mapi: Make private copies of name strings provided by client.

glXGetProcAddress("glFoo") ends up in stub_add_dynamic() to
create dynamic stubs for dynamic functions. stub_add_dynamic()
doesn't store the caller provided name string "Foo" in a mesa
private copy, but just stores a pointer to the "glFoo" string
passed to glXGetProcAddress - a pointer into arbitrary memory
outside mesa's control.

If the caller passes some dynamically allocated/changing
memory buffer to glXGetProcAddress(), or the caller gets unmapped
from memory, e.g., some dynamically loaded application
plugin which uses OpenGL, this ends badly - with a dangling
pointer.

strdup() the name string provided by the client to avoid
this problem.

Cc: "10.3 10.4 10.5" <mesa-stable@lists.freedesktop.org>
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Reviewed-by: Brian Paul <brianp@vmware.com>

diff --git a/src/mapi/stub.c b/src/mapi/stub.c
index 05436bab6d3c90c8b677156473a3d303b24d4bce..45e4f7dc69e6d5454fa0ca40b803ef8d95710b1f 100644 (file)
--- a/src/mapi/stub.c
+++ b/src/mapi/stub.c
@@ -102,7 +102,7 @@ stub_add_dynamic(const char *name)
    if (!stub->addr)
       return NULL;
 
-   stub->name = (const void *) name;
+   stub->name = (const void *) strdup(name);
    /* to be fixed later */
    stub->slot = -1;