Skip to content

hints: Fix buffer overflow with ASan-enabled Xlib

correctmost requested to merge correctmost/xfwm4:cm/fix-setwmstate-overflow into master

Description

xfwm4 triggers a buffer overflow when I run it against an ASan-enabled Xlib (both codebases are built from master).

ASan report

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7baddb87a3a8 at pc 0x7bade030095d bp 0x7ffc8e4d1050 sp 0x7ffc8e4d1040
READ of size 8 at 0x7baddb87a3a8 thread T0
    #0 0x7bade030095c in _XData32 libx11/src/XlibInt.c:1684
    #1 0x7bade01e0e53 in XChangeProperty libx11/src/ChProp.c:83
    #2 0x58f754bce6a8 in setWMState xfwm4/src/hints.c:91
    #3 0x58f754b48c84 in clientShowSingle xfwm4/src/client.c:2403
    #4 0x58f754b48c84 in clientShow xfwm4/src/client.c:2429
    #5 0x58f754bbcf3b in clientFocusNew xfwm4/src/focus.c:249
    #6 0x58f754b61a38 in clientFrame xfwm4/src/client.c:2017
    #7 0x58f754bb17c4 in handleMapRequest xfwm4/src/events.c:1171
    #8 0x58f754bb17c4 in handleEvent xfwm4/src/events.c:2221
    #9 0x58f754bb17c4 in xfwm4_event_filter xfwm4/src/events.c:2302
    #10 0x58f754ba422a in eventXfwmFilter xfwm4/src/event_filter.c:175
    #11 0x7bade6d5d337 in gdk_event_apply_filters gdk/x11/gdkeventsource.c:79
    #12 0x7bade6d5dc84 in gdk_event_source_translate_event gdk/x11/gdkeventsource.c:198
    #13 0x7bade6d5dc84 in _gdk_x11_display_queue_events gdk/x11/gdkeventsource.c:341
    #14 0x7bade6c9c1fc in gdk_display_get_event gdk/gdkdisplay.c:442
    #15 0x7bade6d5d492 in gdk_event_source_dispatch gdk/x11/gdkeventsource.c:363
    #16 0x7bade128ed06 in g_main_dispatch glib/gmain.c:3357
    #17 0x7bade128ed06 in g_main_context_dispatch_unlocked glib/gmain.c:4208
    #18 0x7bade129ba5a in g_main_context_iterate_unlocked glib/gmain.c:4273
    #19 0x7bade129d1be in g_main_loop_run glib/gmain.c:4475
    #20 0x7bade75f7bd6 in gtk_main gtk/gtkmain.c:1329
    #21 0x58f754be21a2 in main xfwm4/src/main.c:721

Address 0x7baddb87a3a8 is located in stack of thread T0 at offset 40 in frame
    #0 0x58f754bce568 in setWMState xfwm4/src/hints.c:83

  This frame has 1 object(s):
    [32, 40) 'data' (line 84) <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow libx11/src/XlibInt.c:1684 in _XData32

Similar bugs in other projects

Testing

  • No issues were detected when testing the patch with UBSan, LSan, and ASan

Merge request reports