hw/xwin: Improve NET_WM_ICON validation
Check that we don't overrun the end of the property data while converting icons See http://cygwin.com/ml/cygwin-xfree/2013-06/msg00040.html for testcase. Also, some warning fixes in winXIconToHICON() Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk> Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
This commit is contained in:
parent
ab61d07002
commit
896b53ffa7
|
@ -372,13 +372,12 @@ winXIconToHICON(Display * pDisplay, Window id, int iconSize)
|
||||||
unsigned char *mask, *image = NULL, *imageMask;
|
unsigned char *mask, *image = NULL, *imageMask;
|
||||||
unsigned char *dst, *src;
|
unsigned char *dst, *src;
|
||||||
int planes, bpp, i;
|
int planes, bpp, i;
|
||||||
int biggest_size = 0;
|
unsigned int biggest_size = 0;
|
||||||
HDC hDC;
|
HDC hDC;
|
||||||
ICONINFO ii;
|
ICONINFO ii;
|
||||||
XWMHints *hints;
|
XWMHints *hints;
|
||||||
HICON hIcon = NULL;
|
HICON hIcon = NULL;
|
||||||
uint32_t *biggest_icon = NULL;
|
uint32_t *biggest_icon = NULL;
|
||||||
|
|
||||||
static Atom _XA_NET_WM_ICON;
|
static Atom _XA_NET_WM_ICON;
|
||||||
static int generation;
|
static int generation;
|
||||||
uint32_t *icon, *icon_data = NULL;
|
uint32_t *icon, *icon_data = NULL;
|
||||||
|
@ -405,10 +404,25 @@ winXIconToHICON(Display * pDisplay, Window id, int iconSize)
|
||||||
(icon_data != NULL)) {
|
(icon_data != NULL)) {
|
||||||
for (icon = icon_data; icon < &icon_data[size] && *icon;
|
for (icon = icon_data; icon < &icon_data[size] && *icon;
|
||||||
icon = &icon[icon[0] * icon[1] + 2]) {
|
icon = &icon[icon[0] * icon[1] + 2]) {
|
||||||
/* Find an exact match to the size we require... */
|
winDebug("winXIconToHICON: %u x %u NetIcon\n", icon[0], icon[1]);
|
||||||
|
|
||||||
|
/* Icon data size will overflow an int and thus is bigger than the
|
||||||
|
property can possibly be */
|
||||||
|
if ((INT_MAX/icon[0]) < icon[1]) {
|
||||||
|
winDebug("winXIconToHICON: _NET_WM_ICON icon data size overflow\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Icon data size is bigger than amount of data remaining */
|
||||||
|
if (&icon[icon[0] * icon[1] + 2] > &icon_data[size]) {
|
||||||
|
winDebug("winXIconToHICON: _NET_WM_ICON data is malformed\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Found an exact match to the size we require... */
|
||||||
if (icon[0] == iconSize && icon[1] == iconSize) {
|
if (icon[0] == iconSize && icon[1] == iconSize) {
|
||||||
winDebug("winXIconToHICON: found %lu x %lu NetIcon\n", icon[0],
|
winDebug("winXIconToHICON: selected %d x %d NetIcon\n",
|
||||||
icon[1]);
|
iconSize, iconSize);
|
||||||
hIcon = NetWMToWinIcon(bpp, icon);
|
hIcon = NetWMToWinIcon(bpp, icon);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -421,7 +435,7 @@ winXIconToHICON(Display * pDisplay, Window id, int iconSize)
|
||||||
|
|
||||||
if (!hIcon && biggest_icon) {
|
if (!hIcon && biggest_icon) {
|
||||||
winDebug
|
winDebug
|
||||||
("winXIconToHICON: selected %lu x %lu NetIcon for scaling to %u x %u\n",
|
("winXIconToHICON: selected %u x %u NetIcon for scaling to %d x %d\n",
|
||||||
biggest_icon[0], biggest_icon[1], iconSize, iconSize);
|
biggest_icon[0], biggest_icon[1], iconSize, iconSize);
|
||||||
|
|
||||||
hIcon = NetWMToWinIcon(bpp, biggest_icon);
|
hIcon = NetWMToWinIcon(bpp, biggest_icon);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user