Validate size of wm_hints and wm_size_hints

Without these checks, we can overflow the buffer or divide by zero. Patch from upstreams, From David Coppa.
2010-03-20 07:37:07 +00:00 · 2010-03-20 07:37:07 +00:00 · 7b8404708b
commit 7b8404708b
parent 13e4486b33
1 changed files with 5 additions and 8 deletions
--- a/dist/xcb-util/icccm/icccm.c
+++ b/dist/xcb-util/icccm/icccm.c
@ -418,8 +418,7 @@ xcb_get_property_cookie_t
 xcb_get_wm_size_hints(xcb_connection_t *c, xcb_window_t window,
                      xcb_atom_t property)
 {
-  /* NumPropSizeElements = 18 (ICCCM version 1). */
-  return xcb_get_property(c, 0, window, property, WM_SIZE_HINTS, 0L, 18);
+  return xcb_get_property(c, 0, window, property, WM_SIZE_HINTS, 0L, XCB_NUM_WM_SIZE_HINTS_ELEMENTS);
 }

 xcb_get_property_cookie_t
@ -427,7 +426,7 @@ xcb_get_wm_size_hints_unchecked(xcb_connection_t *c, xcb_window_t window,
                                xcb_atom_t property)
 {
  return xcb_get_property_unchecked(c, 0, window, property, WM_SIZE_HINTS,
-                                    0L, 18);
+                                    0L, XCB_NUM_WM_SIZE_HINTS_ELEMENTS);
 }

 uint8_t
@ -439,14 +438,12 @@ xcb_get_wm_size_hints_from_reply(xcb_size_hints_t *hints, xcb_get_property_reply
  if(!reply)
    return 0;

-  length = xcb_get_property_value_length(reply) / (reply->format / 8);
-
  if (!(reply->type == WM_SIZE_HINTS &&
-         reply->format == 32 &&
-        /* OldNumPropSizeElements = 15 (pre-ICCCM) */
-        length >= 15))
+         reply->format == 32))
    return 0;

+  length = xcb_get_property_value_length(reply) / (reply->format / 8);
+
  if (length > XCB_NUM_WM_SIZE_HINTS_ELEMENTS)
    length = XCB_NUM_WM_SIZE_HINTS_ELEMENTS;