stack: Fix a crasher from a buffer overrun

The code that restacks X11 windows at the end first tracks any
old windows we know about, and then handles any windows created.

It starts when it ended, and then walks forwards and then
back looking for the first X11 window it doesn't know about.
However, when there aren't any X11 windows, it flies off the end
of the array and starts looking through random memory.

When it finds the X11 window, it then goes through and then tries
to restack the remaining windows according to how we've sorted
them.

Unfortunately, META_WINDOW_CLIENT_TYPE_X11 is 0, which is quite
common in random memory we have lying around, so we enter that
path and then just crash.

Fix the buffer overrun by adding the proper bounds check to the
search.

You can easily reproduce this by opening a menu while bloatpad
is full-screen. Why it only crashes when full-screen and not
when a standard window, I have no idea.
This commit is contained in:
Jasper St. Pierre 2014-04-12 08:08:02 -07:00
parent 862d57d459
commit becce7afa0

View File

@ -1508,7 +1508,7 @@ stack_sync_to_xserver (MetaStack *stack)
if (x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11)
{
for (x_ref = newp;
x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref > new_stack;
x_ref->any.type != META_WINDOW_CLIENT_TYPE_X11 && x_ref < new_end;
x_ref++)
;
}