src/glx/glx_query.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/src/glx/glx_query.c
+++ b/src/glx/glx_query.c
@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_query_server_string_string_length(reply);
+ /* Allow a max of 64kb string length */
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_query_server_string_string(reply), len);
 free(reply);
@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_get_string_string_length(reply);
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_get_string_string(reply), len);
 free(reply);
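Review bot: The new strnlen() bound in both hunks is a fixed 64 KiB instead of the reply's own `len`, so when the server sends fewer than 64 KiB of string bytes with no NUL among them the scan runs past the end of the xcb reply allocation before the comparison ever rejects it — an out-of-bounds read driven by server-controlled data, which is the very case this check is meant to catch. Bounding the scan by `len` keeps it inside the reply and makes the test exact: `if (len == 0 || strnlen(xcb_glx_query_server_string_string(reply), len) != len - 1)` in the first hunk, and the same form with `xcb_glx_get_string_string(reply)` in the second; this also rejects a 65537-byte reply with no terminator, which the current `reply_len + 1 != len` test accepts and then hands to callers as an unterminated buffer. The `malloc(len)` on the following line remains unchecked before `memcpy`; a NULL return there could take the same path that frees `reply` and returns NULL. Both enclosing functions start and end outside the hunks.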