[Xcb] [PATCH] memcpy() with wrong size in xcb/util/icccm

Michael Stapelberg michael+xcb at stapelberg.de
Mon Dec 21 13:01:33 PST 2009

Hi Peter,

Excerpts from Peter Harris's message of Mon Dec 21 21:10:44 +0100 2009:
> > I think this is the correct way to do it because it matches the
> > sizeof(xcb_size_hints_t) 
> Are you sure?
You are right, I messed up the calculations somewhere. To explain it
correctly: reply->value_len = 18, reply->format = 32, ergo
xcb_get_property_value_length() returns (18 * (32/8)) = 72. In the code
this is then divided by (32/8) again and multiplied later.

In our tests the user was not able to reproduce it again. Sorry for the
false alarm. In any case, though, it seems like a good idea to ensure
that not more than sizeof(xcb_size_hints_t) bytes are copied.

> There is definitely a major problem with this code: It copies an
> untrusted amount of data into a fixed length buffer. See the attached
> patch; does this fix the problem for you?
You seem to have forgotten the attachment.

Best regards,

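The length arithmetic and the fixed-size destination discussed in the message, as an added example that is not code from this thread or from xcb-util. The reply and size-hints structs below are constructed stand-ins (`fake_property_reply_t`, `fake_size_hints_t`, `fake_property_value_length()`) chosen so that value_len = 18 and format = 32 give the 72 bytes mentioned above; the real libxcb and xcb_icccm.h types have more members. `unchecked_copy_len()` reproduces the described bytes-to-elements-and-back calculation, which yields whatever size the server reported; `bounded_copy_len()` and `copy_size_hints()` are one way to cap the copy at sizeof the destination, as the message suggests.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the relevant fields of libxcb's
 * xcb_get_property_reply_t (the real struct has more members). */
typedef struct {
    uint8_t  format;     /* bits per element: 8, 16 or 32 */
    uint32_t value_len;  /* number of elements, as reported by the X server */
} fake_property_reply_t;

/* Mirrors the arithmetic of xcb_get_property_value_length():
 * element count times bytes per element. */
static size_t fake_property_value_length(const fake_property_reply_t *r)
{
    return (size_t)r->value_len * (r->format / 8);
}

/* 18 32-bit fields, 72 bytes: the layout the thread's numbers assume.
 * Constructed to match that size; not copied from xcb_icccm.h. */
typedef struct {
    uint32_t flags;
    int32_t  x, y, width, height;
    int32_t  min_width, min_height, max_width, max_height;
    int32_t  width_inc, height_inc;
    int32_t  min_aspect_num, min_aspect_den, max_aspect_num, max_aspect_den;
    int32_t  base_width, base_height;
    uint32_t win_gravity;
} fake_size_hints_t;

/* The calculation the message describes: bytes divided by (format/8) to get
 * an element count, multiplied back to bytes later. The result is whatever
 * the server sent, so value_len > 18 would overrun a fake_size_hints_t if
 * this were used directly as the memcpy() size. */
static size_t unchecked_copy_len(const fake_property_reply_t *r)
{
    size_t num_elem = fake_property_value_length(r) / (r->format / 8);
    return num_elem * (r->format / 8);
}

/* Hardened variant: require the 32-bit element format the struct layout
 * assumes, then clamp the copy to the destination size. */
static size_t bounded_copy_len(const fake_property_reply_t *r)
{
    if (r->format != 32)
        return 0;
    size_t bytes = fake_property_value_length(r);
    if (bytes > sizeof(fake_size_hints_t))
        bytes = sizeof(fake_size_hints_t);
    return bytes;
}

/* Copy at most sizeof(*hints) bytes from the untrusted property value;
 * fields the reply did not supply are left zero. Returns bytes copied,
 * 0 when the reply is rejected. */
static size_t copy_size_hints(fake_size_hints_t *hints,
                              const fake_property_reply_t *r,
                              const void *value)
{
    size_t n = bounded_copy_len(r);
    memset(hints, 0, sizeof(*hints));
    if (n == 0)
        return 0;
    memcpy(hints, value, n);
    return n;
}

int main(void)
{
    /* Constructed replies: the well-formed case from the thread and an
     * oversized one as a malicious or buggy client could send. */
    fake_property_reply_t normal = { .format = 32, .value_len = 18 };
    fake_property_reply_t oversized = { .format = 32, .value_len = 100 };
    uint32_t payload[100];
    fake_size_hints_t hints;

    for (uint32_t i = 0; i < 100; i++)
        payload[i] = i;

    printf("normal:    unchecked %zu bytes, bounded %zu bytes\n",
           unchecked_copy_len(&normal), bounded_copy_len(&normal));
    printf("oversized: unchecked %zu bytes, bounded %zu bytes\n",
           unchecked_copy_len(&oversized), bounded_copy_len(&oversized));

    size_t copied = copy_size_hints(&hints, &oversized, payload);
    printf("copied %zu bytes, win_gravity = %u\n", copied, hints.win_gravity);
    return 0;
}
```

The clamp is what keeps the copy inside the destination regardless of value_len; the format check is separate and guards the assumption that each element is a 32-bit field.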