diff options
| author | Arnaud Fontaine <arnau@debian.org> | 2011-03-07 23:20:03 +0900 |
|---|---|---|
| committer | Arnaud Fontaine <arnau@debian.org> | 2011-03-07 23:20:03 +0900 |
| commit | 91988b08395dad5a221204e83324cb72d898334d (patch) | |
| tree | 0638f2d6b8714a47c7b15a4f68d59aabbe82eb3c | |
| parent | 368165f1f99c15f22dbe02e7373f7d6d20c0277e (diff) | |
Check more carefully the reply of a _NET_WM_ICON which may contains
several icons
| -rw-r--r-- | ewmh/ewmh.c.m4 | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/ewmh/ewmh.c.m4 b/ewmh/ewmh.c.m4 index 103f3ad..23df1b0 100644 --- a/ewmh/ewmh.c.m4 +++ b/ewmh/ewmh.c.m4 @@ -1144,13 +1144,22 @@ uint8_t xcb_ewmh_get_wm_icon_from_reply(xcb_ewmh_get_wm_icon_reply_t *wm_icon, xcb_get_property_reply_t *r) { + const uint32_t r_value_len = xcb_get_property_value_length(r); if(!r || r->type != XCB_ATOM_CARDINAL || r->format != 32 || - xcb_get_property_value_length(r) <= (sizeof(uint32_t) * 2)) + r_value_len <= (sizeof(uint32_t) * 2)) return 0; - wm_icon->_reply = r; - uint32_t *r_value = (uint32_t *) xcb_get_property_value(wm_icon->_reply); + uint32_t *r_value = (uint32_t *) xcb_get_property_value(r); + if(!r_value) + return 0; + /* Check that the property is as long as it should be, handling + integer overflow */ + const uint64_t expected_len = r_value[0] * (uint64_t) r_value[1]; + if(!r_value[0] || !r_value[1] || expected_len > r_value_len - 2) + return 0; + + wm_icon->_reply = r; wm_icon->width = r_value[0]; wm_icon->height = r_value[1]; wm_icon->data = r_value + 2; |