src/glx/glx_query.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
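--- a/src/glx/glx_query.c
+++ b/src/glx/glx_query.c
@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_query_server_string_string_length(reply);
+ /* Allow a max of 64kb string length */
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_query_server_string_string(reply), len);
 free(reply);
@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_get_string_string_length(reply);
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_get_string_string(reply), len);
 free(reply);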
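Review bot: The `strnlen` bound in the `__glXQueryServerString` hunk is the fixed `64*1024` rather than the server-supplied `len`, so a reply whose string data is shorter than 64 KiB and contains no NUL can be scanned past the end of the reply before the `reply_len + 1 != len` comparison rejects it; the `__glXGetString` hunk has the same pattern. Capping `len` first and bounding the scan by it keeps the read inside the range the following `memcpy` would touch anyway: `if (len == 0 || len > 64*1024 || strnlen(str, len) != len - 1)`, where `str` is a local introduced here to hold the string accessor's result. Whether `len` is itself validated against the reply's actual wire length is not visible in these hunks and is worth confirming. The context lines also pass the `malloc(len)` result to `memcpy` without a NULL check, and both functions continue outside the hunks.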