[PATCH] ephyrGLXQueryServerString: Send padded copy of server_string to client

Alan Coopersmith alan.coopersmith at oracle.com
Mon May 21 14:47:44 PDT 2012


ephyrGLXQueryServerString() carefully allocated a buffer padded to the
word-aligned string length for sending to the client, copied the string
to it, and then forgot to use it, potentially reading a few bytes of
garbage past the end of the server_string buffer.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---

I'm not even sure why it copies to a padded buffer since WriteToClient
will also pad it for you, but as long as it does, might as well use it
instead of going to all that work to ignore it.

 hw/kdrive/ephyr/ephyrglxext.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c
index 1287e04..5b37329 100644
--- a/hw/kdrive/ephyr/ephyrglxext.c
+++ b/hw/kdrive/ephyr/ephyrglxext.c
@@ -376,7 +376,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc)
     memcpy(buf, server_string, length);
 
     WriteToClient(client, sz_xGLXQueryServerStringReply, &reply);
-    WriteToClient(client, (int) (reply.length << 2), server_string);
+    WriteToClient(client, (int) (reply.length << 2), buf);
 
     res = Success;
 
-- 
1.7.9.2
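To make the failure mode in the commit message concrete, here is an added, self-contained demonstration that is not part of the patch or the X server. It models the two WriteToClient() calls with a capture buffer so the bytes that would reach the client can be inspected: one path sends the word-padded length straight from the source string (the bug), the other sends it from the zero-filled padded copy (the fix). The helpers GLX_PAD, Capture, write_to_client, send_buggy, send_fixed and leaked_bytes are stand-ins invented for this example, and the source string is deliberately placed in a larger array with known non-zero bytes after its terminator so the over-read stays well-defined in the demo; in the real server those bytes would be whatever happens to follow server_string in memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the server's 4-byte padding rule (example only). */
#define GLX_PAD(n) (((n) + 3u) & ~3u)

/* Capture buffer standing in for the client socket WriteToClient() feeds. */
typedef struct {
    unsigned char data[64];
    size_t len;
} Capture;

static void write_to_client(Capture *c, size_t n, const void *p)
{
    if (c->len + n > sizeof c->data)
        n = sizeof c->data - c->len;
    memcpy(c->data + c->len, p, n);
    c->len += n;
}

/* Constructed sample: a 5-char string, its NUL, then known non-zero bytes
 * that stand in for unrelated memory after the string. The array is 16
 * bytes, so reading 8 bytes from its start is well-defined here. */
static const char storage[16] = "abcde\0GARBAGE!!";

/* Returns the padded length. */
size_t padded_length(size_t length)
{
    return GLX_PAD(length);
}

/* Buggy path: builds the padded copy but sends from the original string,
 * so the padding bytes come from whatever follows the terminator. */
size_t send_buggy(Capture *c, const char *server_string)
{
    size_t length = strlen(server_string) + 1;   /* include the NUL */
    size_t padded = GLX_PAD(length);
    char *buf = calloc(padded, 1);
    if (!buf)
        return 0;
    memcpy(buf, server_string, length);
    write_to_client(c, padded, server_string);   /* wrong buffer */
    free(buf);
    return padded;
}

/* Fixed path: sends the zero-filled padded copy instead. */
size_t send_fixed(Capture *c, const char *server_string)
{
    size_t length = strlen(server_string) + 1;
    size_t padded = GLX_PAD(length);
    char *buf = calloc(padded, 1);               /* zero-filled tail */
    if (!buf)
        return 0;
    memcpy(buf, server_string, length);
    write_to_client(c, padded, buf);             /* right buffer */
    free(buf);
    return padded;
}

/* Number of captured bytes past the string's terminator that are non-zero,
 * i.e. bytes the client received that are not part of the string. */
size_t leaked_bytes(const Capture *c, size_t length)
{
    size_t n = 0;
    for (size_t i = length; i < c->len; i++)
        if (c->data[i] != 0)
            n++;
    return n;
}

/* Runs one path over the sample and reports how many bytes leaked. */
size_t demo_leak(int use_fixed)
{
    Capture c = { {0}, 0 };
    size_t length = strlen(storage) + 1;         /* 6 for "abcde" */
    if (use_fixed)
        send_fixed(&c, storage);
    else
        send_buggy(&c, storage);
    return leaked_bytes(&c, length);
}

int main(void)
{
    printf("buggy path leaks %zu byte(s), fixed path leaks %zu byte(s)\n",
           demo_leak(0), demo_leak(1));
    return 0;
}
```

With the six-byte string "abcde\0" the padded length is 8, so the buggy path ships two bytes ('G', 'A') that were never part of server_string, while the fixed path ships two zero bytes. The same arithmetic applies to any length that is not already a multiple of four.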



More information about the xorg-devel mailing list