Check more carefully the reply of a _NET_WM_ICON which may contains

several icons
author: Arnaud Fontaine <arnau@debian.org> 2011-03-07 23:20:03 +0900
committer: Arnaud Fontaine <arnau@debian.org> 2011-03-07 23:20:03 +0900
commit: 91988b08395dad5a221204e83324cb72d898334d (patch)
tree: 0638f2d6b8714a47c7b15a4f68d59aabbe82eb3c /ewmh
parent: 368165f1f99c15f22dbe02e7373f7d6d20c0277e (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/ewmh/ewmh.c.m4 b/ewmh/ewmh.c.m4
index 103f3ad..23df1b0 100644
--- a/ewmh/ewmh.c.m4
+++ b/ewmh/ewmh.c.m4
@@ -1144,13 +1144,22 @@ uint8_t
 xcb_ewmh_get_wm_icon_from_reply(xcb_ewmh_get_wm_icon_reply_t *wm_icon,
                                 xcb_get_property_reply_t *r)
 {
+  const uint32_t r_value_len = xcb_get_property_value_length(r);
   if(!r || r->type != XCB_ATOM_CARDINAL || r->format != 32 ||
-     xcb_get_property_value_length(r) <= (sizeof(uint32_t) * 2))
+     r_value_len <= (sizeof(uint32_t) * 2))
     return 0;
 
-  wm_icon->_reply = r;
-  uint32_t *r_value = (uint32_t *) xcb_get_property_value(wm_icon->_reply);
+  uint32_t *r_value = (uint32_t *) xcb_get_property_value(r);
+  if(!r_value)
+    return 0;
 
+  /* Check that the property is as long as it should be, handling
+     integer overflow */
+  const uint64_t expected_len = r_value[0] * (uint64_t) r_value[1];
+  if(!r_value[0] || !r_value[1] || expected_len > r_value_len - 2)
+    return 0;
+
+  wm_icon->_reply = r;
   wm_icon->width = r_value[0];
   wm_icon->height = r_value[1];
   wm_icon->data = r_value + 2;
author	Arnaud Fontaine <arnau@debian.org>	2011-03-07 23:20:03 +0900
committer	Arnaud Fontaine <arnau@debian.org>	2011-03-07 23:20:03 +0900
commit	91988b08395dad5a221204e83324cb72d898334d (patch)
tree	0638f2d6b8714a47c7b15a4f68d59aabbe82eb3c /ewmh
parent	368165f1f99c15f22dbe02e7373f7d6d20c0277e (diff)