aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
11 daysMerge branch 'master' into flyflyXiao Pan
12 daysdwm: Fix getatomprop regression from heap overflow fixHEADmasterChris Down
Commit 244fa852fe27 ("dwm: Fix heap buffer overflow in getatomprop") introduced a check for dl > 0 before dereferencing the property pointer. However, I missed that the variable dl is passed to XGetWindowProperty for both nitems_return and bytes_after_return parameters: XGetWindowProperty(..., &dl, &dl, &p) The final value in dl is bytes_after_return, not nitems_return. For a successfully read property, bytes_after is typically 0 (indicating all data was retrieved), so the check `dl > 0` is always false and dwm never reads any atom properties. So this is safe, but not very helpful :-) dl is probably just a dummy variable anyway, so fix by using a separate variable for nitems, and check nitems > 0 as originally intended.
2026-01-10Merge branch 'master' into flyXiao Pan
2026-01-10bump version to 6.7Hiltjo Posthuma
Put the maintainer at the top and bump years (time flies).
2026-01-10dwm: Fix heap buffer overflow in getatompropChris Down
When getatomprop() is called, it invokes XGetWindowProperty() to retrieve an Atom. If the property exists but has zero elements (length 0), Xlib returns Success and sets p to a valid, non-NULL memory address containing a single null byte. However, dl (that is, the number of items) is 0. dwm blindly casts p to Atom* and dereferences it. While Xlib guarantees that p is safe to read as a string (that is, it is null-terminated), it does _not_ guarantee it is safe to read as an Atom (an unsigned long). The Atom type is a typedef for unsigned long. Reading an Atom (which thus will either likely be 4 or 8 bytes) from a 1-byte allocated buffer results in a heap buffer overflow. Since property content is user controlled, this allows any client to trigger an out of bounds read simply by setting a property with format 32 and length 0. An example client which reliably crashes dwm under ASAN: #include <X11/Xlib.h> #include <X11/Xatom.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(void) { Display *d; Window root, w; Atom net_wm_state; d = XOpenDisplay(NULL); if (!d) return 1; root = DefaultRootWindow(d); w = XCreateSimpleWindow(d, root, 10, 10, 200, 200, 1, 0, 0); net_wm_state = XInternAtom(d, "_NET_WM_STATE", False); if (net_wm_state == None) return 1; XChangeProperty(d, w, net_wm_state, XA_ATOM, 32, PropModeReplace, NULL, 0); XMapWindow(d, w); XSync(d, False); sleep(1); XCloseDisplay(d); return 0; } In order to avoid this, check that the number of items returned is greater than zero before dereferencing the pointer.
2025-09-30Merge branch 'master' into flyXiao Pan
2025-09-29drw.c: drw_scm_free: call free insideHiltjo Posthuma
Because drw_scm_create() allocates it.
2025-09-28Merge branch 'master' into flyXiao Pan
2025-09-27cleanup schemes and colorsHiltjo Posthuma
2025-08-13Merge branch 'master' into flyXiao Pan
2025-08-12config: make refreshrate for mouse move/resize a config optionHiltjo Posthuma
Bump the default from 60 to 120.
2025-08-09bump version to 6.6Hiltjo Posthuma
2025-01-11wireguard switch to use cfg repo branches as namesXiao Pan
2024-12-29consider new ib serverXiao Pan
2024-10-30Merge branch 'master' into flyXiao Pan
2024-10-30Avoid unsigned integer underflow in drw_text()Raymond Cole
2024-10-28Merge branch 'master' into flyXiao Pan
2024-10-27util.c: output function might override errno and thus affect perror()Hiltjo Posthuma
Original patch by Raymond Cole with some modifications, thanks!
2024-10-05Merge branch 'master' into flyXiao Pan
2024-10-05sync drw.{c,h} from dmenuHiltjo Posthuma
- drw: minor improvement to the nomatches cache - overhaul utf8decoding and render invalid utf8 sequences as U+FFFD. Thanks NRK for these improvements!
2024-09-04pme hotkey change to fit my habitXiao Pan
2024-08-22tsp mpvy use -u url so tsp can show urls for each tasksXiao Pan
2024-08-22no more -u needed for mpvy; mpvy -c use tspXiao Pan
2024-08-22mpvy yt-dlp use cookie hotkeyXiao Pan
2024-08-14my passmenu now can output usernameXiao Pan
2024-08-14use my own passmenu script pmeXiao Pan
2024-08-14I would like dmenu prompt same as actual cli, actual vpn cli no need wg_ prefixXiao Pan
2024-08-14one hotkey using dmenu prompt to choose vpnXiao Pan
2024-08-13new ca wg vpnXiao Pan
2024-07-22reco fullscreen hotkeyXiao Pan
2024-06-30Revert "fix: press modifiers when xdotool --clearmodifiers will cause key ↵Xiao Pan
not pressed but show pressed, try sleep 0.1 to see if fixed" This reverts commit 72444bf2002d71bceb0ffe183685cd08d2d765ab.
2024-06-30fix: press modifiers when xdotool --clearmodifiers will cause key not ↵Xiao Pan
pressed but show pressed, try sleep 0.1 to see if fixed
2024-06-26feat: add aa vpn hotkeyXiao Pan
2024-06-25feat: hotkey to auto type sjsu passwordXiao Pan
2024-06-22add hotkey toggle firefox userjs webglXiao Pan
2024-06-08Merge branch 'master' into flyXiao Pan
2024-06-08Add missing void to updateclientlist definitionPontus Stenetorp
Caught by -pedantic implying -Wstrict-prototypes for OpenBSD's 16.0.6 Clang.
2024-04-22new pass hotkeyXiao Pan
2024-04-21ia wg vpn seems used more than studio, so change ia to an easier hotkeyXiao Pan
2024-04-21remove ka vpsXiao Pan
2024-04-06pass otp no need tail because the other lines are stderr instead of stdout; ↵Xiao Pan
also use carriage return for auto enter
2024-04-06fix: use carriage return so gpg agent can correctly identify itXiao Pan
2024-04-01better commentXiao Pan
2024-04-01use xdotool for pass otp, more automatedXiao Pan
2024-04-01mod-a for xdotool type master passwords, temporary solution before I ↵Xiao Pan
automate upd
2024-03-19bump version to 6.5Hiltjo Posthuma
2024-03-11use new vpn script to simplify dwm configXiao Pan
2024-03-11advanced wireguardXiao Pan
2024-03-05feat: add ia wgXiao Pan
2024-01-26Try to make search more seamless by adding hotkey, to overcome fear/laziness ↵Xiao Pan
to search
generated by cgit v1.2.3-70-g09d2 (git 2.52.0) at 2026-01-28 07:58:37 +0000