Bug 419860

Summary: Buffer overrun when iterating over CRTC's outputs
Product: [Plasma] kwin
Reporter: Ruslan Kabatsayev <b7.10110111>
Component: platform-x11-standalone
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED UNMAINTAINED
Severity: normal
CC: xaver.hugl
Priority: NOR
Version First Reported In: 5.16.5
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Ruslan Kabatsayev 2020-04-08 22:12:31 UTC
In KWin 5.16.5, in the XRandRScreens::update() function, a CrtcInfo is created, from which outputs() are obtained. Then a loop iterates over this array, indexing outputs[i] with i from 0 to resources->num_outputs. But this upper limit is not the number of outputs for the given CRTC; it is the number of outputs in all the screen resources. CrtcInfo instead has its own associated xcb_randr_get_crtc_info_reply_t::num_outputs, which should be used as the upper limit.

The same mistake remains in KWin 5.18 in X11StandalonePlatform::doUpdateOutputs() function.

The result is that the current code reads past outputs, into possible_outputs, and then the reads go beyond the server reply if there are more total outputs than the CRTC's num_outputs + num_possible_outputs.
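To make the bound mismatch in the report concrete, here is an added C example (not KWin's or xcb's own code) that models the GetCrtcInfo reply layout with a simplified struct, counts where a loop bounded by the screen-wide output count would read, and shows the same loop bounded by the CRTC's own num_outputs. The struct layout, make_crtc_info and the output ids are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Model of the RandR GetCrtcInfo reply body: header, then num_outputs OUTPUT ids
 * (what the CRTC drives), then num_possible_outputs ids (what it could drive). */
typedef struct {
    uint16_t num_outputs;
    uint16_t num_possible_outputs;
    uint32_t ids[]; /* outputs[0..num_outputs) then possible[0..num_possible_outputs) */
} crtc_info_model_t;

/* Where the report's loop reads when i runs to the screen-wide num_outputs. */
typedef struct {
    int in_outputs;  /* valid: the CRTC's own outputs */
    int in_possible; /* wrong data: spills into possible_outputs */
    int past_reply;  /* out of bounds: beyond the end of the server reply */
} read_classes_t;

/* Builds a constructed sample reply (hypothetical ids); caller frees it. */
crtc_info_model_t *make_crtc_info(const uint32_t *outputs, uint16_t n_out,
                                  const uint32_t *possible, uint16_t n_pos) {
    size_t n_ids = (size_t)n_out + n_pos;
    crtc_info_model_t *r = malloc(sizeof *r + n_ids * sizeof(uint32_t));
    if (!r) return NULL;
    r->num_outputs = n_out;
    r->num_possible_outputs = n_pos;
    memcpy(r->ids, outputs, n_out * sizeof(uint32_t));
    memcpy(r->ids + n_out, possible, n_pos * sizeof(uint32_t));
    return r;
}

/* Classifies the reads without performing them, so nothing undefined runs. */
read_classes_t classify_loop_reads(const crtc_info_model_t *r, int screen_num_outputs) {
    read_classes_t c = {0, 0, 0};
    int reply_end = r->num_outputs + r->num_possible_outputs;
    for (int i = 0; i < screen_num_outputs; ++i) {
        if (i < r->num_outputs)    c.in_outputs++;
        else if (i < reply_end)    c.in_possible++;
        else                       c.past_reply++;
    }
    return c;
}

/* Corrected iteration: bounded by the CRTC's own num_outputs (the limit the
 * report asks for) and by the caller's buffer. Returns the count copied. */
int collect_crtc_outputs(const crtc_info_model_t *r, uint32_t *dst, size_t cap) {
    size_t n = r->num_outputs < cap ? r->num_outputs : cap;
    memcpy(dst, r->ids, n * sizeof(uint32_t));
    return (int)n;
}
```

With one driven output, two possible outputs and five outputs screen-wide, the screen-bounded loop makes one valid read, two reads of possible_outputs and two reads past the reply, exactly the situation the report describes.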
Comment 1 Zamundaaa 2023-09-06 10:37:18 UTC
Doesn't seem to be the case in 5.27 anymore
Comment 2 David Edmundson 2023-09-06 10:38:15 UTC
This bug was reported against an outdated version of KWin. We have made many changes since then.
If the issue persists in newer versions, can you reopen the bug report, updating the version number?