Having a format of 32c with two elements, and a dformat of '?$3=0(foo)' would result in an invalid read past the thunks array. Handle references to invalid fields as an error while parsing the dformat.
Signed-off-by: Bert Wesarg <[email protected]> --- xprop.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/xprop.c b/xprop.c index 4c4c702..04b4301 100644 --- a/xprop.c +++ b/xprop.c @@ -1220,9 +1220,10 @@ Scan_Term (const char *string, thunk *thunks, const char *format, long *value) if (isdigit((unsigned char) *string)) string = Scan_Long(string, value); else if (*string == '$') { - string = Scan_Long(++string, &i); + const char *bad_string = string++; + string = Scan_Long(string, &i); if (i >= thunks->thunk_count) - i = thunks->thunk_count; + Fatal_Error("Bad field reference %d in conditional %s", (int) i, bad_string); *value = thunks[i].value; } else if (*string == 'm') { string = Scan_Long(++string, &i); -- 1.7.7.759.gfc8c6 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
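Review bot: in the `$` branch of Scan_Term, the new check only rejects `i >= thunks->thunk_count`, so a negative `i` would still reach `*value = thunks[i].value` and index before the array. `i` is filled through `Scan_Long(string, &i)` as a long; if Scan_Long accepts a leading minus sign, the condition should be `i < 0 || i >= thunks->thunk_count`. Since `i` is a long, printing it with `%ld` would also avoid the `(int)` cast truncating the value shown in the error message. The `m` branch visible in the trailing context reads an index with `Scan_Long(++string, &i)` in the same way; the lines that use it are outside this hunk, so please confirm it has an equivalent bound check or add one in this patch.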
