wmaker: fix integer overflow in _NET_WM_ICON parser

findBestIcon() multiplies two attacker-controlled 32-bit ints (icon
width * height) without overflow checking. A client setting
_NET_WM_ICON = {2, 0x7FFFFFFF} makes "size" wrap to 0 so "i += size"
never advances and wmaker spins forever at 100% CPU.

The same loop also never verifies that the claimed icon actually fits
inside the property buffer, allowing a 2-element property to drive a
multi-KB OOB read in makeRImageFromARGBData().

Validate dimensions against a 4096-pixel cap (safe from unsigned long
overflow) and reject icons whose pixel data would extend past the end
of the property.

src/wmspec.c

@@ -458,9 +458,11 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
 		/* get the current icon's size */
 		sx = (int)data[i];
 		sy = (int)data[i + 1];
-		if ((sx < 1) || (sy < 1))
+		if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
+			break;
+		size = (unsigned long)sx * (unsigned long)sy + 2;
+		if ((unsigned long)size > items - i)
 			break;
-		size = sx * sy + 2;
 
 		/* check the size difference if it's not too large */
 		if ((sx <= wanted) && (sy <= wanted)) {
@@ -485,8 +487,12 @@ static RImage *findBestIcon(unsigned long *data, unsigned long items)
 	 * small image by a small scale. */
 	largest = 0;
 	for (i = 0L; i < items - 1;) {
-		size = (int)data[i] * (int)data[i + 1];
+		sx = (int)data[i];
-		if (size == 0)
+		sy = (int)data[i + 1];
+		if (sx < 1 || sy < 1 || sx > 4096 || sy > 4096)
+			break;
+		size = (unsigned long)sx * (unsigned long)sy;
+		if ((unsigned long)size + 2 > items - i)
 			break;
 		if (size > largest) {
 			icon = &data[i];