[Xcb] [PATCH] memcpy() with wrong size in xcb/util/icccm
Michael Stapelberg
michael+xcb at stapelberg.de
Mon Dec 21 11:31:58 PST 2009
Hi,
a user of i3 recently discovered a problem where libxcb wrote into i3’s
memory, thereby overwriting a pointer with NULL and thus crashing i3.
The problem seems to be using the wrong length for memcpy in
xcb_get_wm_size_hints_from_reply(), see this patch:
--- icccm/O.icccm.c 2009-12-21 19:33:35.019052049 +0100
+++ icccm/icccm.c 2009-12-21 19:33:42.951051864 +0100
@@ -445,8 +445,7 @@
length >= 15))
return 0;
- memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value (reply),
- length * reply->format >> 3);
+ memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value (reply), length);
flags = (XCB_SIZE_HINT_US_POSITION | XCB_SIZE_HINT_US_SIZE |
XCB_SIZE_HINT_P_POSITION | XCB_SIZE_HINT_P_SIZE |
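Review bot: whether `length` is the correct byte count here depends on how `length` is computed, and the hunk does not show that; a sentence in the commit message saying it is the byte length returned by xcb_get_property_value_length() would make the fix self-evident, because if `length` instead counted 32-bit elements the patched call would copy too few bytes. The removed expression `length * reply->format >> 3` parses as `(length * reply->format) >> 3` (`*` binds tighter than `>>`), so for format 32 it copied four times `length` bytes, which is consistent with the overrun described in the mail. Two things are still worth doing at this spot: the visible guard `length >= 15` has no upper bound, so a property longer than `sizeof(xcb_size_hints_t)` would still overrun `hints` (clamp or reject, e.g. `if (length > sizeof(*hints)) return 0;`), and a shorter property leaves the trailing fields of `hints` uninitialised unless the struct is zeroed before the memcpy.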
I think this is the correct way to do it because it matches the
sizeof(xcb_size_hints_t) and because xcb_get_wm_hints_from_reply() also does
not multiply by (reply->format >> 3). Still, it would be great if any of
you more familiar with this code could review it and apply the patch for the
next release of xcb-util.
Best regards,
Michael
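The size mix-up behind this report, as an added example that is not part of the mail or of xcb-util: the struct below is a stand-in for xcb_size_hints_t (18 32-bit fields, 72 bytes), the property buffers are constructed, and copy_size_hints() is a hypothetical hardened version of the copy that rejects oversized properties and zero-fills before a short one.

```c
/* Added example, not xcb-util code: models the memcpy size in
 * xcb_get_wm_size_hints_from_reply() on constructed property data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {              /* stand-in for xcb_size_hints_t (assumed layout) */
    uint32_t flags, x, y, width, height;
    uint32_t min_width, min_height, max_width, max_height;
    uint32_t width_inc, height_inc;
    uint32_t min_aspect_num, min_aspect_den, max_aspect_num, max_aspect_den;
    uint32_t base_width, base_height, win_gravity;
} size_hints_t;

/* The size the old code handed to memcpy: '*' binds tighter than '>>',
 * so this is (length * format) >> 3, i.e. 4 * length when format == 32. */
size_t old_copy_size(size_t length, unsigned format) {
    return length * format >> 3;
}

/* Hypothetical defensive copy: length is a byte count; never write past the
 * destination and zero it first so a short property leaves no stale tail.
 * Returns bytes copied, or 0 when the property is rejected. */
size_t copy_size_hints(size_hints_t *hints, const void *value, size_t length) {
    if (length > sizeof(*hints))          /* no upper bound in the original guard */
        return 0;
    memset(hints, 0, sizeof(*hints));
    memcpy(hints, value, length);
    return length;
}

/* Constructed 18-element property (values 1..18): last field must survive. */
uint32_t demo_full_copy(void) {
    uint32_t prop[18]; size_hints_t h;
    for (unsigned i = 0; i < 18; i++) prop[i] = i + 1;
    copy_size_hints(&h, prop, sizeof prop);
    return h.win_gravity;                 /* 18 */
}

/* Constructed 15-element property: fields after it read as zero, not garbage. */
uint32_t demo_short_copy(void) {
    uint32_t prop[15]; size_hints_t h;
    for (unsigned i = 0; i < 15; i++) prop[i] = i + 1;
    copy_size_hints(&h, prop, sizeof prop);
    return h.base_width;                  /* 0 */
}

/* Constructed 20-element property: rejected instead of overrunning hints. */
size_t demo_oversized(void) {
    uint32_t prop[20] = {0}; size_hints_t h;
    return copy_size_hints(&h, prop, sizeof prop);   /* 0 */
}
```

With the real 72-byte property, old_copy_size(72, 32) is 288, which is the four-fold overrun that clobbered i3's memory.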