diff options
| author | Chris Down <chris@chrisdown.name> | 2026-01-14 14:58:05 +0800 |
|---|---|---|
| committer | Hiltjo Posthuma <hiltjo@codemadness.org> | 2026-01-16 14:13:51 +0100 |
| commit | a9aa0d8ffbb548b0b1f9f755557aef2482c0f820 (patch) | |
| tree | 1b104e0725530dfb437f732a53a49e01a2c0a913 | |
| parent | 85fe518c1af5eb43f222f4d8579e4814ed769f3b (diff) | |
Commit 244fa852fe27 ("dwm: Fix heap buffer overflow in getatomprop")
introduced a check for dl > 0 before dereferencing the property pointer.
However, I missed that the variable dl is passed to XGetWindowProperty
for both nitems_return and bytes_after_return parameters:
XGetWindowProperty(..., &dl, &dl, &p)
The final value in dl is bytes_after_return, not nitems_return. For a
successfully read property, bytes_after is typically 0 (indicating all
data was retrieved), so the check `dl > 0` is always false and dwm never
reads any atom properties. So this is safe, but not very helpful :-)
dl is probably just a dummy variable anyway, so fix by using a separate
variable for nitems, and check nitems > 0 as originally intended.
| -rw-r--r-- | dwm.c | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -864,13 +864,13 @@ Atom getatomprop(Client *c, Atom prop) { int di; - unsigned long dl; + unsigned long nitems, dl; unsigned char *p = NULL; Atom da, atom = None; if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM, - &da, &di, &dl, &dl, &p) == Success && p) { - if (dl > 0) + &da, &di, &nitems, &dl, &p) == Success && p) { + if (nitems > 0) atom = *(Atom *)p; XFree(p); } |