xwayland/selection: stop using VLAs for MIME type atom lists

The size of the VLA is client-controlled and can overflow the
stack. Instead, allocate on the heap.

Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/work_items/4090

xwayland/selection/dnd.c

@@ -83,7 +83,12 @@ static void xwm_dnd_send_enter(struct wlr_xwm *xwm) {
 		// data and must be retrieved with the DND_TYPE_LIST property
 		data.data32[1] |= 1;
 
-		xcb_atom_t targets[n];
+		xcb_atom_t *targets = malloc(n * sizeof(targets[0]));
+		if (targets == NULL) {
+			wlr_log(WLR_ERROR, "Allocation failed");
+			return;
+		}
+
 		size_t i = 0;
 		char **mime_type_ptr;
 		wl_array_for_each(mime_type_ptr, mime_types) {
@@ -99,6 +104,8 @@ static void xwm_dnd_send_enter(struct wlr_xwm *xwm) {
 			XCB_ATOM_ATOM,
 			32, // format
 			n, targets);
+
+		free(targets);
 	}
 
 	xwm_dnd_send_event(xwm, xwm->atoms[DND_ENTER], &data);

xwayland/selection/outgoing.c

@@ -336,7 +336,11 @@ static void xwm_selection_send_targets(struct wlr_xwm_selection *selection,
 	}
 
 	size_t n = 2 + mime_types->size / sizeof(char *);
-	xcb_atom_t targets[n];
+	xcb_atom_t *targets = malloc(n * sizeof(targets[0]));
+	if (targets == NULL) {
+		wlr_log(WLR_ERROR, "Allocation failure");
+		return;
+	}
 	targets[0] = xwm->atoms[TIMESTAMP];
 	targets[1] = xwm->atoms[TARGETS];
 
@@ -356,6 +360,8 @@ static void xwm_selection_send_targets(struct wlr_xwm_selection *selection,
 		32, // format
 		n, targets);
 
+	free(targets);
+
 	xwm_selection_send_notify(selection->xwm, req, true);
 }