed.  Personally, I think
this needs to get out to squeeze users ASAP.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sun, 30 Oct 2011 17:33:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 30 Oct 2011 17:33:07 GMT) Full text and rfc822 format available.

Message #37 received at 646156@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 646156@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>
Subject: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Date: Sun, 30 Oct 2011 17:28:24 +0000
tag 646156 + pending
thanks

On Sat, 2011-10-29 at 15:25 +0100, Adam D. Barratt wrote:
> tag 646156 + confirmed squeeze
> thanks
> 
> On Fri, 2011-10-21 at 21:12 +0200, Julien Cristau wrote:
> > there were a couple of CVEs for X recently, that Moritz suggested we
> > fixed through p-u.  And an input fix to use 64bit arithmetic to avoid
> > overflows with high resolution devices, that's been sitting upstream in
> > the 1.7 branch since March.  (The xquartz change is irrelevant but won't
> > hurt.)
> 
> With the obvious tidy-up to the changelog, please go ahead; thanks.

Uploaded and flagged for acceptance at the next dinstall.

Regards,

Adam





Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 30 Oct 2011 17:33:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#646156; Package release.debian.org. (Sun, 27 Nov 2011 19:39:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to vladz <vladz@devzero.fr>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 27 Nov 2011 19:39:11 GMT) Full text and rfc822 format available.

Message #44 received at 646156@bugs.debian.org (full text, mbox):

From: vladz <vladz@devzero.fr>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 646156@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Date: Sun, 27 Nov 2011 20:36:47 +0100
On Sat, Oct 29, 2011 at 03:03:49PM -0400, Michael Gilbert wrote:
> > On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
> >> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> >> I wonder if at least this one should be treated with a real urgency?
> >> On the surface its an info disclosure issue, which tend to be very low
> >> urgency, but it's a pretty bad once since its actually a disclosure of
> >> any file on the system (e.g. /etc/shadown), and there is an existing
> >> poc exploit:
> >> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> >>
> > Moritz said "use p-u", I'm not going to second-guess him.
> 
> This was before the real impact of the issue was clear (I believe),
> and definitely before the exploit code existed.  Personally, I think
> this needs to get out to squeeze users ASAP.

Sorry for disclosing the exploit but for your information, when I
discovered this vulnerability, the first thing I did is to send an email
to security@debian.org, it contained a full description and the PoC
(exploit) you are talking about (encrypted mail sent on Oct 9th 2011).
I never get any feedback.

Is security@debian.org still the good way to report vulnerabilities?

Regards,
vladz.





Bug marked as fixed in version 6.0.4, send any further explanations to Julien Cristau <jcristau@debian.org> Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 28 Jan 2012 14:06:26 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2012 07:36:46 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:00:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.