[PATCH] ephyrGLXQueryServerString: Send padded copy of server_string to client
Alan Coopersmith
alan.coopersmith at oracle.com
Mon May 21 14:47:44 PDT 2012
ephyrGLXQueryServerString() carefully allocated a buffer padded to the
word-aligned string length for sending to the client, copied the string
to it, and then forgot to use it, potentially reading a few bytes of
garbage past the end of the server_string buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
I'm not even sure why it copies to a padded buffer since WriteToClient
will also pad it for you, but as long as it does, might as well use it
instead of going to all that work to ignore it.
hw/kdrive/ephyr/ephyrglxext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c
index 1287e04..5b37329 100644
--- a/hw/kdrive/ephyr/ephyrglxext.c
+++ b/hw/kdrive/ephyr/ephyrglxext.c
@@ -376,7 +376,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
memcpy(buf, server_string, length);
WriteToClient(client, sz_xGLXQueryServerStringReply, &reply);
- WriteToClient(client, (int) (reply.length << 2), server_string);
+ WriteToClient(client, (int) (reply.length << 2), buf);
res = Success;
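Review bot: on the changed WriteToClient line, the send now covers reply.length << 2 bytes of buf, but the only write into buf visible here is memcpy(buf, server_string, length), so the bytes between length and the padded size hold whatever the allocator left there unless buf is zeroed outside this hunk. Please confirm the allocation is zero-filled (calloc, or a memset over the padded size); otherwise the change swaps an over-read past the end of server_string for sending uninitialized heap bytes to the client. It is also worth checking that the allocation size matches reply.length << 2 and that buf is freed after the write, since neither is visible in the context shown.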
--
1.7.9.2