XChangeProperty accesses 32 bit values as 64 bit
Hanno Böck
hanno at hboeck.de
Wed Jan 2 15:31:39 UTC 2019
Hi,

Trying to debug a crash (in gajim) I discovered that it was due to a
stack buffer overread in gtk+/libX11.

Digging down I am not entirely sure how to interpret it and whether
it's libX11's or GTK's fault. Here's what's going on:

Gtk+ calls XChangeProperty where the second-to-last parameter is a
pointer to a pid, see e.g. [1]. The "format" parameter is "32", which
is the bit size.

Now in libX11 it ends up crashing in the function _XData32, because it
tries to access the variable as a long, which is 64 bit.

Now this is kinda documented [2], where it says:
"If the specified format is 32, the property data must be a long array."

However that is - to put it mildly - unexpected and confusing. If I
have a function that lets me tell it I want to process a 32 bit value, then
learning that I have to pass that 32 bit value as a 64 bit value is
surely the last thing I expected.

Given this API this probably needs to be fixed in gtk by using long
instead of pid_t for the pid, but I strongly recommend rethinking that
design in libX11 and making it accept 32 bit values.
[1] https://github.com/GNOME/gtk/blob/gtk-3-24/gdk/x11/gdkwindow-x11.c#L937
[2] https://tronche.com/gui/x/xlib/window-information/XChangeProperty.html
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
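As an added illustration (not code from the mail, GTK or libX11), the following stand-alone C model shows the contract quoted above: for format 32 libX11 reads one C `long` per element, so on an LP64 platform a `pid_t` passed by address is read past its 4 bytes, while copying the pid into a `long` first is safe. The functions `data32_pack`, `bytes_read_per_element`, `format32_buffer_is_safe` and `publish_pid_format32` are names chosen here, not libX11 or GTK API.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the documented rule: with format 32 the caller's buffer is an
 * array of longs and only the low 32 bits of each go on the wire.
 * This mirrors what _XData32 does per element; it is not libX11 code. */
#define FORMAT_32 32

static size_t data32_pack(const long *data, size_t nelements, uint32_t *wire)
{
    for (size_t i = 0; i < nelements; i++)
        wire[i] = (uint32_t)data[i];   /* one full long is read per element */
    return nelements;
}

/* Bytes the library reads per element for a given format. The trap:
 * format 32 means sizeof(long), which is 8 on LP64, not 4. */
static size_t bytes_read_per_element(int format)
{
    switch (format) {
    case 8:  return sizeof(char);
    case 16: return sizeof(short);
    case 32: return sizeof(long);
    default: return 0;
    }
}

/* Caller-side check: a buffer of elem_size-byte elements is only a valid
 * format-32 buffer when each element really is a long. */
static int format32_buffer_is_safe(size_t elem_size)
{
    return elem_size == sizeof(long);
}

/* The fix the mail proposes for GTK: widen the pid into a long before
 * handing it over, so the library's 8-byte read stays inside the object. */
static uint32_t publish_pid_format32(pid_t pid)
{
    long value = pid;              /* properly sized backing storage */
    uint32_t wire;
    data32_pack(&value, 1, &wire);
    return wire;
}

int main(void)
{
    printf("pid_t is %zu bytes, format 32 reads %zu bytes per element\n",
           sizeof(pid_t), bytes_read_per_element(FORMAT_32));
    printf("passing &pid directly is %s\n",
           format32_buffer_is_safe(sizeof(pid_t)) ? "safe" : "an overread");
    printf("wire value for this process: %u\n", publish_pid_format32(getpid()));
    return 0;
}
```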