[PATCH v3] compositor-x11: fix title overflow in x11_backend_create_output

Sun, 05 Jun 2016 10:02:33 -0700 

sprintf can overflow the fixed length title which is char[32]. This
patch change title to dynamically allocated char array using asprintf or
strdup. If one of them fail we leave returning NULL to indicate the
failure.

Signed-of-by: Benoit Gschwind<gschw...@gnu-log.net>
---
v3:
 - fix xcb_destroy_window arguments

v2:
 - fix spacing
 - properly cleanup everything on failure.

 src/compositor-x11.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/src/compositor-x11.c b/src/compositor-x11.c
index 629b5f3..8727934 100644
--- a/src/compositor-x11.c
+++ b/src/compositor-x11.c
@@ -782,7 +782,7 @@ x11_backend_create_output(struct x11_backend *b, int x, int 
y,
 {
        static const char name[] = "Weston Compositor";
        static const char class[] = "weston-1\0Weston Compositor";
-       char title[32];
+       char *title = NULL;
        struct x11_output *output;
        xcb_screen_t *screen;
        struct wm_normal_hints normal_hints;
@@ -800,11 +800,6 @@ x11_backend_create_output(struct x11_backend *b, int x, 
int y,
        output_width = width * scale;
        output_height = height * scale;
 
-       if (configured_name)
-               sprintf(title, "%s - %s", name, configured_name);
-       else
-               strcpy(title, name);
-
        if (!no_input)
                values[0] |=
                        XCB_EVENT_MASK_KEY_PRESS |
@@ -871,9 +866,24 @@ x11_backend_create_output(struct x11_backend *b, int x, 
int y,
        }
 
        /* Set window name.  Don't bother with non-EWMH WMs. */
-       xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
-                           b->atom.net_wm_name, b->atom.utf8_string, 8,
-                           strlen(title), title);
+       if (configured_name) {
+               if (asprintf(&title, "%s - %s", name, configured_name) < 0)
+                       title = NULL;
+       } else {
+               title = strdup(name);
+       }
+
+       if (title) {
+               xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, 
output->window,
+                                   b->atom.net_wm_name, b->atom.utf8_string, 8,
+                                   strlen(title), title);
+               free(title);
+       } else {
+               xcb_destroy_window(b->conn, output->window);
+               free(output);
+               return NULL;
+       }
+
        xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
                            b->atom.wm_class, b->atom.string, 8,
                            sizeof class, class);
-- 
2.7.3

_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel

Reply via email to