mirrors/wlroots
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wlroots/wlroots.git synced 2026-06-13 14:32:57 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

xwayland/xwm: check WM_TRANSIENT_FOR length

Browse source 
Without this check, the reply value might be smaller than
xcb_window_t and will result in an invalid memory read.

Reported-by: Tristan <TristanInSec@gmail.com>
(cherry picked from commit 63318d28b1)
This commit is contained in:
Simon Ser 2026-06-11 16:49:00 +02:00 committed by Simon Zeni
parent 2bacd749ec
commit 5af4343bba
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
xwayland/xwm.c
View file

@ -807,8 +807,12 @@ static void read_surface_parent(struct wlr_xwm *xwm,
}
struct wlr_xwayland_surface *found_parent = NULL;
if (reply->type != XCB_ATOM_NONE) {
if (xcb_get_property_value_length(reply) != sizeof(xcb_window_t)) {
wlr_log(WLR_DEBUG, "Invalid WM_TRANSIENT_FOR property length");
return;
}
const xcb_window_t *xid = xcb_get_property_value(reply);
if (reply->type != XCB_ATOM_NONE && xid != NULL) {
found_parent = lookup_surface(xwm, *xid);
if (!has_parent(found_parent, xsurface)) {
xsurface->parent = found_parent;