From 97c342f9e1e1f6ac640f58d53950d92bc48dd889 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 2 Jun 2026 09:55:06 +0800 Subject: [PATCH] swaybar/tray: fix heap buffer overflow in read_pixmap Validate that the icon pixel data array size accommodates the provided dimensions. --- swaybar/tray/item.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/swaybar/tray/item.c b/swaybar/tray/item.c index 12929743b..af9b5cde3 100644 --- a/swaybar/tray/item.c +++ b/swaybar/tray/item.c @@ -66,17 +66,17 @@ static int read_pixmap(sd_bus_message *msg, struct swaybar_sni *sni, } const void *pixels; - size_t npixels; - ret = sd_bus_message_read_array(msg, 'y', &pixels, &npixels); + size_t pixel_data_size; // size in bytes, each pixel is 4 bytes + ret = sd_bus_message_read_array(msg, 'y', &pixels, &pixel_data_size); if (ret < 0) { sway_log(SWAY_ERROR, "%s %s: %s", sni->watcher_id, prop, strerror(-ret)); goto error; } - if (height > 0 && width == height) { + if (height > 0 && width == height && (size_t)width * height <= pixel_data_size / 4) { sway_log(SWAY_DEBUG, "%s %s: found icon w:%d h:%d", sni->watcher_id, prop, width, height); struct swaybar_pixmap *pixmap = - malloc(sizeof(struct swaybar_pixmap) + npixels); + malloc(sizeof(struct swaybar_pixmap) + pixel_data_size); pixmap->size = height; // convert from network byte order to host byte order