xenocara/dist/xcb-util/icccm: fix reply->format check

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

xenocara/dist/xcb-util/icccm: fix reply->format check

David Coppa
Hi all,

The attached patch fixes a bug in libxcb-icccm that affects xcb-based WMs.

For example, with i3 window manager from ports/x11/i3, launching xev makes
i3 crash:

GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd4.7"...
Core was generated by `i3'.
Program terminated with signal 8, Arithmetic exception.

...

#0  0x0a2f493a in xcb_get_wm_hints_from_reply (hints=0xcfbf9870,
    reply=0x85607bc0) at /usr/xenocara/dist/xcb-util/icccm/icccm.c:639
639  num_elem = length / (reply->format / 8);
(gdb) quit


Patch is from fdo's git repo:
http://cgit.freedesktop.org/xcb/util/commit/?id=d5b5d682465bd3196105df86d6df9fcde9518e6c

Cheers,
David


Index: icccm.c
===================================================================
RCS file: /cvs/xenocara/dist/xcb-util/icccm/icccm.c,v
retrieving revision 1.4
diff -N -u -p icccm.c
--- icccm.c 5 Sep 2009 15:55:46 -0000 1.4
+++ icccm.c 5 Mar 2010 11:46:59 -0000
@@ -632,15 +632,13 @@ xcb_get_wm_hints_from_reply(xcb_wm_hints_t *hints,
 {
   int length, num_elem;
 
-  if(!reply)
+  if(!reply || reply->type != WM_HINTS || reply->format != 32)
     return 0;
 
   length = xcb_get_property_value_length(reply);
   num_elem = length / (reply->format / 8);
 
-  if (reply->type != WM_HINTS
-      || reply->format != 32
-      || num_elem < XCB_NUM_WM_HINTS_ELEMENTS - 1)
+  if(num_elem < XCB_NUM_WM_HINTS_ELEMENTS - 1)
     return 0;
 
   memcpy(hints, (xcb_size_hints_t *) xcb_get_property_value(reply), length);