mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2026-06-06 03:03:22 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

swaybar/tray: fix heap buffer overflow in read_pixmap

Browse source 
Validate that the icon pixel data array size accommodates the provided
dimensions.
This commit is contained in:
Scott Leggett 2026-06-02 09:55:06 +08:00 committed by Simon Ser
parent 3302f1ce5c
commit 97c342f9e1
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
swaybar/tray/item.c
View file

@ -66,17 +66,17 @@ static int read_pixmap(sd_bus_message *msg, struct swaybar_sni *sni,
} }
const void *pixels; const void *pixels;
size_t npixels; size_t pixel_data_size; // size in bytes, each pixel is 4 bytes
ret = sd_bus_message_read_array(msg, 'y', &pixels, &npixels); ret = sd_bus_message_read_array(msg, 'y', &pixels, &pixel_data_size);
if (ret < 0) { if (ret < 0) {
sway_log(SWAY_ERROR, "%s %s: %s", sni->watcher_id, prop, strerror(-ret)); sway_log(SWAY_ERROR, "%s %s: %s", sni->watcher_id, prop, strerror(-ret));
goto error; goto error;
} }
if (height > 0 && width == height) { if (height > 0 && width == height && (size_t)width * height <= pixel_data_size / 4) {
sway_log(SWAY_DEBUG, "%s %s: found icon w:%d h:%d", sni->watcher_id, prop, width, height); sway_log(SWAY_DEBUG, "%s %s: found icon w:%d h:%d", sni->watcher_id, prop, width, height);
struct swaybar_pixmap *pixmap = struct swaybar_pixmap *pixmap =
malloc(sizeof(struct swaybar_pixmap) + npixels); malloc(sizeof(struct swaybar_pixmap) + pixel_data_size);
pixmap->size = height; pixmap->size = height;
// convert from network byte order to host byte order // convert from network byte order to host byte order