ephyrGLXQueryServerString: Stop making an unused copy of server_string
ephyrGLXQueryServerString() carefully allocated a buffer padded to the word-aligned string length for sending to the client, copied the string to it, and then forgot to use it, potentially reading a few bytes of garbage past the end of the server_string buffer. Since WriteToClient already handles the necessary padding, just send it the actual length of the original server_string, and don't bother making a padded copy. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Keith Packard <keithp@keithp.com> Tested-by: Daniel Stone <daniel@fooishbar.org>
This commit is contained in:
parent
7a29f68782
commit
2b1c1300cc
|
@ -357,7 +357,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
|
||||||
ClientPtr client = a_cl->client;
|
ClientPtr client = a_cl->client;
|
||||||
xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) a_pc;
|
xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) a_pc;
|
||||||
xGLXQueryServerStringReply reply;
|
xGLXQueryServerStringReply reply;
|
||||||
char *server_string = NULL, *buf = NULL;
|
char *server_string = NULL;
|
||||||
int length = 0;
|
int length = 0;
|
||||||
|
|
||||||
EPHYR_LOG("enter\n");
|
EPHYR_LOG("enter\n");
|
||||||
|
@ -377,13 +377,6 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
|
||||||
.n = length
|
.n = length
|
||||||
};
|
};
|
||||||
|
|
||||||
buf = calloc(reply.length << 2, 1);
|
|
||||||
if (!buf) {
|
|
||||||
EPHYR_LOG_ERROR("failed to allocate string\n;");
|
|
||||||
return BadAlloc;
|
|
||||||
}
|
|
||||||
memcpy(buf, server_string, length);
|
|
||||||
|
|
||||||
WriteToClient(client, sz_xGLXQueryServerStringReply, &reply);
|
WriteToClient(client, sz_xGLXQueryServerStringReply, &reply);
|
||||||
WriteToClient(client, (int) (reply.length << 2), server_string);
|
WriteToClient(client, (int) (reply.length << 2), server_string);
|
||||||
|
|
||||||
|
@ -394,9 +387,6 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
|
||||||
free(server_string);
|
free(server_string);
|
||||||
server_string = NULL;
|
server_string = NULL;
|
||||||
|
|
||||||
free(buf);
|
|
||||||
buf = NULL;
|
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user