From 5b11f4066af2c0bb85743ce1ef6f6fa8fa5729d3 Mon Sep 17 00:00:00 2001
From: Daniel Stone
Date: Fri, 24 Jun 2022 16:43:12 +0100
Subject: [PATCH] xwayland: Allow for old WM_NORMAL_HINTS

There are two versions of WM_NORMAL_HINTS: the original pre-ICCCM version (standardised by Xlib itself?) provides 15 elements of 32 bits each, with the ICCCM v1 extending this by 3 additional elements. Since the flags are enough to identify which elements are present, and the structure is append-only, we only need to read the minimum length between what the user provided and what we support. Fixes a heap overrun found with ASan.

Signed-off-by: Daniel Stone
---
 xwayland/window-manager.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/xwayland/window-manager.c b/xwayland/window-manager.c
index 7889f871..73453e0b 100644
--- a/xwayland/window-manager.c
+++ b/xwayland/window-manager.c
@@ -576,9 +576,13 @@ weston_wm_window_read_properties(struct weston_wm_window *window)
 }
 break;
 case TYPE_WM_NORMAL_HINTS:
+ /* WM_NORMAL_HINTS can be either 15 or 18 CARD32s */
+ memset(&window->size_hints, 0,
+ sizeof(window->size_hints));
 memcpy(&window->size_hints,
 xcb_get_property_value(reply),
- sizeof window->size_hints);
+ MIN(sizeof(window->size_hints),
+ reply->value_len * 4));
 break;
 case TYPE_NET_WM_STATE:
 window->fullscreen = 0;
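Review bot: The new bound `reply->value_len * 4` still over-reads when the property was not stored with format 32, because `value_len` is counted in units of `reply->format`; a client that sets WM_NORMAL_HINTS as 8- or 16-bit data makes the computed byte count up to four times the reply's actual payload, so the memcpy keeps reading past the end of the reply buffer. Using the byte length xcb already derives from the format closes that gap: `MIN(sizeof(window->size_hints), (size_t)xcb_get_property_value_length(reply))`, or alternatively skip the copy when `reply->format != 32`. The cast keeps the comparison inside MIN between two unsigned values, since xcb_get_property_value_length returns an int. The `switch` and weston_wm_window_read_properties itself begin before this hunk and continue after it, so I cannot see whether a format check already happens on the way in.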