From 5c2f20edb0bca7bb955b14bd94a6bd6abc6f5a5d Mon Sep 17 00:00:00 2001 From: Benoit Gschwind Date: Sun, 5 Jun 2016 19:01:11 +0200 Subject: [PATCH] compositor-x11: fix title overflow in x11_backend_create_output sprintf can overflow the fixed length title which is char[32]. This patch change title to dynamically allocated char array using asprintf or strdup. If one of them fail we leave returning NULL to indicate the failure. Signed-off-by: Benoit Gschwind Reviewed-by: Yong Bakos Tested-by: Yong Bakos Reviewed-by: Daniel Stone Reviewed-by: Bryce Harrington Signed-off-by: Daniel Stone --- libweston/compositor-x11.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/libweston/compositor-x11.c b/libweston/compositor-x11.c index 5e46e68d..a3319b44 100644 --- a/libweston/compositor-x11.c +++ b/libweston/compositor-x11.c @@ -782,7 +782,7 @@ x11_backend_create_output(struct x11_backend *b, int x, int y, { static const char name[] = "Weston Compositor"; static const char class[] = "weston-1\0Weston Compositor"; - char title[32]; + char *title = NULL; struct x11_output *output; xcb_screen_t *screen; struct wm_normal_hints normal_hints; @@ -800,11 +800,6 @@ x11_backend_create_output(struct x11_backend *b, int x, int y, output_width = width * scale; output_height = height * scale; - if (configured_name) - sprintf(title, "%s - %s", name, configured_name); - else - strcpy(title, name); - if (!no_input) values[0] |= XCB_EVENT_MASK_KEY_PRESS | @@ -871,9 +866,24 @@ x11_backend_create_output(struct x11_backend *b, int x, int y, } /* Set window name. Don't bother with non-EWMH WMs. */ - xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window, - b->atom.net_wm_name, b->atom.utf8_string, 8, - strlen(title), title); + if (configured_name) { + if (asprintf(&title, "%s - %s", name, configured_name) < 0) + title = NULL; + } else { + title = strdup(name); + } + + if (title) { + xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window, + b->atom.net_wm_name, b->atom.utf8_string, 8, + strlen(title), title); + free(title); + } else { + xcb_destroy_window(b->conn, output->window); + free(output); + return NULL; + } + xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window, b->atom.wm_class, b->atom.string, 8, sizeof class, class);