ephyrGLXQueryServerString() carefully allocated a buffer padded to the word-aligned string length for sending to the client, copied the string to it, and then forgot to use it, potentially reading a few bytes of garbage past the end of the server_string buffer.
Since WriteToClient already handles the necessary padding, just send it the actual length of the original server_string, and don't bother making a padded copy. Signed-off-by: Alan Coopersmith <[email protected]> --- hw/kdrive/ephyr/ephyrglxext.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c index 3eae571..714b81b 100644 --- a/hw/kdrive/ephyr/ephyrglxext.c +++ b/hw/kdrive/ephyr/ephyrglxext.c @@ -372,22 +372,11 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) .length = __GLX_PAD(length) >> 2, .n = length }; - char *buf; EPHYR_LOG("string: %s\n", server_string); - buf = calloc(reply.length << 2, 1); - if (!buf) { - EPHYR_LOG_ERROR("failed to allocate string\n;"); - return BadAlloc; - } - memcpy(buf, server_string, length); - WriteToClient(client, sz_xGLXQueryServerStringReply, &reply); - WriteToClient(client, (int) (reply.length << 2), server_string); - - free(buf); - buf = NULL; + WriteToClient(client, length, server_string); res = Success; } -- 1.7.9.2
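Review bot: The reply header still advertises `.length = __GLX_PAD(length) >> 2` words while the new `WriteToClient(client, length, server_string);` passes the unpadded byte count, so the two agree only because WriteToClient pads the write, as the commit message says. That dependency deserves a one-line comment at the call, so the mismatch is not later "corrected" back to `reply.length << 2`, which is the form that read past the end of server_string. The old call also cast its size with `(int)`; the declaration of `length` is outside this hunk, so confirm its type matches what WriteToClient expects now that the cast is gone. The removal of `buf` and its BadAlloc path looks complete, with no remaining reference to `buf` visible in the hunk.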
