diff options
| author | Ran Benita <ran234@gmail.com> | 2014-05-14 11:44:29 +0300 |
|---|---|---|
| committer | Ran Benita <ran234@gmail.com> | 2014-05-14 12:02:13 +0300 |
| commit | e3f751be660e28e48d1477660e99e5456c864296 (patch) | |
| tree | d4d452ec22f68e60cfbb68cc4f6a49668775d77d | |
| parent | 86cfef63ca9ae6ad01791e4a6ec73754e4a769d7 (diff) | |
| download | xorg-lib-libxkbcommon-e3f751be660e28e48d1477660e99e5456c864296.tar.gz | |
x11: fix out-of-bounds access in adopt_atoms() error handling
Two problems:
- `j` can be >= `SIZE`, and needs to be wrapped like in the rest of the
code.
- `cookies[j % SIZE]` is not initialized if there's no atom in `from[j]`.
The is manifested when:
- We've already gone through one batch (>= 128 atoms) (in fact this
cannot happen in call to `adopt_atoms` in the current code).
- An XCB request failed in the middle of a batch.
Signed-off-by: Ran Benita <ran234@gmail.com>
| -rw-r--r-- | src/x11/util.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/x11/util.c b/src/x11/util.c index 92ff2e6..47bb92a 100644 --- a/src/x11/util.c +++ b/src/x11/util.c @@ -195,11 +195,12 @@ adopt_atoms(struct xkb_context *ctx, xcb_connection_t *conn, /* * If we don't discard the uncollected replies, they just - * sit there waiting. Sad. + * sit in the XCB queue waiting forever. Sad. */ err_discard: for (size_t j = i + 1; j < stop; j++) - xcb_discard_reply(conn, cookies[j].sequence); + if (from[j] != XCB_ATOM_NONE) + xcb_discard_reply(conn, cookies[j % SIZE].sequence); return false; } } |