[hackers] [dwm] more overflow fix in getatomprop() || NRK

From: <git_AT_suckless.org>
Date: Fri, 20 Feb 2026 15:36:10 +0100 (CET)

commit c3dd6a829b3f5cb9474bcca787a9c8a86932d75d
Author: NRK <nrk_AT_disroot.org>
AuthorDate: Tue Feb 17 07:31:35 2026 +0000
Commit: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
CommitDate: Fri Feb 20 15:31:29 2026 +0100

    more overflow fix in getatomprop()
    
    commit 244fa852 (and a9aa0d8) tried to fix overflow by checking
    the number of items returned. however this is not sufficient
    since the format may be lower than 32 bits.
    
    to reproduce the crash, i used the reproducer given in commit
    244fa85 but changed the XChangeProperty line to the following to
    set the property to a 1 element 16 bit item:
    
            short si = 1;
            XChangeProperty(d, w, net_wm_state, XA_ATOM, 16,
                    PropModeReplace, (unsigned char *)&si, 1);
    
    this client reliably crashes dwm under ASAN since dwm is trying
    to read a 32 bit value from a 16 bit one. fix it by checking for
    format == 32 as well.
    
    also change the access type from Atom to long, on my machine
    Atom is typedef-ed to long already but that may not be true
    everywhere. the XGetWindowProperty manpage says format == 32 is
    returned as `long` so use `long` directly.
    
    (N.B: it also might be worth checking if the returned type is
     XA_ATOM as well, but i wasn't able to cause any crashes by
     setting different types so i'm leaving it out for now.)

diff --git a/dwm.c b/dwm.c
index a5e1ce9..0a67103 100644
--- a/dwm.c
+++ b/dwm.c
_AT_@ -863,15 +863,15 @@ focusstack(const Arg *arg)
 Atom
 getatomprop(Client *c, Atom prop)
 {
- int di;
+ int format;
         unsigned long nitems, dl;
         unsigned char *p = NULL;
         Atom da, atom = None;
 
         if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
- &da, &di, &nitems, &dl, &p) == Success && p) {
- if (nitems > 0)
- atom = *(Atom *)p;
+ &da, &format, &nitems, &dl, &p) == Success && p) {
+ if (nitems > 0 && format == 32)
+ atom = *(long *)p;
                 XFree(p);
         }
         return atom;
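Review bot: the actual type returned in `da` is still not checked in the `if (nitems > 0 && format == 32)` condition, so the data is read as an atom based on item count and format alone; adding `&& da == XA_ATOM` there would be a cheap extra guard, and the commit message itself raises it as a possible follow-up. Separately, the length argument on the unchanged XGetWindowProperty line is `sizeof atom`, but that parameter is counted in 32-bit units, so the call asks for more data than the single item that is read; `1L` would be enough. A short comment next to `*(long *)p` noting that format 32 data is returned as an array of long would also explain why the cast is not `Atom *`.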
Received on Fri Feb 20 2026 - 15:36:10 CET