[PATCH v2 28/29] ephyrGLXQueryServerString: Stop making an unused copy of server_string

[Alan Coopersmith]

ephyrGLXQueryServerString() carefully allocated a buffer padded to the
word-aligned string length for sending to the client, copied the string
to it, and then forgot to use it, potentially reading a few bytes of
garbage past the end of the server_string buffer.

Since WriteToClient already handles the necessary padding, just send
it the actual length of the original server_string, and don't bother
making a padded copy.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 hw/kdrive/ephyr/ephyrglxext.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c
index dae22fc..ce66fe0 100644
--- a/hw/kdrive/ephyr/ephyrglxext.c
+++ b/hw/kdrive/ephyr/ephyrglxext.c
@@ -357,7 +357,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
     ClientPtr client = a_cl->client;
     xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) a_pc;
     xGLXQueryServerStringReply reply;
-    char *server_string = NULL, *buf = NULL;
+    char *server_string = NULL;
     int length = 0;
 
     EPHYR_LOG("enter\n");
@@ -377,13 +377,6 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
         .n = length
     };
 
-    buf = calloc(reply.length << 2, 1);
-    if (!buf) {
-        EPHYR_LOG_ERROR("failed to allocate string\n;");
-        return BadAlloc;
-    }
-    memcpy(buf, server_string, length);
-
     WriteToClient(client, sz_xGLXQueryServerStringReply, &reply);
     WriteToClient(client, (int) (reply.length << 2), server_string);
 
-- 
1.7.9.2