From 1e3a6828ce9fef952bbc40ff40a5c47e542c671a Mon Sep 17 00:00:00 2001
From: Adam Higerd
Date: Tue, 13 Feb 2024 18:36:53 -0600
Subject: [PATCH] Handle integer overflow caused by bogus client data
---
 openbox/client.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/openbox/client.c b/openbox/client.c
index fae932414..b1cb6dc3f 100644
--- a/openbox/client.c
+++ b/openbox/client.c
@@ -2241,15 +2241,20 @@ void client_update_icons(ObClient *self)
 while (i + 2 < num) { /* +2 is to make sure there is a w and h */
 w = data[i++];
 h = data[i++];
+ /* calculate the data size as guint64 to prevent integer
+ overflow due to invalid data */
+ guint64 size = w * h;
 /* watch for the data being too small for the specified size,
- or for zero sized icons. */
- if (i + w*h > num || w == 0 || h == 0) {
- i += w*h;
+ or for zero sized icons */
+ if (i + size > num || size < w || size < h) {
+ break;
+ } else if (w == 0 || h == 0) {
+ i += size;
 continue;
 }
 /* convert it to the right bit order for ObRender */
- for (j = 0; j < w*h; ++j)
+ for (j = 0; j < size; ++j)
 data[i+j] =
 (((data[i+j] >> 24) & 0xff) << RrDefaultAlphaOffset) +
 (((data[i+j] >> 16) & 0xff) << RrDefaultRedOffset) +
@@ -2262,7 +2267,7 @@ void client_update_icons(ObClient *self)
 else
 RrImageAddFromData(img, &data[i], w, h);
- i += w*h;
+ i += size;
 }
 g_free(data);
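Review bot: The multiplication in `guint64 size = w * h;` is still evaluated in the type of `w` and `h`, so if those are 32-bit `guint`s (their declarations are outside the hunk) the product wraps before it is widened. The `size < w || size < h` test does not catch every wrap: with w = h = 65537 the truncated product is 131073, which passes both comparisons. Widening one operand first, `guint64 size = (guint64)w * h;`, makes `size` exact, so `i + size > num` is a sufficient bounds check on its own. This matters because the later `RrImageAddFromData(img, &data[i], w, h)` call takes `w` and `h`, not `size`. Separately, a zero in only one dimension now satisfies `size < w` or `size < h` and hits `break`, so the `else if (w == 0 || h == 0)` skip is reached only when both are zero; testing for zero before the bounds check would keep the previous skip-and-continue behaviour.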