wmaker: fix integer overflow in _NET_WM_ICON parser

findBestIcon() multiplies two attacker-controlled 32-bit ints (icon width * height) without overflow checking. A client setting _NET_WM_ICON = {2, 0x7FFFFFFF} makes "size" wrap to 0 so "i += size" never advances and wmaker spins forever at 100% CPU. The same loop also never verifies that the claimed icon actually fits inside the property buffer, allowing a 2-element property to drive a multi-KB OOB read in makeRImageFromARGBData(). Validate dimensions against a 4096-pixel cap (safe from unsigned long overflow) and reject icons whose pixel data would extend past the end of the property.
2026-06-13 22:05:21 +02:00 · 2026-04-09 22:55:00 +00:00
parent 931186bd18
commit 5eb3287535
1 changed files with 10 additions and 4 deletions
@@ -458,9 +458,11 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
 		/* get the current icon's size */
 		sx = (int)data[i];
 		sy = (int)data[i + 1];
-		if ((sx < 1) || (sy < 1))
+		if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
+			break;
+		size = (unsigned long)sx * (unsigned long)sy + 2;
+		if ((unsigned long)size > items - i)
 			break;
-		size = sx * sy + 2;

 		/* check the size difference if it's not too large */
 		if ((sx <= wanted) && (sy <= wanted)) {
@@ -485,8 +487,12 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
 	 * small image by a small scale. */
 	largest = 0;
 	for (i = 0L; i < items - 1;) {
-		size = (int)data[i] * (int)data[i + 1];
-		if (size == 0)
+		sx = (int)data[i];
+		sy = (int)data[i + 1];
+		if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
+			break;
+		size = (unsigned long)sx * (unsigned long)sy;
+		if ((unsigned long)size + 2 > items - i)
 			break;
 		if (size > largest) {
 			icon = &data[i];