[PATCH v3] compositor-x11: fix title overflow in x11_backend_create_output

Benoit Gschwind gschwind at gnu-log.net
Sun Jun 5 17:01:11 UTC 2016


sprintf can overflow the fixed length title which is char[32]. This
patch change title to dynamically allocated char array using asprintf or
strdup. If one of them fail we leave returning NULL to indicate the
failure.

Signed-of-by: Benoit Gschwind<gschwind at gnu-log.net>
---
v3:
 - fix xcb_destroy_window arguments

v2:
 - fix spacing
 - properly cleanup everything on failure.

 src/compositor-x11.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/src/compositor-x11.c b/src/compositor-x11.c
index 629b5f3..8727934 100644
--- a/src/compositor-x11.c
+++ b/src/compositor-x11.c
@@ -782,7 +782,7 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
 {
 	static const char name[] = "Weston Compositor";
 	static const char class[] = "weston-1\0Weston Compositor";
-	char title[32];
+	char *title = NULL;
 	struct x11_output *output;
 	xcb_screen_t *screen;
 	struct wm_normal_hints normal_hints;
@@ -800,11 +800,6 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
 	output_width = width * scale;
 	output_height = height * scale;
 
-	if (configured_name)
-		sprintf(title, "%s - %s", name, configured_name);
-	else
-		strcpy(title, name);
-
 	if (!no_input)
 		values[0] |=
 			XCB_EVENT_MASK_KEY_PRESS |
@@ -871,9 +866,24 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
 	}
 
 	/* Set window name.  Don't bother with non-EWMH WMs. */
-	xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
-			    b->atom.net_wm_name, b->atom.utf8_string, 8,
-			    strlen(title), title);
+	if (configured_name) {
+		if (asprintf(&title, "%s - %s", name, configured_name) < 0)
+			title = NULL;
+	} else {
+		title = strdup(name);
+	}
+
+	if (title) {
+		xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
+				    b->atom.net_wm_name, b->atom.utf8_string, 8,
+				    strlen(title), title);
+		free(title);
+	} else {
+		xcb_destroy_window(b->conn, output->window);
+		free(output);
+		return NULL;
+	}
+
 	xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
 			    b->atom.wm_class, b->atom.string, 8,
 			    sizeof class, class);
-- 
2.7.3



More information about the wayland-devel mailing list