diff options
| author | Colin Harrison <colin.harrison@virgin.net> | 2013-06-25 21:34:43 +0100 |
|---|---|---|
| committer | Jon TURNEY <jon.turney@dronecode.org.uk> | 2013-07-23 23:59:41 +0100 |
| commit | e95bb97073ca77193e4c51bd1504403fbe245533 (patch) | |
| tree | 743964b1948e61dda29959548404644a643680f3 | |
| parent | 4bc375aa2f08bd092f60d3e358d345fc9a0d3637 (diff) | |
hw/xwin: Fix possible crash in winMultiWindowGetClassHint
Fix a possible crash in winMultiWindowGetClassHint() when an application doesn't
null terminate the WM_CLASS property class name (which is an ICCCM conformance
bug in the application)
(Reported for running the contiki cooja simulator in multiwindow mode, although
it seems that many Java clients may have this problem, see [1])
Based on a patch by Marc Haesen.
v2: Avoid using strnlen() which is missing on MinGW
v3: Align with Xming patch
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6961123
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
| -rw-r--r-- | hw/xwin/winmultiwindowclass.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/hw/xwin/winmultiwindowclass.c b/hw/xwin/winmultiwindowclass.c index ced8f4554..6787332a3 100644 --- a/hw/xwin/winmultiwindowclass.c +++ b/hw/xwin/winmultiwindowclass.c @@ -68,7 +68,12 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class) while (prop) { if (prop->propertyName == XA_WM_CLASS && prop->type == XA_STRING && prop->format == 8 && prop->data) { + /* + WM_CLASS property should consist of 2 null terminated strings, but we + must handle the cases when one or both is absent or not null terminated + */ len_name = strlen((char *) prop->data); + if (len_name > prop->size) len_name = prop->size; (*res_name) = malloc(len_name + 1); @@ -77,13 +82,13 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class) return 0; } - /* Add one to len_name to allow copying of trailing 0 */ - strncpy((*res_name), prop->data, len_name + 1); + /* Copy name and ensure null terminated */ + strncpy((*res_name), prop->data, len_name); + (*res_name)[len_name] = '\0'; - if (len_name == prop->size) - len_name--; - - len_class = strlen(((char *) prop->data) + 1 + len_name); + /* Compute length of class name, it could be that it is absent or not null terminated */ + len_class = (len_name >= prop->size) ? 0 : (strlen(((char *) prop->data) + 1 + len_name)); + if (len_class > prop->size - 1 - len_name) len_class = prop->size - 1 - len_name; (*res_class) = malloc(len_class + 1); @@ -95,7 +100,9 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class) return 0; } - strcpy((*res_class), ((char *) prop->data) + 1 + len_name); + /* Copy class name and ensure null terminated */ + strncpy((*res_class), ((char *) prop->data) + 1 + len_name, len_class); + (*res_class)[len_class] = '\0'; return 1; } |