[PATCH 19/19] ephyrGLXQueryServerString: Stop making an unused copy of server_string

Alan Coopersmith alan.coopersmith at oracle.com
Sun Jun 24 10:25:26 PDT 2012


ephyrGLXQueryServerString() carefully allocated a buffer padded to the
word-aligned string length for sending to the client, copied the string
to it, and then forgot to use it, potentially reading a few bytes of
garbage past the end of the server_string buffer.

Since WriteToClient already handles the necessary padding, just send
it the actual length of the original server_string, and don't bother
making a padded copy.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 hw/kdrive/ephyr/ephyrglxext.c |   13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c
index 3eae571..714b81b 100644
--- a/hw/kdrive/ephyr/ephyrglxext.c
+++ b/hw/kdrive/ephyr/ephyrglxext.c
@@ -372,22 +372,11 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
             .length = __GLX_PAD(length) >> 2,
             .n = length
         };
-        char *buf;
 
         EPHYR_LOG("string: %s\n", server_string);
 
-        buf = calloc(reply.length << 2, 1);
-        if (!buf) {
-            EPHYR_LOG_ERROR("failed to allocate string\n;");
-            return BadAlloc;
-        }
-        memcpy(buf, server_string, length);
-
         WriteToClient(client, sz_xGLXQueryServerStringReply, &reply);
-        WriteToClient(client, (int) (reply.length << 2), server_string);
-
-        free(buf);
-        buf = NULL;
+        WriteToClient(client, length, server_string);
 
         res = Success;
     }
-- 
1.7.9.2



More information about the xorg-devel mailing list