From b6dd6de7f745bf0e52ac1d8922dca6f6f2517803 Mon Sep 17 00:00:00 2001
From: marha
Date: Tue, 21 Aug 2012 08:14:41 +0200
Subject: Solved possible crash in winMultiWindowGetClassHint

It seems that the class name is not always null terminated. (Seen by running the contiki cooja simulator in multiwindow mode)
---
 xorg-server/hw/xwin/winmultiwindowclass.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
(limited to 'xorg-server')
diff --git a/xorg-server/hw/xwin/winmultiwindowclass.c b/xorg-server/hw/xwin/winmultiwindowclass.c
index cc7628d5c..96f69727f 100644
--- a/xorg-server/hw/xwin/winmultiwindowclass.c
+++ b/xorg-server/hw/xwin/winmultiwindowclass.c
@@ -68,7 +68,7 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class)
 while (prop) {
 if (prop->propertyName == XA_WM_CLASS && prop->type == XA_STRING && prop->format == 8 && prop->data) {
- len_name = strlen((char *) prop->data);
+ len_name = strnlen((char *) prop->data, prop->size);
 (*res_name) = malloc(len_name + 1);
@@ -78,12 +78,18 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class)
 }
 /* Add one to len_name to allow copying of trailing 0 */
- strncpy((*res_name), prop->data, len_name + 1);
+ memcpy((*res_name), prop->data, len_name );
+ (*res_name)[len_name]='\0';
- if (len_name == prop->size)
- len_name--;
-
- len_class = strlen(((char *) prop->data) + 1 + len_name);
+ if (len_name < prop->size-1)
+ {
+ // It could be that the string is not null terminated
+ len_class = strnlen(((char *) prop->data) + 1 + len_name, prop->size-1-len_name);
+ }
+ else
+ {
+ len_class = 0;
+ }
 (*res_class) = malloc(len_class + 1);
@@ -95,7 +101,8 @@ winMultiWindowGetClassHint(WindowPtr pWin, char **res_name, char **res_class)
 return 0;
 }
- strcpy((*res_class), ((char *) prop->data) + 1 + len_name);
+ memcpy((*res_class), ((char *) prop->data) + 1 + len_name, len_class);
+ (*res_class)[len_class]='\0';
 return 1;
 }
--
cgit v1.2.3
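Review bot: In the `@@ -68,7 +68,7 @@` hunk, the bound given to `strnlen` is a byte count only because the enclosing condition requires `prop->format == 8`, and nothing at the call records that dependency. WM_CLASS is written by the X client, so its bytes cannot be assumed to end in a NUL, which is the reason for the bounded scan. I would add a comment above the call such as `/* WM_CLASS is client-supplied and may lack a terminating NUL; size counts bytes because format == 8 */`. The function body starts and ends outside this hunk.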
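Review bot: In the `@@ -78,12 +78,18 @@` hunk, `if (len_name < prop->size-1)` subtracts before comparing, so a zero-length property can make the right-hand side wrap or be converted to a very large unsigned value. Whether that happens depends on the types of `len_name` and `prop->size`, which are declared outside the hunk. If it does, the branch is taken and `strnlen` receives the bound `prop->size-1-len_name`, which would let it scan far beyond the property data. Writing the test as `if (len_name + 1 < prop->size)` avoids any subtraction that can go below zero. The retained comment `/* Add one to len_name to allow copying of trailing 0 */` no longer matches the code, which now copies `len_name` bytes and stores the terminator separately; `/* Copy the name and terminate it explicitly */` would fit.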
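Review bot: In the `@@ -95,7 +101,8 @@` hunk, the source operand `((char *) prop->data) + 1 + len_name` is still computed when `len_class` is 0. When the name filled the whole property (`len_name == prop->size`), that address lies more than one element past the end of the data. No bytes are copied in that case, but forming the pointer is itself undefined behaviour. Guarding the copy with `if (len_class > 0)` avoids it, with `(*res_class)[len_class]='\0';` left unconditional. The enclosing block and the allocation-failure path before it are only partly visible here.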