-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Uli Schlachter wrote:
> If no one comes up with a patch first, I'll give it a try on thursday (no time
> before then).
> So far it looks like ewmh_window_icon_get_reply() needs some check like this
> (+
> handling integer overflows somehow):
> if (width * height + 2 > length) error()
>
> Cheers,
> Uli
Hi,
attached is my proposed patch for this. I'll hopefully remember to remove that
"TODO remove this" and the warn(), or do you think there should be a warn() left
in there?
Are there any issues associated with using unsigned long long?
Oh and, comments on this patch? Anything I missed? Anything which is unclear?
If no one finds any issues with this, I'll handle that "TODO", create a for-jd
branch again and send a pull request (if jd doesnt manually apply these patches
before then...).
Cheers,
Uli
- --
"Do you know that books smell like nutmeg or some spice from a foreign land?"
-- Faber in Fahrenheit 451
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBCAAGBQJKDHD5AAoJECLkKOvLj8sG4kcH/37o9j+Yo5wZea9I1CiOZZMi
F6tUScV5tCj4HNUAEiaSqPAuh0elo2qqw9kwMB+xQMKTBNqUQ41uPQW0dDYT5Ayi
hpC5vY0szhHhO/dF8XoCIdXwheazHPwRQUU+FripjFc6A8lZSuLfvKiYGXlWPyiu
m3RwWLXVf7R1614sJyg6//5fIyxHkCPk4NxxyRyelHXCh6VSQf1dz0cNTjOJs0BV
XxRfkTMhkJDng/0LrQ9LGK7XVuYjS5XKBtV8NTruoTAA27A8uTI78ZoNIj32ZKjo
D1NVYRI+kJd1Vh41fu5N1O1BeD7kLyvZ45RkKypTcOw8N7Bb4SEv05rJw+fS7Jk=
=QCFA
-----END PGP SIGNATURE-----
>From fe99516defcbd6368f19e4d3f4b87f22332d011c Mon Sep 17 00:00:00 2001
From: Uli Schlachter <[email protected]>
Date: Tue, 12 May 2009 11:05:34 +0200
Subject: [PATCH 1/2] Restructure the code in ewmh_window_icon_from_reply() slightly
This is just a preparation for the following commit.
Signed-off-by: Uli Schlachter <[email protected]>
---
ewmh.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/ewmh.c b/ewmh.c
index 2ac8bd7..19ae6cb 100644
--- a/ewmh.c
+++ b/ewmh.c
@@ -662,11 +662,14 @@ ewmh_window_icon_from_reply(xcb_get_property_reply_t *r)
{
uint32_t *data;
- if(r && r->type == CARDINAL && r->format == 32 && r->length >= 2 &&
- (data = (uint32_t *) xcb_get_property_value(r)) && data[0] && data[1])
- return image_new_from_argb32(data[0], data[1], data + 2);
+ if(!r || r->type != CARDINAL || r->format != 32 || r->length < 2)
+ return 0;
- return 0;
+ data = (uint32_t *) xcb_get_property_value(r);
+ if (!data || !data[0] || !data[1])
+ return 0;
+
+ return image_new_from_argb32(data[0], data[1], data + 2);
}
/** Get NET_WM_ICON.
--
1.6.2.4
>From 785127406e8598ad0ef13c619878a2d149ea9846 Mon Sep 17 00:00:00 2001
From: Uli Schlachter <[email protected]>
Date: Tue, 12 May 2009 11:08:43 +0200
Subject: [PATCH 2/2] Check that the property is as long as it should be
Before this, a _NET_WM_ICON could have been 5 bytes long but still claiming
that the image it describes is 100x100 pixel in size.
Signed-off-by: Uli Schlachter <[email protected]>
---
ewmh.c | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
diff --git a/ewmh.c b/ewmh.c
index 19ae6cb..6d4890f 100644
--- a/ewmh.c
+++ b/ewmh.c
@@ -661,14 +661,26 @@ int
ewmh_window_icon_from_reply(xcb_get_property_reply_t *r)
{
uint32_t *data;
+ unsigned long long len;
if(!r || r->type != CARDINAL || r->format != 32 || r->length < 2)
return 0;
data = (uint32_t *) xcb_get_property_value(r);
- if (!data || !data[0] || !data[1])
+ if (!data)
return 0;
+ /* Check that the property is as long as it should be, handling integer
+ * overflow. unsigned long long got at least 64 bit and thus this
+ * multiplication can not overflow.
+ */
+ len = data[0] * (unsigned long long) data[1];
+ if (!data[0] || !data[1] || len > r->length - 2) {
+ /* TODO remove this warning */
+ warn("Ignoring invalid icon");
+ return 0;
+ }
+
return image_new_from_argb32(data[0], data[1], data + 2);
}
--
1.6.2.4
