[PATCH 01/02] wmaker: fix integer overflow in _NET_WM_ICON parser


david.m...@gmail.com

May 10, 2026, 11:31:43 PM
to Window Maker Development
findBestIcon() multiplies two attacker-controlled 32-bit ints (icon
width * height) without overflow checking. A client setting
_NET_WM_ICON = {2, 0x7FFFFFFF} makes "size" wrap to 0 so "i += size"
never advances and wmaker spins forever at 100% CPU.

The same loop also never verifies that the claimed icon actually fits
inside the property buffer, allowing a 2-element property to drive a
multi-KB OOB read in makeRImageFromARGBData().

Validate dimensions against a 4096-pixel cap (safe from unsigned long
overflow) and reject icons whose pixel data would extend past the end
of the property.

---
 src/wmspec.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/wmspec.c b/src/wmspec.c
index 1111111..2222222 100644
--- a/src/wmspec.c
+++ b/src/wmspec.c
@@ -456,11 +456,13 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
  for (i = 0L; i < items - 1;) {

  /* get the current icon's size */
  sx = (int)data[i];
  sy = (int)data[i + 1];
- if ((sx < 1) || (sy < 1))
+ if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
  break;
- size = sx * sy + 2;
+ size = (unsigned long)sx * (unsigned long)sy + 2;
+ if ((unsigned long)size > items - i)
+ break;

  /* check the size difference if it's not too large */
  if ((sx <= wanted) && (sy <= wanted)) {
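Review bot: the new `if ((unsigned long)size > items - i)` check relies on `i < items - 1` holding, but `items` is `unsigned long` (see the function signature), so `items - 1` wraps when the property has zero items and `data[0]`/`data[1]` are read before any check runs; consider rejecting `items < 2` at function entry, which also makes `items - i` safe by construction. Also, the cast in `size = (unsigned long)sx * (unsigned long)sy + 2;` only helps if `size` itself is declared `unsigned long`; the later `(unsigned long)size` cast suggests it may still be an `int`, in which case the product is truncated on assignment (harmless under the 4096 cap, but the cast then documents a protection it does not provide). Either change the declaration of `size` or drop the redundant cast, and adjust the commit message: the cap is 4096 per dimension (up to 16M pixels), not "4096 pixels".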
@@ -485,9 +487,13 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
   * small image by a small scale. */
  largest = 0;
  for (i = 0L; i < items - 1;) {
- size = (int)data[i] * (int)data[i + 1];
- if (size == 0)
+ sx = (int)data[i];
+ sy = (int)data[i + 1];
+ if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
  break;
+ size = (unsigned long)sx * (unsigned long)sy;
+ if ((unsigned long)size + 2 > items - i)
+ break;
  if (size > largest) {
  icon = &data[i];
  largest = size;
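Review bot: the validation block `sx < 1 || sy < 1 || sx > 4096 || sy > 4096` followed by the `items - i` fit check now appears verbatim in both loops, with the `4096` literal repeated four times; factor it into a small static helper (returning the icon's word count, or 0 on failure) and a named constant so the two loops cannot drift apart. The two fit checks are also written differently (`size > items - i` with `+ 2` folded into `size` in the first loop, `size + 2 > items - i` here); both are correct, but the asymmetry is easy to misread and a shared helper removes it. The unchanged `if (size > largest)` comparison is fine as-is: even if `largest` is an `int`, the capped product (at most 4096*4096 = 16777216) still fits.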
--
2.43.0
0001-wmspec-fix-integer-overflow-in-_NET_WM_ICON-parser.patch
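As an added example, not part of this patch or of Window Maker's own code, the following stand-alone C program models the two checks the patch introduces: the per-dimension cap that keeps `sx * sy + 2` from wrapping, and the check that the claimed pixel data ends inside the property buffer. The names `ICON_DIM_MAX`, `unchecked_size32`, `checked_icon_size` and `count_valid_icons` are hypothetical, and the three `_NET_WM_ICON` properties are constructed samples (the first is the hostile `{2, 0x7FFFFFFF}` header from the commit message). The wrap is reproduced in `uint32_t` arithmetic, where it is well defined, rather than in signed `int`, where it would be undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-dimension cap, mirroring the 4096 limit in the patch.
 * 4096 * 4096 + 2 = 16777218 fits comfortably in 32 bits, so the size
 * computation below cannot wrap once both dimensions pass this check. */
#define ICON_DIM_MAX 4096UL

/* Models the unchecked 32-bit arithmetic the commit message describes
 * ("size = sx * sy + 2" with 32-bit operands). For {2, 0x7FFFFFFF}:
 * 2 * 0x7FFFFFFF = 0xFFFFFFFE, plus 2 wraps to 0, so "i += size" stalls. */
static uint32_t unchecked_size32(uint32_t sx, uint32_t sy)
{
    return sx * sy + 2u;
}

/* Validate the icon header at data[i], data[i+1] against the remaining
 * property length. Returns the number of words the icon occupies
 * (2 header words + sx*sy pixel words), or 0 if the icon is invalid. */
static unsigned long checked_icon_size(const unsigned long *data,
                                       unsigned long items, unsigned long i)
{
    unsigned long sx, sy, size;

    /* Need room for the two header words; also avoids items - 1 underflow. */
    if (items < 2 || i > items - 2)
        return 0;
    sx = data[i];
    sy = data[i + 1];
    if (sx < 1 || sy < 1 || sx > ICON_DIM_MAX || sy > ICON_DIM_MAX)
        return 0;
    size = sx * sy + 2;       /* bounded by the cap, cannot wrap */
    if (size > items - i)     /* pixel data must end inside the property */
        return 0;
    return size;
}

/* Count well-formed icons in a property, advancing by each icon's size the
 * way findBestIcon() does; stops at the first bad header. */
static unsigned long count_valid_icons(const unsigned long *data,
                                       unsigned long items)
{
    unsigned long i = 0, n = 0, size;

    while ((size = checked_icon_size(data, items, i)) != 0) {
        n++;
        i += size;
    }
    return n;
}

/* Constructed sample: the hostile header from the commit message. */
static const unsigned long hostile[] = { 2, 0x7FFFFFFF };
/* Constructed sample: a 2x2 icon followed by a 1x1 icon, all pixels present. */
static const unsigned long good[] = { 2, 2, 0xFF000000, 0xFF000000,
                                      0xFF000000, 0xFF000000,
                                      1, 1, 0xFFFFFFFF };
/* Constructed sample: claims 4x4 but only three pixel words follow. */
static const unsigned long truncated[] = { 4, 4, 1, 2, 3 };

#define NITEMS(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("unchecked 32-bit size for {2, 0x7FFFFFFF}: %u\n",
           unchecked_size32(2u, 0x7FFFFFFFu));
    printf("hostile:   %lu valid icon(s)\n", count_valid_icons(hostile, NITEMS(hostile)));
    printf("good:      %lu valid icon(s)\n", count_valid_icons(good, NITEMS(good)));
    printf("truncated: %lu valid icon(s)\n", count_valid_icons(truncated, NITEMS(truncated)));
    return 0;
}
```

The program rejects the hostile header on the dimension cap before any multiplication happens, accepts both icons in the well-formed property, and rejects the truncated one on the fit check; the loop in `count_valid_icons` therefore always terminates because every accepted `size` is at least 3.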