compositor-x11: fix title overflow in x11_backend_create_output

sprintf can overflow the fixed length title which is char[32]. This
patch change title to dynamically allocated char array using asprintf or
strdup. If one of them fail we leave returning NULL to indicate the
failure.

Signed-off-by: Benoit Gschwind <gschwind@gnu-log.net>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
Tested-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Signed-off-by: Daniel Stone <daniels@collabora.com>

diff --git a/libweston/compositor-x11.c b/libweston/compositor-x11.c
index 5e46e68..a3319b4 100644 (file)
--- a/libweston/compositor-x11.c
+++ b/libweston/compositor-x11.c
@@ -782,7 +782,7 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
 {
        static const char name[] = "Weston Compositor";
        static const char class[] = "weston-1\0Weston Compositor";
-       char title[32];
+       char *title = NULL;
        struct x11_output *output;
        xcb_screen_t *screen;
        struct wm_normal_hints normal_hints;
@@ -800,11 +800,6 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
        output_width = width * scale;
        output_height = height * scale;
 
-       if (configured_name)
-               sprintf(title, "%s - %s", name, configured_name);
-       else
-               strcpy(title, name);
-
        if (!no_input)
                values[0] |=
                        XCB_EVENT_MASK_KEY_PRESS |
@@ -871,9 +866,24 @@ x11_backend_create_output(struct x11_backend *b, int x, int y,
        }
 
        /* Set window name.  Don't bother with non-EWMH WMs. */
-       xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
-                           b->atom.net_wm_name, b->atom.utf8_string, 8,
-                           strlen(title), title);
+       if (configured_name) {
+               if (asprintf(&title, "%s - %s", name, configured_name) < 0)
+                       title = NULL;
+       } else {
+               title = strdup(name);
+       }
+
+       if (title) {
+               xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
+                                   b->atom.net_wm_name, b->atom.utf8_string, 8,
+                                   strlen(title), title);
+               free(title);
+       } else {
+               xcb_destroy_window(b->conn, output->window);
+               free(output);
+               return NULL;
+       }
+
        xcb_change_property(b->conn, XCB_PROP_MODE_REPLACE, output->window,
                            b->atom.wm_class, b->atom.string, 8,
                            sizeof class, class);