From e3f751be660e28e48d1477660e99e5456c864296 Mon Sep 17 00:00:00 2001
From: Ran Benita
Date: Wed, 14 May 2014 11:44:29 +0300
Subject: [PATCH] x11: fix out-of-bounds access in adopt_atoms() error handling

Two problems:
- `j` can be >= `SIZE`, and needs to be wrapped like in the rest of the code.
- `cookies[j % SIZE]` is not initialized if there's no atom in `from[j]`.

The is manifested when:
- We've already gone through one batch (>= 128 atoms) (in fact this cannot happen in call to `adopt_atoms` in the current code).
- An XCB request failed in the middle of a batch.

Signed-off-by: Ran Benita
---
 src/x11/util.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/x11/util.c b/src/x11/util.c
index 92ff2e6..47bb92a 100644
--- a/src/x11/util.c
+++ b/src/x11/util.c
@@ -195,11 +195,12 @@ adopt_atoms(struct xkb_context *ctx, xcb_connection_t *conn,
 
 /*
 * If we don't discard the uncollected replies, they just
- * sit there waiting. Sad.
+ * sit in the XCB queue waiting forever. Sad.
 */
 err_discard:
 for (size_t j = i + 1; j < stop; j++)
- xcb_discard_reply(conn, cookies[j].sequence);
+ if (from[j] != XCB_ATOM_NONE)
+ xcb_discard_reply(conn, cookies[j % SIZE].sequence);
 return false;
 }
 }
-- 
2.7.4
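Review bot: The new guard in the `err_discard` loop is only safe while `from[j] != XCB_ATOM_NONE` is exactly the condition under which the request loop stores a cookie, and that loop lies outside this hunk, so the coupling is invisible here. If the two conditions ever drift apart, the loop would again read an indeterminate `cookies[j % SIZE].sequence` and could discard an unrelated reply. I would state the invariant next to the guard, e.g. `/* cookies[j % SIZE] is only set when from[j] != XCB_ATOM_NONE; keep in sync with the request loop. */`, and brace the `for` body now that it holds a nested `if`. The function starts above the hunk, so it should also be confirmed there that `stop - start` never exceeds `SIZE`, which the modulo index presumably relies on.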