[PATCH v2] winex11: Avoid inefficiency and overflow in remove_startup_notification.
Alex Henrie
alexhenrie24 at gmail.com
Mon Nov 2 21:50:31 CST 2015
Cc: Damjan Jovanovic <damjan.jov at gmail.com>
Cc: Vincent Povirk <vincent at codeweavers.com>
Coverity #713245, "Checking pos < 1022U implies that pos is between
1022 and 1023 (inclusive) on the false branch."
Signed-off-by: Alex Henrie <alexhenrie24 at gmail.com>
---
dlls/winex11.drv/window.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/dlls/winex11.drv/window.c b/dlls/winex11.drv/window.c
index b763677..683813a 100644
--- a/dlls/winex11.drv/window.c
+++ b/dlls/winex11.drv/window.c
@@ -110,49 +110,46 @@ static void remove_startup_notification(Display *display, Window window)
{
static LONG startup_notification_removed = 0;
char id[1024];
- char message[1024];
+ char message[4096];
int i;
int pos;
XEvent xevent;
const char *src;
int srclen;
if (InterlockedCompareExchange(&startup_notification_removed, 1, 0) != 0)
return;
if (GetEnvironmentVariableA("DESKTOP_STARTUP_ID", id, sizeof(id)) == 0)
return;
SetEnvironmentVariableA("DESKTOP_STARTUP_ID", NULL);
if ((src = strstr( id, "_TIME" ))) update_user_time( atol( src + 5 ));
- pos = snprintf(message, sizeof(message), "remove: ID=");
- message[pos++] = '"';
- for (i = 0; id[i] && pos < sizeof(message) - 2; i++)
+ pos = sprintf(message, "remove: ID=\"");
+ for (i = 0; id[i]; i++)
{
if (id[i] == '"' || id[i] == '\\')
message[pos++] = '\\';
message[pos++] = id[i];
}
message[pos++] = '"';
message[pos++] = '\0';
xevent.xclient.type = ClientMessage;
xevent.xclient.message_type = x11drv_atom(_NET_STARTUP_INFO_BEGIN);
xevent.xclient.display = display;
xevent.xclient.window = window;
xevent.xclient.format = 8;
src = message;
- srclen = strlen(src) + 1;
+ srclen = pos;
while (srclen > 0)
{
- int msglen = srclen;
- if (msglen > 20)
- msglen = 20;
- memset(&xevent.xclient.data.b[0], 0, 20);
- memcpy(&xevent.xclient.data.b[0], src, msglen);
+ int msglen = min(srclen, sizeof(xevent.xclient.data.b));
+ memset(xevent.xclient.data.b, 0, sizeof(xevent.xclient.data.b));
+ memcpy(xevent.xclient.data.b, src, msglen);
src += msglen;
srclen -= msglen;
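Review bot: With the `pos < sizeof(message) - 2` bound removed, the loop `for (i = 0; id[i]; i++)` is only safe if `id` is always NUL-terminated within its 1024 bytes, yet the check above it rejects only a zero return from GetEnvironmentVariableA. The documented Windows behaviour for a too-small buffer is a return value larger than the buffer with undefined contents; whether Wine's implementation still leaves a terminator is not visible in this hunk. Rejecting that case explicitly, e.g. `len = GetEnvironmentVariableA("DESKTOP_STARTUP_ID", id, sizeof(id));` followed by `if (!len || len >= sizeof(id)) return;`, bounds the escaped message at 12 + 2*1023 + 2 = 2060 bytes, which fits in `message[4096]`. A one-line comment with that arithmetic next to the `message` declaration would keep the two sizes from drifting apart. The function body continues past the end of the hunk.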
--
2.6.2