xwayland/wm: TYPE_WM_NORMAL_HINTS xcb value buffer overread when starting LibreOffice
Found by ASan (AddressSanitizer). I added a log statement:
--- a/xwayland/window-manager.c
+++ b/xwayland/window-manager.c
@@ -616,6 +616,11 @@ weston_wm_window_read_properties(struct weston_wm_window *window)
}
break;
case TYPE_WM_NORMAL_HINTS:
+ if (xcb_get_property_value_length(reply) < sizeof window->size_hints) {
+ weston_log("TYPE_WM_NORMAL_HINTS is too short: %d < %d\n",
+ xcb_get_property_value_length(reply), sizeof window->size_hints);
+ break;
+ };
memcpy(&window->size_hints,
xcb_get_property_value(reply),
sizeof window->size_hints);
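Review bot: In the added length check under case TYPE_WM_NORMAL_HINTS, xcb_get_property_value_length(reply) returns an int while sizeof window->size_hints is a size_t, so the comparison mixes signed and unsigned and the weston_log format passes a size_t to %d. Compare against a cast or a size_t local, and print the second value with %zu. The closing "};" carries a stray semicolon. The break skips the memcpy entirely and leaves window->size_hints as it was, so it is worth deciding whether a short property should be ignored like this or copied up to the length actually returned into a zeroed struct. A log line on every short reply may also be noisy, given that the client in the report triggers it twice at startup.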
Happens only when launching LibreOffice (built with GTK3) under Xwayland (GDK_BACKEND=x11 soffice):
[14:16:06.178] TYPE_WM_NORMAL_HINTS is too short: 60 < 72
[14:16:06.182] TYPE_WM_NORMAL_HINTS is too short: 60 < 72
Doesn't seem to cause any actual problems, but still weird...
P.S. looking forward to merge requests being enabled here :)