authorJeremy Huddleston Sequoia <jeremyhu@apple.com>2022-12-11 16:50:42 -0800
committerJeremy Huddleston Sequoia <jeremyhu@apple.com>2022-12-11 16:51:41 -0800
commite041fe4fbd94136820ddaaa9ac9235f739e7590f (patch)
tree7eefe8a85f5cca73a676fed87a4128e5f4f6b8ea
parentafa7fba657ffcd6e5743882d4b1b878ecfc8dc55 (diff)
AddResponseToBuffer: Copy respose data as well to avoid use after scope
==88383==ERROR: AddressSanitizer: stack-use-after-scope on address 0x00016f431d70 at pc 0x000100e08d14 bp 0x00016f429670 sp 0x00016f428e28 READ of size 32 at 0x00016f431d70 thread T0 #0 0x100e08d10 in __asan_memcpy+0x1a4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10) #1 0x1009e2660 in HandleClientResponses server.c:372 #2 0x1009e2214 in HandleClientRequest server.c:685 #3 0x1009df314 in XhivRunServer server.c:715 #4 0x1009ded40 in XhivOpenServer server.c:822 #5 0x1009cfb3c in XhivOpenDisplay xlib_client.c:55 #6 0x1009cf614 in testOverflowFields XQueryFont.c:101 #7 0x1009ce2b0 in main XQueryFont.c:133 #8 0x197de3e4c (<unknown module>) Address 0x00016f431d70 is located in stack of thread T0 at offset 560 in frame #0 0x1009dfd44 in HandleClientRequest server.c:461 This frame has 11 object(s): [32, 36) 'req' (line 483) [48, 52) 'length' (line 485) [64, 96) 'extension' (line 534) [128, 184) 'default_qext_response' (line 551) [224, 256) 'getp_reply' (line 597) [288, 344) 'getp_response' (line 605) [384, 416) 'getif_reply' (line 619) [448, 504) 'getif_response' (line 625) [544, 548) 'newseq' (line 638) [560, 592) 'bigreq_reply' (line 653) <== Memory access at offset 560 is inside this variable [624, 680) 'bigreq_response' (line 658) HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-use-after-scope (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10) in __asan_memcpy+0x1a4 Fixes: https://gitlab.freedesktop.org/xorg/test/xhiv/-/issues/1 Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-rw-r--r--src/server.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/server.c b/src/server.c
index 51bdf91..0f290e9 100644
--- a/src/server.c
+++ b/src/server.c
@@ -237,10 +237,14 @@ AddResponseToBuffer(client_response_buffer *crb, const xhiv_response *response,
uint64_t total_bytes= ((uint64_t) r->length) << 2;
assert(total_bytes >= r->response_datalen);
- new_crb = calloc(1, sizeof(client_response_buffer));
+ /* Allocate enough for the client_response_buffer and the response data) */
+ new_crb = calloc(1, sizeof(client_response_buffer) + r->response_datalen);
assert(new_crb != NULL);
- new_crb->response_data = r->response_data;
+ void *new_response_data = (void *)((char *)new_crb + sizeof(client_response_buffer));
+ memcpy(new_response_data, r->response_data, r->response_datalen);
+
+ new_crb->response_data = new_response_data;
new_crb->response_datalen = r->response_datalen;
new_crb->length = r->length;
new_crb->response_sequence = (r->flags & XHIV_NO_SET_SEQUENCE)