Check that the property is as long as it should be

Before this, a _NET_WM_ICON property could be 5 bytes long while still claiming
that the image it describes is 100x100 pixels in size.

Signed-off-by: Uli Schlachter <psychon@znc.in>
Signed-off-by: Julien Danjou <julien@danjou.info>
Uli Schlachter 2009-05-12 11:08:43 +02:00 committed by Julien Danjou
parent 3e64d05c3c
commit 572622590a
1 changed files with 10 additions and 1 deletions

11
ewmh.c

@ -661,12 +661,21 @@ int
ewmh_window_icon_from_reply(xcb_get_property_reply_t *r) ewmh_window_icon_from_reply(xcb_get_property_reply_t *r)
{ {
uint32_t *data; uint32_t *data;
uint64_t len;
if(!r || r->type != CARDINAL || r->format != 32 || r->length < 2) if(!r || r->type != CARDINAL || r->format != 32 || r->length < 2)
return 0; return 0;
data = (uint32_t *) xcb_get_property_value(r); data = (uint32_t *) xcb_get_property_value(r);
if (!data || !data[0] || !data[1]) if (!data)
return 0;
/* Check that the property is as long as it should be, handling integer
* overflow. <uint32_t> times <another uint32_t casted to uint64_t> always
* fits into an uint64_t and thus this multiplication cannot overflow.
*/
len = data[0] * (uint64_t) data[1];
if (!data[0] || !data[1] || len > r->length - 2)
return 0; return 0;
return image_new_from_argb32(data[0], data[1], data + 2); return image_new_from_argb32(data[0], data[1], data + 2);
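Review bot: The new bound `len > r->length - 2` compares a pixel count against `r->length`, which is correct only because the reply length is counted in 32-bit words and `r->format != 32` was rejected a few lines earlier. The added comment explains the overflow reasoning but not this unit assumption. _NET_WM_ICON is set by arbitrary clients and this check is what stops `image_new_from_argb32` from reading past the end of the reply, so the dependency should be written down next to it, for example `/* r->length is in 32-bit units, the same unit as the pixels, because format == 32 was checked above */`. Deriving the word count from `xcb_get_property_value_length(r)` would be an alternative that makes the unit explicit in the code itself. The function's closing brace lies outside this hunk, so anything after the final return is not covered here.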