From 07fae919a4474abfb55f41ed3d07bf93e74e9154 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?= <erkki.seppala@vincit.fi>
Date: Thu, 3 Feb 2011 17:08:57 +0200
Subject: cmsProp: don't deal with uninitialized values, fail instead
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Properly handle the return value of XGetWindowProperty by considering
if after the loop as well.

Using freed pointer "prop_ret"

There were numerous things wrong in how this function interacted with
XGetWindowProperty.

None of the local variables were initialized and remained that way if
the call to XGetWindowProperty returned 1 (not Succeed). That doesn't
result in after_ret being initialized in which case if it happens to
be 0, the loop was exited. In that case format_ret and nitems_ret were
uninitialized and the function might return with success (but with
uninitialized pointer in prop_ret) or XcmsFailure.

As the buffer enlarging code was called only when XGetWindowProperty
failed (returned not Success), after_ret would not have been
initialized. It would have been initialized only if the
XGetWindowProperty has returned Success earlier, but in that case the
code fragment would not have been reached.

This patch alters the function to return XcmsFailure if the call to
XGetWindowProperty fails.

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/cmsProp.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

(limited to 'nx-X11/lib/X11/cmsProp.c')

diff --git a/nx-X11/lib/X11/cmsProp.c b/nx-X11/lib/X11/cmsProp.c
index 0e8f8a2ba..7e1a70310 100644
--- a/nx-X11/lib/X11/cmsProp.c
+++ b/nx-X11/lib/X11/cmsProp.c
@@ -125,20 +125,23 @@ _XcmsGetProperty(
     unsigned long nitems_ret, after_ret;
     #endif
     Atom atom_ret;
+    int xgwp_ret;
 
-    while (XGetWindowProperty (pDpy, w, property, 0, len, False,
-			       XA_INTEGER, &atom_ret, &format_ret,
-			       &nitems_ret, &after_ret,
-			       (unsigned char **)&prop_ret)) {
-	if (after_ret > 0) {
+    while (True) {
+       xgwp_ret = XGetWindowProperty (pDpy, w, property, 0, len, False,
+                                      XA_INTEGER, &atom_ret, &format_ret,
+                                      &nitems_ret, &after_ret,
+                                      (unsigned char **)&prop_ret);
+       if (xgwp_ret == Success && after_ret > 0) {
 	    len += nitems_ret * (format_ret >> 3);
 	    XFree (prop_ret);
 	} else {
 	    break;
 	}
     }
-    if (format_ret == 0 || nitems_ret == 0) {
-	/* the property does not exist or is of an unexpected type */
+    if (xgwp_ret != Success || format_ret == 0 || nitems_ret == 0) {
+       /* the property does not exist or is of an unexpected type or
+           getting window property failed */
 	return(XcmsFailure);
     }
 
-- 
cgit v1.2.3