| Summary: | Invalid _NET_WM_ICON crashes kwin | ||
|---|---|---|---|
| Product: | [Plasma] kwin | Reporter: | Billy Biggs <vektor> |
| Component: | general | Assignee: | KWin default assignee <kwin-bugs-null> |
| Status: | RESOLVED FIXED | ||
| Severity: | crash | CC: | robert.kausch |
| Priority: | NOR | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Platform: | Debian testing | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed In: | ||
| Sentry Crash Report: | |||
CVS commit by lunakl: Protect against attempts at sabotaging KWin. CCMAIL: 90944-done@bugs.kde.org M +1 -1 netwm.cpp 1.137 --- kdelibs/kdecore/netwm.cpp #1.136:1.137 @@ -495,5 +495,5 @@ fprintf(stderr, "NETWM: Warning readIcon s = sz * sizeof(long); - if ( i + s - 1 > bufsize ) { + if ( i + s - 1 > bufsize || sz == 0 || sz > 1024 * 1024 ) { break; } Unfortunately, this bug has been reintroduced in Plasma 5. The original code submitted by Billy crashes even the latest KWin 5.3.2 again. And fixed again in kwindowsystem 5.13. Thanks! |
Version: 3.3.0 (using KDE KDE 3.3.0) Installed from: Debian testing/unstable Packages OS: Linux The following application causes kwin to crash. #include <stdlib.h> #include <X11/Xlib.h> int main( int argc, char **argv ) { Display *d = XOpenDisplay(0); int s = DefaultScreen(d); unsigned int *data = malloc(1026 * 4); Atom net_wm_icon = XInternAtom(d, "_NET_WM_ICON", False); Atom cardinal = XInternAtom(d, "CARDINAL", False); Window w; XEvent e; w = XCreateWindow(d, RootWindow(d, s), 0, 0, 20, 20, 0, CopyFromParent, InputOutput, CopyFromParent, 0, 0); data[ 0 ] = 536870912; data[ 1 ] = 536870912; XChangeProperty(d, w, net_wm_icon, cardinal, 32, PropModeReplace, (const unsigned char*) data, 1026*4); XMapWindow(d, w); while(1) XNextEvent(d, &e); }