author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2012-07-09 19:12:44 -0700 |
---|---|---|
committer | Keith Packard <keithp@keithp.com> | 2012-07-09 22:52:30 -0700 |
commit | 2b1c1300cc23912ee1c59f8dde938dd4d7287f4a (patch) | |
tree | 726fca6ebc34644e587feb8e715b044903f3c347 | |
parent | 7a29f6878284e2d65e69fcd157aa9ec01d21b3c0 (diff) |
ephyrGLXQueryServerString: Stop making an unused copy of server_string
ephyrGLXQueryServerString() carefully allocated a buffer padded to the
word-aligned string length for sending to the client, copied the string
to it, and then forgot to use it, potentially reading a few bytes of
garbage past the end of the server_string buffer.
Since WriteToClient already handles the necessary padding, just send
it the actual length of the original server_string, and don't bother
making a padded copy.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
-rw-r--r-- | hw/kdrive/ephyr/ephyrglxext.c | 12 |
1 files changed, 1 insertions, 11 deletions
diff --git a/hw/kdrive/ephyr/ephyrglxext.c b/hw/kdrive/ephyr/ephyrglxext.c index dae22fc95..df285cfcb 100644 --- a/hw/kdrive/ephyr/ephyrglxext.c +++ b/hw/kdrive/ephyr/ephyrglxext.c @@ -357,7 +357,7 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) ClientPtr client = a_cl->client; xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) a_pc; xGLXQueryServerStringReply reply; - char *server_string = NULL, *buf = NULL; + char *server_string = NULL; int length = 0; EPHYR_LOG("enter\n"); @@ -377,13 +377,6 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) .n = length }; - buf = calloc(reply.length << 2, 1); - if (!buf) { - EPHYR_LOG_ERROR("failed to allocate string\n;"); - return BadAlloc; - } - memcpy(buf, server_string, length); - WriteToClient(client, sz_xGLXQueryServerStringReply, &reply); WriteToClient(client, (int) (reply.length << 2), server_string); @@ -394,9 +387,6 @@ ephyrGLXQueryServerString(__GLXclientState * a_cl, GLbyte * a_pc) free(server_string); server_string = NULL; - free(buf); - buf = NULL; - return res; } |
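Review bot: The over-read named in the commit message looks unfixed, because in the second hunk (`@@ -377,13 +377,6 @@`) the context line `WriteToClient(client, (int) (reply.length << 2), server_string);` is unchanged. It still passes the word-padded length together with the unpadded `server_string`, so up to three bytes past the end of that buffer can be read and sent to the client. The description says WriteToClient already does the padding, so the call should pass the real length, e.g. `WriteToClient(client, length, server_string);`, assuming `length` is the byte count of `server_string` as `.n = length` suggests. The assignments to `length` and `reply.length` fall between the hunks and are not visible here, so confirm them before changing the call.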