From 423f17a9827eeafff04d7d4547b03afc7dd8bc66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?=
Date: Thu, 13 Jun 2024 15:12:25 +0200
Subject: [PATCH] wayland/text-input: Add some input validation to set_surrounding()

The cursor and anchor position of the surrounding text *must* be within (or right before/after) the string that is submitted as surrounding text. Everything else is a client error that we shouldn't accept and log as such.

Part-of:
---
 src/wayland/meta-wayland-text-input.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/wayland/meta-wayland-text-input.c b/src/wayland/meta-wayland-text-input.c
index 100d116c6..f1838e73b 100644
--- a/src/wayland/meta-wayland-text-input.c
+++ b/src/wayland/meta-wayland-text-input.c
@@ -505,10 +505,18 @@ text_input_set_surrounding_text (struct wl_client *client,
                                  int32_t anchor)
 {
   MetaWaylandTextInput *text_input = wl_resource_get_user_data (resource);
+  size_t text_len = strlen (text);
 
   if (!client_matches_focus (text_input, client))
     return;
 
+  if (cursor < 0 || anchor < 0 || cursor > text_len || anchor > text_len)
+    {
+      g_warning ("Client sent invalid surrounding text (text_len=%lu, cursor=%d, "
+                 "anchor=%d), ignoring", text_len, cursor, anchor);
+      return;
+    }
+
   g_free (text_input->pending_surrounding.text);
   text_input->pending_surrounding.text = g_strdup (text);
   text_input->pending_surrounding.cursor = cursor;
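Review bot: The g_warning in the new bounds check formats the size_t `text_len` with `%lu`, which only matches where size_t and unsigned long happen to coincide and is a format mismatch elsewhere; use `%zu`, i.e. `g_warning ("Client sent invalid surrounding text (text_len=%zu, cursor=%d, "`. The range check itself is sound: the `cursor < 0` and `anchor < 0` tests are evaluated first, so the later signed/unsigned comparisons against text_len only ever see non-negative values, and the check keeps a client-supplied offset that lies outside the stored surrounding text from reaching whatever later indexes into it. Since the offsets are compared against strlen they are being treated as byte offsets, so if any consumer walks the stored text by character, an additional check that cursor and anchor fall on a UTF-8 character boundary (and that text is valid UTF-8) may be wanted; I can't tell from this hunk whether that is the case. text_input_set_surrounding_text's signature begins before the hunk and its body continues after it.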