[hackers] [dwm] dwm: Fix getatomprop regression from heap overflow fix || Chris Down

From: <git_AT_suckless.org>
Date: Fri, 16 Jan 2026 14:30:47 +0100 (CET)

commit a9aa0d8ffbb548b0b1f9f755557aef2482c0f820
Author: Chris Down <chris_AT_chrisdown.name>
AuthorDate: Wed Jan 14 14:58:05 2026 +0800
Commit: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
CommitDate: Fri Jan 16 14:13:51 2026 +0100

    dwm: Fix getatomprop regression from heap overflow fix
    
    Commit 244fa852fe27 ("dwm: Fix heap buffer overflow in getatomprop")
    introduced a check for dl > 0 before dereferencing the property pointer.
    However, I missed that the variable dl is passed to XGetWindowProperty
    for both nitems_return and bytes_after_return parameters:
    
        XGetWindowProperty(..., &dl, &dl, &p)
    
    The final value in dl is bytes_after_return, not nitems_return. For a
    successfully read property, bytes_after is typically 0 (indicating all
    data was retrieved), so the check `dl > 0` is always false and dwm never
    reads any atom properties. So this is safe, but not very helpful :-)
    
    dl is probably just a dummy variable anyway, so fix by using a separate
    variable for nitems, and check nitems > 0 as originally intended.

diff --git a/dwm.c b/dwm.c
index 8f4fa75..53b393e 100644
--- a/dwm.c
+++ b/dwm.c
_AT_@ -864,13 +864,13 @@ Atom
 getatomprop(Client *c, Atom prop)
 {
         int di;
- unsigned long dl;
+ unsigned long nitems, dl;
         unsigned char *p = NULL;
         Atom da, atom = None;
 
         if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
- &da, &di, &dl, &dl, &p) == Success && p) {
- if (dl > 0)
+ &da, &di, &nitems, &dl, &p) == Success && p) {
+ if (nitems > 0)
                         atom = *(Atom *)p;
                 XFree(p);
         }
Received on Fri Jan 16 2026 - 14:30:47 CET