xenocara/dist/xcb-util/icccm: better patch

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

xenocara/dist/xcb-util/icccm: better patch

David Coppa
Hello again,

This is a better patch that also fixes a problem of copying an untrusted
amount of data into a fixed length buffer.

From Peter Harris <[hidden email]> (xcb developer).

Please have a look at it if you want...

Ciao,
Dav


Index: icccm.c
===================================================================
RCS file: /cvs/xenocara/dist/xcb-util/icccm/icccm.c,v
retrieving revision 1.4
diff -N -u -p icccm.c
--- icccm.c 5 Sep 2009 15:55:46 -0000 1.4
+++ icccm.c 5 Mar 2010 12:33:42 -0000
@@ -442,14 +442,16 @@ xcb_get_wm_size_hints_from_reply(xcb_size_hints_t *hin
   length = xcb_get_property_value_length(reply) / (reply->format / 8);
 
   if (!(reply->type == WM_SIZE_HINTS &&
-        (reply->format == 8  || reply->format == 16 ||
-         reply->format == 32) &&
+         reply->format == 32 &&
         /* OldNumPropSizeElements = 15 (pre-ICCCM) */
         length >= 15))
     return 0;
 
+  if (length > XCB_NUM_WM_SIZE_HINTS_ELEMENTS)
+    length = XCB_NUM_WM_SIZE_HINTS_ELEMENTS;
+
   memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value (reply),
-         length * reply->format >> 3);
+         length * (reply->format / 8));
 
   flags = (XCB_SIZE_HINT_US_POSITION | XCB_SIZE_HINT_US_SIZE |
            XCB_SIZE_HINT_P_POSITION | XCB_SIZE_HINT_P_SIZE |
@@ -632,16 +634,17 @@ xcb_get_wm_hints_from_reply(xcb_wm_hints_t *hints,
 {
   int length, num_elem;
 
-  if(!reply)
+  if(!reply || reply->type != WM_HINTS || reply->format != 32)
     return 0;
 
   length = xcb_get_property_value_length(reply);
   num_elem = length / (reply->format / 8);
 
-  if (reply->type != WM_HINTS
-      || reply->format != 32
-      || num_elem < XCB_NUM_WM_HINTS_ELEMENTS - 1)
+  if(num_elem < XCB_NUM_WM_HINTS_ELEMENTS - 1)
     return 0;
+
+  if (length > sizeof(xcb_size_hints_t))
+    length = sizeof(xcb_size_hints_t);
 
   memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value(reply), length);
 
Index: xcb_icccm.h
===================================================================
RCS file: /cvs/xenocara/dist/xcb-util/icccm/xcb_icccm.h,v
retrieving revision 1.2
diff -N -u -p xcb_icccm.h
--- xcb_icccm.h 5 Sep 2009 15:55:46 -0000 1.2
+++ xcb_icccm.h 5 Mar 2010 12:33:43 -0000
@@ -447,6 +447,8 @@ typedef struct {
   uint32_t win_gravity;
 } xcb_size_hints_t;
 
+#define XCB_NUM_WM_SIZE_HINTS_ELEMENTS 18
+
 /**
  * @brief Set size hints to a given position.
  * @param hints SIZE_HINTS structure.