more overflow fix in getatomprop()

commit 244fa852 (and a9aa0d8) tried to fix overflow by checking the number of items returned. however this is not sufficient since the format may be lower than 32 bits. to reproduce the crash, i used the reproducer given in commit 244fa85 but changed the XChangeProperty line to the following to set the property to a 1 element 16 bit item: short si = 1; XChangeProperty(d, w, net_wm_state, XA_ATOM, 16, PropModeReplace, (unsigned char *)&si, 1); this client reliably crashes dwm under ASAN since dwm is trying to read a 32 bit value from a 16 bit one. fix it by checking for format == 32 as well. also change the access type from Atom to long, on my machine Atom is typedef-ed to long already but that may not be true everywere. the XGetWindowProperty manpage says format == 32 is returned as `long` so use `long` directly. (N.B: it also might be worth checking if the returned type is XA_ATOM as well, but i wasn't able to cause any crashes by setting different types so i'm leaving it out for now.)
2026-02-17 07:31:35 +00:00
parent 5c9f30300b
commit c3dd6a829b
1 changed files with 4 additions and 4 deletions
--- a/dwm.c
+++ b/dwm.c
@@ -863,15 +863,15 @@ focusstack(const Arg *arg)
 Atom
 getatomprop(Client *c, Atom prop)
 {
-	int di;
+	int format;
 	unsigned long nitems, dl;
 	unsigned char *p = NULL;
 	Atom da, atom = None;

 	if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
-		&da, &di, &nitems, &dl, &p) == Success && p) {
-		if (nitems > 0)
-			atom = *(Atom *)p;
+		&da, &format, &nitems, &dl, &p) == Success && p) {
+		if (nitems > 0 && format == 32)
+			atom = *(long *)p;
 		XFree(p);
 	}
 	return atom;