xwayland: Allow for old WM_NORMAL_HINTS

There are two versions of WM_NORMAL_HINTS: the original pre-ICCCM version (standardised by Xlib itself?) provides 15 elements of 32 bits each, with the ICCCM v1 extending this by 3 additional elements. Since the flags are enough to identify which elements are present, and the structure is append-only, we only need to read the minimum length between what the user provided and what we support. Fixes a heap overrun found with ASan. Signed-off-by: Daniel Stone <daniels@collabora.com>
2 years ago · 5b11f4066a
parent 4aa885d4af
commit 5b11f4066a
1 changed files with 5 additions and 1 deletions
--- a/xwayland/window-manager.c
+++ b/xwayland/window-manager.c
@ -576,9 +576,13 @@ weston_wm_window_read_properties(struct weston_wm_window *window)
 				}
 			break;
 		case TYPE_WM_NORMAL_HINTS:
 			/* WM_NORMAL_HINTS can be either 15 or 18 CARD32s */
 			memset(&window->size_hints, 0,
 			       sizeof(window->size_hints));
 			memcpy(&window->size_hints,
 			       xcb_get_property_value(reply),
-			       sizeof window->size_hints);
+			       MIN(sizeof(window->size_hints),
 			           reply->value_len * 4));
 			break;
 		case TYPE_NET_WM_STATE:
 			window->fullscreen = 0;