[Xcb] [Bug 29373] New: libicccm: xcb_get_wm_class_from_reply() causes reads beyond end of buffer

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Aug 3 01:58:31 PDT 2010


           Summary: libicccm: xcb_get_wm_class_from_reply() causes reads
                    beyond end of buffer
           Product: XCB
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: medium
         Component: Utils
        AssignedTo: xcb at lists.freedesktop.org
        ReportedBy: psychon at znc.in
         QAContact: xcb at lists.freedesktop.org

Created an attachment (id=37536)
 --> (https://bugs.freedesktop.org/attachment.cgi?id=37536)
Sample app setting an invalid WM_CLASS to trigger the bug in


ICCCM mandates that WM_CLASS must contain "instance\0class\0". Both entries
have to be NULL-terminated. xcb_get_wm_class_from_reply() relies on this, but
apparently some apps don't do this.

The code in question looks like this: (
http://cgit.freedesktop.org/xcb/util/tree/icccm/icccm.c#n330 )

  prop->_reply = reply;
  prop->instance_name = (char *) xcb_get_property_value(prop->_reply);

  int name_len = strlen(prop->instance_name);
  if(name_len == xcb_get_property_value_length(prop->_reply))

  prop->class_name = prop->instance_name + name_len + 1;

If the instance is not NULL terminated, strlen() will read beyond the end of
the buffer. If the class is not NULL terminated, the calling application will
read beyond the end of the buffer when it tries to use the results of this

The attached application sets such an invalid WM_NAME on its window. The value
used is 8 bytes long to avoid padding in the wire protocol.

This was found via Java's usual brokenness and the awesome WM:


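A bounds-checked way to split a WM_CLASS value, shown as an added example that is not part of the original report and is not the libxcb-icccm code. The names wm_class_parse and struct wm_class and the sample byte arrays are hypothetical and constructed for illustration; the function assumes the caller passes the property value pointer together with its length in bytes.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result type for this example; not the library's struct. */
struct wm_class {
    const char *instance;
    const char *class_name;
};

/*
 * Split a WM_CLASS value of `len` bytes laid out as "instance\0class\0".
 * Returns 1 and fills `out` only if both strings are terminated inside
 * the buffer; returns 0 for any value that would force a read past it.
 */
int wm_class_parse(const char *value, size_t len, struct wm_class *out)
{
    const char *end_instance, *end_class;
    size_t rest;

    if (value == NULL || out == NULL || len == 0)
        return 0;

    /* memchr() never inspects bytes past value[len - 1], unlike strlen(). */
    end_instance = memchr(value, '\0', len);
    if (end_instance == NULL)
        return 0;                       /* instance is not terminated */

    /* Bytes left after the instance terminator; may be zero. */
    rest = len - (size_t)(end_instance - value) - 1;
    end_class = memchr(end_instance + 1, '\0', rest);
    if (end_class == NULL)
        return 0;                       /* class missing or not terminated */

    out->instance = value;
    out->class_name = end_instance + 1;
    return 1;
}

/* Constructed sample values (not taken from the attachment). */
static const char sample_ok[] = "xterm\0XTerm";               /* 12 bytes */
static const char sample_no_nul[8] = {'a','b','c','d','e','f','g','h'};
static const char sample_class_open[8] = {'a','b','c','\0','d','e','f','g'};

int main(void)
{
    struct wm_class wc;
    int ok = wm_class_parse(sample_ok, sizeof sample_ok, &wc) == 1
          && wm_class_parse(sample_no_nul, sizeof sample_no_nul, &wc) == 0
          && wm_class_parse(sample_class_open, sizeof sample_class_open, &wc) == 0;
    return ok ? 0 : 1;
}
```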