ephyrGLXQueryServerString() carefully allocated a buffer padded to the word-aligned string length for sending to the client, copied the string to it, and then forgot to use it, potentially reading a few bytes of garbage past the end of the server_string buffer.
Signed-off-by: Alan Coopersmith <[email protected]> --- I'm not even sure why it copies to a padded buffer since WriteToClient will also pad it for you, but as long as it does, might as well use it instead of going to all that work to ignore it. hw/kdrive/ephyr/ephyrglxext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c index 1287e04..5b37329 100644 --- a/hw/kdrive/ephyr/ephyrglxext.c +++ b/hw/kdrive/ephyr/ephyrglxext.c @@ -376,7 +376,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) memcpy(buf, server_string, length); WriteToClient(client, sz_xGLXQueryServerStringReply, &reply); - WriteToClient(client, (int) (reply.length << 2), server_string); + WriteToClient(client, (int) (reply.length << 2), buf); res = Success; -- 1.7.9.2 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
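Review bot: the `+` line now sends `reply.length << 2` bytes from `buf`, but the visible `memcpy(buf, server_string, length)` only initialises `length` of them, so the padding bytes between `length` and `reply.length << 2` reach the client with whatever the allocation left there; please confirm the allocation above this hunk (not shown here) zero-fills the buffer (calloc, or an explicit memset of the tail), otherwise the over-read past `server_string` is traded for a small uninitialised-heap disclosure. Given the cover note that WriteToClient already pads, the simpler alternative is to drop the padded copy entirely and write `server_string` with `length` bytes, which removes both the over-read and the padding question.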
