Package: xloadimage
Version: 4.1-14.3

A call to XGetWindowProperty() in root.c incorrectly casts between pointers to ints and longs, causing the values returned from the function to be incorrect on platforms such as AMD64 where longs are larger than ints. Under some circumstances, this seems to cause the program to believe the function has returned a correct value when it has not, and then dereference a null pointer in the argument to the following call to XKillClient(), though this crash occurs only intermittently. (I can see the crash when loading a PPM image with "xsetbg -fullscreen", but whether it shows up seems to vary depending on whether I pass the image by filename or on stdin, and other aspects of the environment; and I wasn't able to reproduce with optimization disabled for that file or a different GCC version.)

The attached patch fixes the types of the locals used for the return values to what the function expects, and seems to fix the bug.

-- Stephen

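The size mismatch described in the report, modelled as an added example that is not part of the original report or of xloadimage. `struct old_locals`, `store_count()` and the other helper names are hypothetical, and placing the two ints next to each other is an assumption: the real stack layout depends on the compiler and optimization level, which fits the intermittent behaviour reported.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the two locals from the unpatched code. They live in
   one struct so the oversized store can be shown with defined behaviour. */
struct old_locals {
    int nitems;
    int bytes_after;
};
_Static_assert(sizeof(struct old_locals) >= sizeof(unsigned long),
               "model needs room for one unsigned long");

/* Stand-in for the library filling an unsigned long return slot: it always
   writes sizeof(unsigned long) bytes at the address it was given. */
static void store_count(void *slot, unsigned long value)
{
    memcpy(slot, &value, sizeof value);
}

/* Old pattern: the address of an int is handed over as an unsigned long slot.
   Returns 1 if the neighbouring local was overwritten by the store. */
int old_call_clobbers_neighbour(unsigned long count)
{
    struct old_locals l = { -1, -1 };
    store_count(&l, count);            /* &l is also the address of l.nitems */
    return l.bytes_after != -1;
}

/* Patched pattern: the local has the type the callee writes, so the store
   stays inside it and the neighbour keeps its sentinel value. */
unsigned long fixed_nitems_after_store(unsigned long count)
{
    unsigned long nitems = 0, bytes_after = 7;
    store_count(&nitems, count);
    return bytes_after == 7 ? nitems : 0;
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(unsigned long)=%zu\n",
           sizeof(int), sizeof(unsigned long));
    printf("old pattern overwrites neighbour: %d\n",
           old_call_clobbers_neighbour(1));
    printf("patched pattern reads nitems=%lu\n",
           fixed_nitems_after_store(1));
    return 0;
}
```

On a platform where int and long have the same size the old pattern reports no overwrite, which is why the defect stayed hidden until AMD64.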
--- root.c.orig 2006-10-20 16:05:45.000000000 -0400 +++ root.c 2006-10-20 16:18:09.000000000 -0400 @@ -68,16 +68,16 @@ Pixmap *pm; Atom actual_type; /* NOTUSED */ int format; - int nitems; - int bytes_after; + unsigned long nitems; + unsigned long bytes_after; /* intern the property name */ Atom atom = XInternAtom(dpy, RETAIN_PROP_NAME, 0); /* look for existing resource allocation */ if ((XGetWindowProperty(dpy, w, atom, 0, 1, 1/*delete*/, - AnyPropertyType, &actual_type, &format, (unsigned long *)&nitems, - (unsigned long *)&bytes_after, (unsigned char **)&pm) == Success) && + AnyPropertyType, &actual_type, &format, &nitems, + &bytes_after, (unsigned char **)&pm) == Success) && nitems == 1) { if ((actual_type == XA_PIXMAP) && (format == 32) && (nitems == 1) && (bytes_after == 0)) {
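
Review bot: the inner `if` still tests `(nitems == 1)`, which the outer condition has already established, so that term can be dropped now that `nitems` has its real type. The `/* NOTUSED */` comment on `actual_type` is stale as well, since the value is compared with `XA_PIXMAP` a few lines later. Consider declaring `Pixmap *pm = NULL;` so that `pm` has a known value if the call does not return `Success`.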