diff options
author | marha <marha@users.sourceforge.net> | 2012-08-21 08:14:41 +0200 |
---|---|---|
committer | marha <marha@users.sourceforge.net> | 2012-08-21 08:14:41 +0200 |
commit | b6dd6de7f745bf0e52ac1d8922dca6f6f2517803 (patch) | |
tree | 98ebefab371139f321a1b2902b1983798bb84193 /xorg-server/hw/xwin | |
parent | 1bf52245e51f23656a3520056b440a633ea5a61b (diff) | |
download | vcxsrv-b6dd6de7f745bf0e52ac1d8922dca6f6f2517803.tar.gz vcxsrv-b6dd6de7f745bf0e52ac1d8922dca6f6f2517803.tar.bz2 vcxsrv-b6dd6de7f745bf0e52ac1d8922dca6f6f2517803.zip |
Solved possible crash in winMultiWindowGetClassHint
It seems that the class name is not always null terminated. (Seen by
running the contiki cooja simulator in multiwindow mode)
Diffstat (limited to 'xorg-server/hw/xwin')
-rw-r--r-- | xorg-server/hw/xwin/winmultiwindowclass.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/xorg-server/hw/xwin/winmultiwindowclass.c b/xorg-server/hw/xwin/winmultiwindowclass.c index cc7628d5c..96f69727f 100644 --- a/xorg-server/hw/xwin/winmultiwindowclass.c +++ b/xorg-server/hw/xwin/winmultiwindowclass.c @@ -68,7 +68,7 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class) while (prop) { if (prop->propertyName == XA_WM_CLASS && prop->type == XA_STRING && prop->format == 8 && prop->data) { - len_name = strlen((char *) prop->data); + len_name = strnlen((char *) prop->data, prop->size); (*res_name) = malloc(len_name + 1); @@ -78,12 +78,18 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class) } /* Add one to len_name to allow copying of trailing 0 */ - strncpy((*res_name), prop->data, len_name + 1); + memcpy((*res_name), prop->data, len_name ); + (*res_name)[len_name]='\0'; - if (len_name == prop->size) - len_name--; - - len_class = strlen(((char *) prop->data) + 1 + len_name); + if (len_name < prop->size-1) + { + // It could be that the string is not null terminated + len_class = strnlen(((char *) prop->data) + 1 + len_name, prop->size-1-len_name); + } + else + { + len_class = 0; + } (*res_class) = malloc(len_class + 1); @@ -95,7 +101,8 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class) return 0; } - strcpy((*res_class), ((char *) prop->data) + 1 + len_name); + memcpy((*res_class), ((char *) prop->data) + 1 + len_name, len_class); + (*res_class)[len_class]='\0'; return 1; } |