[repo.or.cz] wmaker-crm.git branch master updated: wmaker-0.96.0-102-gaa7287efbf0e


crmafra

May 11, 2026, 5:10:20 AM
to wmake...@googlegroups.com
This is an automated email generated because a ref change occurred in the
git repository for project wmaker-crm.git.

The branch, master has been updated
via aa7287efbf0e7f7ab13e46bb85ae71981e1ac3bd (commit)
via 5eb328753537d69fbcc825ef542be7b9b3249b21 (commit)
from 931186bd18cbe5249f1f4d06e02ba1fcc2609d06 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit aa7287efbf0e7f7ab13e46bb85ae71981e1ac3bd
Author: David Maciejak <david.m...@gmail.com>
Date: Thu, 9 Apr 2026 22:55:01 +0000
URL: <https://repo.or.cz/wmaker-crm.git/aa7287efbf0e7f7a>

wmaker: check RCreateImage() result for _NET_WM_ICON

makeRImageFromARGBData() dereferences image->data immediately after
RCreateImage() without checking for NULL. A client that advertises a
20000x20000 icon makes RCreateImage() try a 1.6 GB malloc; on failure,
wmaker segfaults.
---
src/wmspec.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/wmspec.c b/src/wmspec.c
index 26f4a5a6719d..2d9b4611b4d1 100644
--- a/src/wmspec.c
+++ b/src/wmspec.c
@@ -408,6 +408,8 @@ static RImage *makeRImageFromARGBData(unsigned long *data)
return NULL;

image = RCreateImage(width, height, True);
+ if (!image)
+ return NULL;

for (imgdata = image->data, i = 2; i < size + 2; i++, imgdata += 4) {
pixel = data[i];
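
Review bot: the NULL check closes the crash described in the commit message, but a failed RCreateImage() now makes the function return NULL silently and the client's icon simply disappears; consider logging the requested width and height on this path so an operator can tell an allocation failure apart from a client that advertised no usable icon. The check is not redundant even with the 4096-pixel cap from the sibling commit: at four bytes per pixel (the `imgdata += 4` stride, consistent with the 1.6 GB figure given for 20000x20000), a single 4096x4096 icon still asks for 4096 * 4096 * 4 = 67108864 bytes (64 MiB) per lookup, and that allocation can legitimately fail.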

commit 5eb328753537d69fbcc825ef542be7b9b3249b21
Author: David Maciejak <david.m...@gmail.com>
Date: Thu, 9 Apr 2026 22:55:00 +0000
URL: <https://repo.or.cz/wmaker-crm.git/5eb328753537d69f>

wmaker: fix integer overflow in _NET_WM_ICON parser

findBestIcon() multiplies two attacker-controlled 32-bit ints (icon
width * height) without overflow checking. A client setting
_NET_WM_ICON = {2, 0x7FFFFFFF} makes "size" wrap to 0 so "i += size"
never advances and wmaker spins forever at 100% CPU.

The same loop also never verifies that the claimed icon actually fits
inside the property buffer, allowing a 2-element property to drive a
multi-KB OOB read in makeRImageFromARGBData().

Validate dimensions against a 4096-pixel cap (safe from unsigned long
overflow) and reject icons whose pixel data would extend past the end
of the property.
---
src/wmspec.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/wmspec.c b/src/wmspec.c
index 8f4a3ccf0da9..26f4a5a6719d 100644
--- a/src/wmspec.c
+++ b/src/wmspec.c
@@ -458,9 +458,11 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
/* get the current icon's size */
sx = (int)data[i];
sy = (int)data[i + 1];
- if ((sx < 1) || (sy < 1))
+ if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
+ break;
+ size = (unsigned long)sx * (unsigned long)sy + 2;
+ if ((unsigned long)size > items - i)
break;
- size = sx * sy + 2;

/* check the size difference if it's not too large */
if ((sx <= wanted) && (sy <= wanted)) {
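
Review bot: the `(unsigned long)size` cast in `if ((unsigned long)size > items - i)` indicates `size` is still declared `int`; with the 4096 cap the largest value is 4096 * 4096 + 2 = 16777218, which fits, but declaring `size` as `unsigned long` would make the assignment and the comparison against `items - i` type-consistent without the casts. The bounds check itself is correct: `size` counts the two header words plus the pixels, so the icon occupies `data[i]` through `data[i + size - 1]`, and `size <= items - i` is exactly the condition for it to fit inside the property. Worth a one-line comment in the code: `break` rather than `continue` means one malformed entry hides every icon after it, which is the right choice because the offsets that follow are derived from the bogus size and cannot be trusted.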
@@ -485,8 +487,12 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
* small image by a small scale. */
largest = 0;
for (i = 0L; i < items - 1;) {
- size = (int)data[i] * (int)data[i + 1];
- if (size == 0)
+ sx = (int)data[i];
+ sy = (int)data[i + 1];
+ if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
+ break;
+ size = (unsigned long)sx * (unsigned long)sy;
+ if ((unsigned long)size + 2 > items - i)
break;
if (size > largest) {
icon = &data[i];
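
Review bot: this loop defines `size` as `sx * sy` and adds the two header words only inside the check (`if ((unsigned long)size + 2 > items - i)`), whereas the loop in the previous hunk folds the `+ 2` into `size` itself. The two checks are equivalent, but using one convention in both loops would make the bounds logic easier to audit, since a reader now has to confirm separately for each loop that the `+ 2` lands on the correct side; because `size` is compared with `largest` below, the pixel-count convention used here is the one to keep if the other loop is aligned. The new `sx < 1 || sy < 1` test also covers what the old `size == 0` test was meant to catch, and additionally rejects dimensions that the `(int)` cast turns negative, which the old product test did not.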

-----------------------------------------------------------------------

Summary of changes:
src/wmspec.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)


repo.or.cz automatic notification. Contact project admin crm...@gmail.com
if you want to unsubscribe, or site admin ad...@repo.or.cz if you receive
no reply.
--
wmaker-crm.git ("The Window Maker window manager")