I took a look (read: not compile tested) and it looks good to me. re, wh
On 24.06.2012 19:25, Alan Coopersmith wrote: > ephyrGLXQueryServerString() carefully allocated a buffer padded to the > word-aligned string length for sending to the client, copied the string > to it, and then forgot to use it, potentially reading a few bytes of > garbage past the end of the server_string buffer. > > Since WriteToClient already handles the necessary padding, just send > it the actual length of the original server_string, and don't bother > making a padded copy. > > Signed-off-by: Alan Coopersmith <[email protected]> > --- > hw/kdrive/ephyr/ephyrglxext.c | 13 +------------ > 1 file changed, 1 insertion(+), 12 deletions(-) > > diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c > index 3eae571..714b81b 100644 > --- a/hw/kdrive/ephyr/ephyrglxext.c > +++ b/hw/kdrive/ephyr/ephyrglxext.c > @@ -372,22 +372,11 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, > GLbyte * a_pc) > .length = __GLX_PAD(length) >> 2, > .n = length > }; > - char *buf; > > EPHYR_LOG("string: %s\n", server_string); > > - buf = calloc(reply.length << 2, 1); > - if (!buf) { > - EPHYR_LOG_ERROR("failed to allocate string\n;"); > - return BadAlloc; > - } > - memcpy(buf, server_string, length); > - > WriteToClient(client, sz_xGLXQueryServerStringReply, &reply); > - WriteToClient(client, (int) (reply.length << 2), server_string); > - > - free(buf); > - buf = NULL; > + WriteToClient(client, length, server_string); > > res = Success; > }
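Review bot: The new `WriteToClient(client, length, server_string);` call is only consistent with the header built just above it (`.length = __GLX_PAD(length) >> 2`) because WriteToClient pads the payload to a 4-byte boundary, as the commit message states, and nothing in the code says so. A one-line comment at that call recording the dependency would keep a later change from reintroducing the padded `reply.length << 2` size, which is what read past the end of `server_string`. Two things the hunk does not show and that are worth confirming before merging: the old call cast its size with `(int)` while the new one passes `length` directly, so check that `length` already has the type WriteToClient expects, and check that `length` (also sent as `.n`) counts exactly the bytes that are valid in `server_string`, terminator included if the client expects one.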
