From a9aa0d8ffbb548b0b1f9f755557aef2482c0f820 Mon Sep 17 00:00:00 2001
From: Chris Down <chris@chrisdown.name>
Date: Wed, 14 Jan 2026 14:58:05 +0800
Subject: dwm: Fix getatomprop regression from heap overflow fix

Commit 244fa852fe27 ("dwm: Fix heap buffer overflow in getatomprop")
introduced a check for dl > 0 before dereferencing the property pointer.
However, I missed that the variable dl is passed to XGetWindowProperty
for both nitems_return and bytes_after_return parameters:

    XGetWindowProperty(..., &dl, &dl, &p)

The final value in dl is bytes_after_return, not nitems_return. For a
successfully read property, bytes_after is typically 0 (indicating all
data was retrieved), so the check `dl > 0` is always false and dwm never
reads any atom properties. So this is safe, but not very helpful :-)

dl is probably just a dummy variable anyway, so fix by using a separate
variable for nitems, and check nitems > 0 as originally intended.
---
 dwm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dwm.c b/dwm.c
index 8f4fa75..53b393e 100644
--- a/dwm.c
+++ b/dwm.c
@@ -864,13 +864,13 @@ Atom
 getatomprop(Client *c, Atom prop)
 {
 	int di;
-	unsigned long dl;
+	unsigned long nitems, dl;
 	unsigned char *p = NULL;
 	Atom da, atom = None;
 
 	if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
-		&da, &di, &dl, &dl, &p) == Success && p) {
-		if (dl > 0)
+		&da, &di, &nitems, &dl, &p) == Success && p) {
+		if (nitems > 0)
 			atom = *(Atom *)p;
 		XFree(p);
 	}
-- 
cgit v1.2.3