dwm: Fix getatomprop regression from heap overflow fix

Commit 244fa852fe27 ("dwm: Fix heap buffer overflow in getatomprop")
introduced a check for dl > 0 before dereferencing the property pointer.
However, I missed that the variable dl is passed to XGetWindowProperty
for both nitems_return and bytes_after_return parameters:

    XGetWindowProperty(..., &dl, &dl, &p)

The final value in dl is bytes_after_return, not nitems_return. For a
successfully read property, bytes_after is typically 0 (indicating all
data was retrieved), so the check `dl > 0` is always false and dwm never
reads any atom properties. So this is safe, but not very helpful :-)

dl is probably just a dummy variable anyway, so fix by using a separate
variable for nitems, and check nitems > 0 as originally intended.

diff --git a/dwm.c b/dwm.c
index 8f4fa7518d7993074528d83d8b608d24b07e6706..53b393e62bff0981a85746537be71cb1e6b9b8e4 100644 (file)
--- a/dwm.c
+++ b/dwm.c
@@ -864,13 +864,13 @@ Atom
 getatomprop(Client *c, Atom prop)
 {
        int di;
-       unsigned long dl;
+       unsigned long nitems, dl;
        unsigned char *p = NULL;
        Atom da, atom = None;
 
        if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
-               &da, &di, &dl, &dl, &p) == Success && p) {
-               if (dl > 0)
+               &da, &di, &nitems, &dl, &p) == Success && p) {
+               if (nitems > 0)
                        atom = *(Atom *)p;
                XFree(p);
        }