authorRami Ylimäki <rami.ylimaki@vincit.fi>2011-10-04 12:25:26 +0300
committerJeremy Huddleston <jeremyhu@apple.com>2011-11-18 11:26:02 -0800
commitc1bb8f43b9290c2b18a9f0ac59773ff8f1eb974f (patch)
tree8592b42f3c19f75b64ce0e7ebd6061df1dd010a7 /include
parent1f5baa924a5907978f564372265d9830ac72a077 (diff)
record: Prevent out of bounds access when recording a reply.
Any pad bytes in replies are written to the client from a zeroed array. However, record extension tries to incorrectly access the pad bytes from the end of reply data. Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi> Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Diffstat (limited to 'include')
-rw-r--r--include/os.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/os.h b/include/os.h
index b489211ab..823fe5d29 100644
--- a/include/os.h
+++ b/include/os.h
@@ -451,9 +451,10 @@ extern _X_EXPORT CallbackListPtr ReplyCallback;
typedef struct {
ClientPtr client;
const void *replyData;
- unsigned long dataLenBytes;
+ unsigned long dataLenBytes; /* actual bytes from replyData + pad bytes */
unsigned long bytesRemaining;
Bool startOfReply;
+ unsigned long padBytes; /* pad bytes from zeroed array */
} ReplyInfoRec;
/* stuff for FlushCallback */
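Review bot: The new comment on `dataLenBytes` in ReplyInfoRec leaves it unclear how many bytes a ReplyCallback consumer may read through `replyData`, which is the contract whose misreading led to the out-of-bounds access described in the commit message. If `dataLenBytes` includes the padding, as the two comments suggest, I would spell that out: `unsigned long dataLenBytes; /* bytes written, including padBytes; only dataLenBytes - padBytes are readable at replyData */`. This view is limited to include/, so the code that fills the struct is not visible here; every site that builds a ReplyInfoRec has to set `padBytes`, otherwise callbacks receive an indeterminate value and the subtraction can wrap. Any ReplyCallback consumer other than record that still reads `dataLenBytes` bytes from `replyData` would need the same adjustment.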