ephyrGLXQueryServerString() carefully allocated a buffer padded to the word-aligned string length for sending to the client, copied the string to it, and then forgot to use it, potentially reading a few bytes of garbage past the end of the server_string buffer.
Since WriteToClient already handles the necessary padding, just send it the actual length of the original server_string, and don't bother making a padded copy. Signed-off-by: Alan Coopersmith <[email protected]> --- hw/kdrive/ephyr/ephyrglxext.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c index dae22fc..ce66fe0 100644 --- a/hw/kdrive/ephyr/ephyrglxext.c +++ b/hw/kdrive/ephyr/ephyrglxext.c @@ -357,7 +357,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) ClientPtr client = a_cl->client; xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) a_pc; xGLXQueryServerStringReply reply; - char *server_string = NULL, *buf = NULL; + char *server_string = NULL; int length = 0; EPHYR_LOG("enter\n"); @@ -377,13 +377,6 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) .n = length }; - buf = calloc(reply.length << 2, 1); - if (!buf) { - EPHYR_LOG_ERROR("failed to allocate string\n;"); - return BadAlloc; - } - memcpy(buf, server_string, length); - WriteToClient(client, sz_xGLXQueryServerStringReply, &reply); WriteToClient(client, (int) (reply.length << 2), server_string); -- 1.7.9.2 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
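Review bot: the second hunk still passes the padded length to WriteToClient, so the over-read the commit message describes is not actually removed. The remaining call is `WriteToClient(client, (int) (reply.length << 2), server_string);` while `server_string` is only `length` bytes long (reply is built with `.n = length`); whenever `length` is not a multiple of four, WriteToClient will read up to three bytes past the end of `server_string`, exactly what the deleted calloc/memcpy was (incorrectly) trying to avoid. The message says to "just send it the actual length of the original server_string", so the call should be `WriteToClient(client, length, server_string);` and the 4-byte padding left to WriteToClient, with `reply.length` still set to the padded word count so the client-visible reply size is unchanged. Dropping the unused `buf` and its BadAlloc path in the first hunk is fine as is.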
