diff options
| author | Ulrich Sibiller <uli42@gmx.de> | 2021-01-30 18:39:14 +0100 |
|---|---|---|
| committer | Ulrich Sibiller <uli42@gmx.de> | 2021-06-20 20:12:51 +0200 |
| commit | 9d8771562c847e957250f7df7411b9ce92dd1143 (patch) | |
| tree | f607cc9624c24a1578780728be12b3279dcc2943 /nx-X11 | |
| parent | f578b86d34f5858fa215f6eebc12fec82f16792e (diff) | |
| download | nx-libs-9d8771562c847e957250f7df7411b9ce92dd1143.tar.gz nx-libs-9d8771562c847e957250f7df7411b9ce92dd1143.tar.bz2 nx-libs-9d8771562c847e957250f7df7411b9ce92dd1143.zip | |
Clipboard.c: limit selection nxagentFindCurrentSelectionIndex can return
Normally you'd expect the loop going up to NumCurrentSelections. But
the dix code will increase that number (but not nxagentMaxSelections)
when drag and drop comes into play. In that case this helper will
report a match for other selections than the ones the clipboard code
knows about. The subsequent code will then use a higher index which
will lead to out of range data reads (and writes!). Therefore we take
nxagentMaxSelections here. The startup code ensures that both arrays
will refer to the same selection for the first nxagentMaxSelections
selection atoms.
This way the clipboard code will not kick in for drag and drop
resources.
Fixes ArcticaProject/nx-libs#986
Diffstat (limited to 'nx-X11')
| -rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/Clipboard.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c b/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c index 3098ebb49..b3598eef8 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c +++ b/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c @@ -763,7 +763,21 @@ int nxagentFindLastSelectionOwnerIndex(XlibAtom sel) */ int nxagentFindCurrentSelectionIndex(Atom sel) { - for (int index = 0; index < NumCurrentSelections; index++) + /* + * Normally you'd expect the loop going up to + * NumCurrentSelections. But the dix code will increase that number + * (but not nxagentMaxSelections) when drag and drop comes into + * play. In that case this helper will report a match for other + * selections than the ones the clipboard code knows about. The + * subsequent code will then use a higher index which will be used + * by the clipboard code and will lead to out of range data reads + * (and writes!). Therefore we take nxagentMaxSelections here. The + * startup code ensures that both arrays will refer to the same + * selection for the first nxagentMaxSelections selection atoms. + */ + + // for (int index = 0; index < NumCurrentSelections; index++) + for (int index = 0; index < nxagentMaxSelections; index++) { if (CurrentSelections[index].selection == sel) { |