hw/xwin: Fix possible crash in winMultiWindowGetClassHint

Fix a possible crash in winMultiWindowGetClassHint() when an application doesn't null terminate the WM_CLASS property class name (which is an ICCCM conformance bug in the application) (Reported for running the contiki cooja simulator in multiwindow mode, although it seems that many Java clients may have this problem, see [1]) Based on a patch by Marc Haesen. v2: Avoid using strnlen() which is missing on MinGW v3: Align with Xming patch [1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6961123 Signed-off-by: Colin Harrison <colin.harrison@virgin.net> Reviewed-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net> Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
2013-06-25 21:34:43 +01:00 · 2013-06-25 21:34:43 +01:00 · e95bb97073
parent 4bc375aa2f
commit e95bb97073
1 changed files with 14 additions and 7 deletions
--- a/hw/xwin/winmultiwindowclass.c
+++ b/hw/xwin/winmultiwindowclass.c
@ -68,7 +68,12 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class)
    while (prop) {
        if (prop->propertyName == XA_WM_CLASS
            && prop->type == XA_STRING && prop->format == 8 && prop->data) {
+            /*
+              WM_CLASS property should consist of 2 null terminated strings, but we
+              must handle the cases when one or both is absent or not null terminated
+            */
            len_name = strlen((char *) prop->data);
+            if (len_name > prop->size) len_name = prop->size;

            (*res_name) = malloc(len_name + 1);

@ -77,13 +82,13 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class)
                return 0;
            }

-            /* Add one to len_name to allow copying of trailing 0 */
-            strncpy((*res_name), prop->data, len_name + 1);
+            /* Copy name and ensure null terminated */
+            strncpy((*res_name), prop->data, len_name);
+            (*res_name)[len_name] = '\0';

-            if (len_name == prop->size)
-                len_name--;
-
-            len_class = strlen(((char *) prop->data) + 1 + len_name);
+            /* Compute length of class name, it could be that it is absent or not null terminated */
+            len_class = (len_name >= prop->size) ? 0 : (strlen(((char *) prop->data) + 1 + len_name));
+            if (len_class > prop->size - 1 - len_name) len_class = prop->size - 1 - len_name;

            (*res_class) = malloc(len_class + 1);

@ -95,7 +100,9 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class)
                return 0;
            }

-            strcpy((*res_class), ((char *) prop->data) + 1 + len_name);
+            /* Copy class name and ensure null terminated */
+            strncpy((*res_class), ((char *) prop->data) + 1 + len_name, len_class);
+            (*res_class)[len_class] = '\0';

            return 1;
        }