From 63318d28b1ea86873eeb1023d88e56d57bdd2453 Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Thu, 11 Jun 2026 16:49:00 +0200 Subject: [PATCH] xwayland/xwm: check WM_TRANSIENT_FOR length Without this check, the reply value might be smaller than xcb_window_t and will result in an invalid memory read. Reported-by: Tristan --- xwayland/xwm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/xwayland/xwm.c b/xwayland/xwm.c index 413981399..8cee2961e 100644 --- a/xwayland/xwm.c +++ b/xwayland/xwm.c @@ -808,8 +808,12 @@ static void read_surface_parent(struct wlr_xwm *xwm, } struct wlr_xwayland_surface *found_parent = NULL; - const xcb_window_t *xid = xcb_get_property_value(reply); - if (reply->type != XCB_ATOM_NONE && xid != NULL) { + if (reply->type != XCB_ATOM_NONE) { + if (xcb_get_property_value_length(reply) != sizeof(xcb_window_t)) { + wlr_log(WLR_DEBUG, "Invalid WM_TRANSIENT_FOR property length"); + return; + } + const xcb_window_t *xid = xcb_get_property_value(reply); found_parent = lookup_surface(xwm, *xid); if (!has_parent(found_parent, xsurface)) { xsurface->parent = found_parent;