From 9d8771562c847e957250f7df7411b9ce92dd1143 Mon Sep 17 00:00:00 2001
From: Ulrich Sibiller
Date: Sat, 30 Jan 2021 18:39:14 +0100
Subject: Clipboard.c: limit selection nxagentFindCurrentSelectionIndex can return

Normally you'd expect the loop going up to NumCurrentSelections. But the dix code will increase that number (but not nxagentMaxSelections) when drag and drop comes into play. In that case this helper will report a match for other selections than the ones the clipboard code knows about. The subsequent code will then use a higher index which will lead to out of range data reads (and writes!). Therefore we take nxagentMaxSelections here. The startup code ensures that both arrays will refer to the same selection for the first nxagentMaxSelections selection atoms. This way the clipboard code will not kick in for drag and drop resources. Fixes ArcticaProject/nx-libs#986
---
 nx-X11/programs/Xserver/hw/nxagent/Clipboard.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c b/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c
index 3098ebb49..b3598eef8 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Clipboard.c
@@ -763,7 +763,21 @@ int nxagentFindLastSelectionOwnerIndex(XlibAtom sel)
 */
 int nxagentFindCurrentSelectionIndex(Atom sel)
 {
- for (int index = 0; index < NumCurrentSelections; index++)
+ /*
+ * Normally you'd expect the loop going up to
+ * NumCurrentSelections. But the dix code will increase that number
+ * (but not nxagentMaxSelections) when drag and drop comes into
+ * play. In that case this helper will report a match for other
+ * selections than the ones the clipboard code knows about. The
+ * subsequent code will then use a higher index which will be used
+ * by the clipboard code and will lead to out of range data reads
+ * (and writes!). Therefore we take nxagentMaxSelections here. The
+ * startup code ensures that both arrays will refer to the same
+ * selection for the first nxagentMaxSelections selection atoms.
+ */
+
+ // for (int index = 0; index < NumCurrentSelections; index++)
+ for (int index = 0; index < nxagentMaxSelections; index++)
 {
 if (CurrentSelections[index].selection == sel)
 {
-- cgit v1.2.3
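Review bot: The new bound `nxagentMaxSelections` in nxagentFindCurrentSelectionIndex is only safe while `CurrentSelections` holds at least that many entries; the comment attributes this to startup code, but nothing in the hunk checks it, so a call made while `NumCurrentSelections` is still smaller would presumably read past the dix array. Bounding by both counters keeps the fix and removes that dependency: `for (int index = 0; index < nxagentMaxSelections && index < NumCurrentSelections; index++)`. The commented-out old loop line duplicates what the block comment already explains and can be dropped. The function body continues past the hunk, so the no-match return value and the callers that index the clipboard arrays with the result are not visible here.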