[Xcb] [PATCH] memcpy() with wrong size in xcb/util/icccm

Michael Stapelberg michael+xcb at stapelberg.de
Mon Dec 21 11:31:58 PST 2009


a user of i3 recently discovered a problem where libxcb wrote into i3’s
memory, thereby overwriting a pointer with NULL and thus crashing i3.

The problem seems to be using the wrong length for memcpy in
xcb_get_wm_size_hints_from_reply(), see this patch:

--- icccm/O.icccm.c	2009-12-21 19:33:35.019052049 +0100
+++ icccm/icccm.c	2009-12-21 19:33:42.951051864 +0100
@@ -445,8 +445,7 @@
         length >= 15))
     return 0;
-  memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value (reply),
-         length * reply->format >> 3);
+  memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value (reply), length);

I think this is the correct way to do it because it matches the
sizeof(xcb_size_hints_t) and because xcb_get_wm_hints_from_reply() also does
not multiply with (reply->format >> 3). Still, it would be great if anyone of
you more familiar with this code could review it and apply the patch for the
next release of xcb-util.

Best regards,

More information about the Xcb mailing list