From becce7afa0880d6576e250c8abbcb50c8baa3557 Mon Sep 17 00:00:00 2001 From: "Jasper St. Pierre" Date: Sat, 12 Apr 2014 08:08:02 -0700 Subject: [PATCH] stack: Fix a crasher from a buffer overrun The code that restacks X11 windows at the end first tracks any old windows we know about, and then handles any windows created. It starts when it ended, and then walks forwards and then back looking for the first X11 window it doesn't know about. However, when there aren't any X11 windows, it flies off the end of the array and starts looking through random memory. When it finds the X11 window, it then goes through and then tries to restack the remaining windows according to how we've sorted them. Unfortunately, META_WINDOW_CLIENT_TYPE_X11 is 0, which is quite common in random memory we have lying around, so we enter that path and then just crash. Fix the buffer overrun by adding the proper bounds check to the search. You can easily reproduce this by opening a menu while bloatpad is full-screen. Why it only crashes when full-screen and not when a standard window, I have no idea. --- src/core/stack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/stack.c b/src/core/stack.c index a8d97532e..546531004 100644 --- a/src/core/stack.c +++ b/src/core/stack.c @@ -1508,7 +1508,7 @@ stack_sync_to_xserver (MetaStack *stack) if (x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11) { for (x_ref = newp; - x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref > new_stack; + x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref < new_end; x_ref++) ; }
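Review bot: the rewritten loop condition still evaluates `x_ref->any.type` before the new bound test `x_ref < new_end`, so when `x_ref` reaches `new_end` (including the case where `newp == new_end`, i.e. the search starts at the end of the array) the loop reads one element past the array before the bound check stops it. Swap the operands so the bound check short-circuits first: `x_ref < new_end && x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11`. The hunk also does not show how the code after the loop handles `x_ref == new_end` (no X11 window found); since that is exactly the no-X11-windows case the commit message describes, the following code should treat it as "not found" rather than dereferencing `x_ref`.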