[PATCH v3] compositor-x11: fix title overflow in x11_backend_create_output

Yong Bakos junk at humanoriented.com
Sun Jun 5 23:46:28 UTC 2016 

On Jun 5, 2016, at 12:01 PM, Benoit Gschwind <gschwind at gnu-log.net> wrote:
> 
> sprintf can overflow the fixed length title which is char[32]. This
> patch change title to dynamically allocated char array using asprintf or
> strdup. If one of them fail we leave returning NULL to indicate the
> failure.
> 
> Signed-of-by: Benoit Gschwind<gschwind at gnu-log.net>

Reviewed-by: Yong Bakos<ybakos at humanoriented.com>
Tested-by: Yong Bakos<ybakos at humanoriented.com>

Cheers,
yong


> ---
> v3:
> - fix xcb_destroy_window arguments
> 
> v2:
> - fix spacing
> - properly cleanup everything on failure.
> 
> src/compositor-x11.c | 28 +++++++++++++++++++---------
> 1 file changed, 19 insertions(+), 9 deletions(-)
> 
> diff --git a/src/compositor-x11.c b/src/compositor-x11.c
> index 629b5f3..8727934 100644
> --- a/src/compositor-x11.c
> +++ b/src/compositor-x11.c
> @@ -782,7 +782,7 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
> {
> 	static const char name[] = "Weston Compositor";
> 	static const char class[] = "weston-1\0Weston Compositor";
> -	char title[32];
> +	char *title = NULL;
> 	struct x11_output *output;
> 	xcb_screen_t *screen;
> 	struct wm_normal_hints normal_hints;
> @@ -800,11 +800,6 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
> 	output_width = width * scale;
> 	output_height = height * scale;
> 
> -	if (configured_name)
> -		sprintf(title, "%s - %s", name, configured_name);
> -	else
> -		strcpy(title, name);
> -
> 	if (!no_input)
> 		values[0] |=
> 			XCB_EVENT_MASK_KEY_PRESS |
> @@ -871,9 +866,24 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
> 	}
> 
> 	/* Set window name.  Don't bother with non-EWMH WMs. */
> -	xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
> -			    b->atom.net_wm_name, b->atom.utf8_string, 8,
> -			    strlen(title), title);
> +	if (configured_name) {
> +		if (asprintf(&title, "%s - %s", name, configured_name) < 0)
> +			title = NULL;
> +	} else {
> +		title = strdup(name);
> +	}
> +
> +	if (title) {
> +		xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
> +				    b->atom.net_wm_name, b->atom.utf8_string, 8,
> +				    strlen(title), title);
> +		free(title);
> +	} else {
> +		xcb_destroy_window(b->conn, output->window);
> +		free(output);
> +		return NULL;
> +	}
> +
> 	xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
> 			    b->atom.wm_class, b->atom.string, 8,
> 			    sizeof class, class);
> -- 
> 2.7.3

More information about the wayland-devel mailing list