From 76cf818cc2796563f9465bec78ba28f9ce2964cb Mon Sep 17 00:00:00 2001
From: Peter Harris
Date: Mon, 21 Dec 2009 15:05:57 -0500
Subject: [PATCH 1/2] Validate size of wm_hints and wm_size_hints

Without these checks, we can overflow the buffer.

Signed-off-by: Peter Harris
---
 icccm/icccm.c | 11 ++++++++---
 icccm/xcb_icccm.h | 2 ++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/icccm/icccm.c b/icccm/icccm.c
index 18c2cf2..bea1d6a 100644
--- a/icccm/icccm.c
+++ b/icccm/icccm.c
@@ -445,14 +445,16 @@ xcb_get_wm_size_hints_from_reply(xcb_size_hints_t *hints, xcb_get_property_reply
   int length = xcb_get_property_value_length(reply) / (reply->format / 8);
 
   if (!(reply->type == WM_SIZE_HINTS &&
-        (reply->format == 8 || reply->format == 16 ||
-         reply->format == 32) &&
+        reply->format == 32 &&
         /* OldNumPropSizeElements = 15 (pre-ICCCM) */
         length >= 15))
     return 0;
 
+  if (length > XCB_NUM_WM_SIZE_HINTS_ELEMENTS)
+    length = XCB_NUM_WM_SIZE_HINTS_ELEMENTS;
+
   memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value (reply),
-         length * reply->format >> 3);
+         length * (reply->format / 8));
 
   flags = (XCB_SIZE_HINT_US_POSITION | XCB_SIZE_HINT_US_SIZE |
            XCB_SIZE_HINT_P_POSITION | XCB_SIZE_HINT_P_SIZE |
@@ -642,6 +644,9 @@ xcb_get_wm_hints_from_reply(xcb_wm_hints_t *hints,
   if(num_elem < XCB_NUM_WM_HINTS_ELEMENTS - 1)
     return 0;
 
+  if (length > sizeof(xcb_size_hints_t))
+    length = sizeof(xcb_size_hints_t);
+
   memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value(reply), length);
 
   if(num_elem < XCB_NUM_WM_HINTS_ELEMENTS)
diff --git a/icccm/xcb_icccm.h b/icccm/xcb_icccm.h
index 2d80ffb..c0d398f 100644
--- a/icccm/xcb_icccm.h
+++ b/icccm/xcb_icccm.h
@@ -452,6 +452,8 @@ typedef struct {
   uint32_t win_gravity;
 } xcb_size_hints_t;
 
+#define XCB_NUM_WM_SIZE_HINTS_ELEMENTS 18
+
 /**
  * @brief Set size hints to a given position.
  * @param hints SIZE_HINTS structure.
-- 
1.6.5
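Review bot: The format test this hunk tightens still runs after `int length = xcb_get_property_value_length(reply) / (reply->format / 8);`, so a reply whose format is 0 (which a GetProperty reply carries for a missing property, as far as I recall — confirm against the callers) divides by zero before the new validation is reached. Moving the type/format check ahead of the division, `if (reply->type != WM_SIZE_HINTS || reply->format != 32) return 0;` inserted before the `int length` line, removes the hazard and makes the format clause in the existing condition redundant. Separately, when length is 15..17 the clamped memcpy leaves the last elements of `*hints` (win_gravity among them) unwritten; if the rest of the function does not initialize them, a caller passing an uninitialized struct reads indeterminate values, so either zero them explicitly or document that pre-ICCCM replies leave those fields untouched. xcb_get_wm_size_hints_from_reply's body begins before and continues after this hunk.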
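Review bot: The clamp added here bounds `length` by `sizeof(xcb_size_hints_t)`, but the destination is the `xcb_wm_hints_t *hints` parameter shown in the hunk header, so unless the two structs happen to be the same size a property longer than `sizeof(xcb_wm_hints_t)` still overruns the buffer this commit set out to protect. The clamp and the cast on the memcpy source should name the destination type: `if (length > sizeof(xcb_wm_hints_t)) length = sizeof(xcb_wm_hints_t);` and `memcpy(hints, xcb_get_property_value(reply), length);` (the cast is unnecessary for memcpy and currently misleading). `length` is computed before the hunk; if it is derived from `reply->format` the way xcb_get_wm_size_hints_from_reply derives it, the same format-zero division applies here and should be guarded before the arithmetic. The function's body begins before and continues after this hunk.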
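Review bot: `XCB_NUM_WM_SIZE_HINTS_ELEMENTS` is a bare 18 that must stay equal to the number of 32-bit fields in the `xcb_size_hints_t` struct ending just above it (the struct's earlier fields are outside this hunk), and nothing records that coupling even though icccm.c now relies on it to bound a memcpy. A comment on the define, `/* number of uint32_t elements in xcb_size_hints_t; must track the struct above */`, tells whoever adds a field that the bound changes with it.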