From 5c9f30300bec2f7eec9ba61d0c11df999e17f860 Mon Sep 17 00:00:00 2001 From: NRK Date: Sun, 15 Feb 2026 22:59:13 +0000 Subject: getstate: fix access type and remove redundant cast WM_STATE is defined to be format == 32 which xlib returns as `long` and so accessing it as `unsigned char` is incorrect. and also &p is already an `unsigned char **` and so the cast was completely redundant. given the redundant cast, i assume `p` was `long *` at some time but was changed to `unsigned char *` later, but the pointer access (and the cast) wasn't updated. also add a `format == 32` check as safety measure before accessing, just in case.
---
 dwm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'dwm.c')
diff --git a/dwm.c b/dwm.c
index fc4232e..a5e1ce9 100644
--- a/dwm.c
+++ b/dwm.c
@@ -897,10 +897,10 @@ getstate(Window w)
 Atom real;
 if (XGetWindowProperty(dpy, w, wmatom[WMState], 0L, 2L, False, wmatom[WMState],
- &real, &format, &n, &extra, (unsigned char **)&p) != Success)
+ &real, &format, &n, &extra, &p) != Success)
 return -1;
- if (n != 0)
- result = *p;
+ if (n != 0 && format == 32)
+ result = *(long *)p;
 XFree(p);
 return result;
 }
-- cgit v1.3
From c3dd6a829b3f5cb9474bcca787a9c8a86932d75d Mon Sep 17 00:00:00 2001
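Review bot: The guarded read `result = *(long *)p;` in getstate has no comment saying why `long` is the access type, and the same holds for `atom = *(long *)p;` in getatomprop in the commit that follows; the reasoning lives only in the commit messages. A one-line comment above each read, for example `/* format 32 data is returned by Xlib as an array of long, see XGetWindowProperty(3) */`, would keep a later cleanup from narrowing the cast again or switching it back to a typedef-ed type. The declarations of `p`, `format` and `result` are outside the hunk, so this assumes `p` is the `unsigned char *` the message describes.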
From: NRK Date: Tue, 17 Feb 2026 07:31:35 +0000 Subject: more overflow fix in getatomprop() commit 244fa852 (and a9aa0d8) tried to fix overflow by checking the number of items returned. however this is not sufficient since the format may be lower than 32 bits. to reproduce the crash, i used the reproducer given in commit 244fa85 but changed the XChangeProperty line to the following to set the property to a 1 element 16 bit item: short si = 1; XChangeProperty(d, w, net_wm_state, XA_ATOM, 16, PropModeReplace, (unsigned char *)&si, 1); this client reliably crashes dwm under ASAN since dwm is trying to read a 32 bit value from a 16 bit one. fix it by checking for format == 32 as well. also change the access type from Atom to long, on my machine Atom is typedef-ed to long already but that may not be true everywere. the XGetWindowProperty manpage says format == 32 is returned as `long` so use `long` directly. (N.B: it also might be worth checking if the returned type is XA_ATOM as well, but i wasn't able to cause any crashes by setting different types so i'm leaving it out for now.)
---
 dwm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'dwm.c')
diff --git a/dwm.c b/dwm.c
index a5e1ce9..0a67103 100644
--- a/dwm.c
+++ b/dwm.c
@@ -863,15 +863,15 @@ focusstack(const Arg *arg)
 Atom
 getatomprop(Client *c, Atom prop)
 {
- int di;
+ int format;
 unsigned long nitems, dl;
 unsigned char *p = NULL;
 Atom da, atom = None;
 if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
- &da, &di, &nitems, &dl, &p) == Success && p) {
- if (nitems > 0)
- atom = *(Atom *)p;
+ &da, &format, &nitems, &dl, &p) == Success && p) {
+ if (nitems > 0 && format == 32)
+ atom = *(long *)p;
 XFree(p);
 }
 return atom;
-- cgit v1.3
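Review bot: The `sizeof atom` passed as long_length on the unchanged `XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, ...` line in getatomprop is a byte count, while that argument is a length in 32-bit multiples. Where Atom is 8 bytes the call therefore asks for up to eight items, although the guarded read `atom = *(long *)p;` consumes only the first. Passing `1L` would state the intent and bound the reply to the single item used. Separately, req_type here is `XA_ATOM` rather than AnyPropertyType, and the Xlib documentation describes nitems as empty when the property's type does not match, so the `nitems > 0` test likely already covers the type case; this is worth confirming against the manpage and recording in a comment.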