more overflow fix in getatomprop()

commit 244fa852 (and a9aa0d8) tried to fix overflow by checking
the number of items returned. however this is not sufficient
since the format may be lower than 32 bits.

to reproduce the crash, i used the reproducer given in commit
244fa85 but changed the XChangeProperty line to the following to
set the property to a 1 element 16 bit item:

	short si = 1;
	XChangeProperty(d, w, net_wm_state, XA_ATOM, 16,
		PropModeReplace, (unsigned char *)&si, 1);

this client reliably crashes dwm under ASAN since dwm is trying
to read a 32 bit value from a 16 bit one. fix it by checking for
format == 32 as well.

also change the access type from Atom to long, on my machine
Atom is typedef-ed to long already but that may not be true
everywere. the XGetWindowProperty manpage says format == 32 is
returned as `long` so use `long` directly.

(N.B: it also might be worth checking if the returned type is
 XA_ATOM as well, but i wasn't able to cause any crashes by
 setting different types so i'm leaving it out for now.)

diff --git a/dwm.c b/dwm.c
index a5e1ce967d6b56c04dce4c8e5a5c9732d57bc9c5..0a6710382a9b2f5d3409d390400f65ab2ee528f3 100644 (file)
--- a/dwm.c
+++ b/dwm.c
@@ -863,15 +863,15 @@ focusstack(const Arg *arg)
 Atom
 getatomprop(Client *c, Atom prop)
 {
-       int di;
+       int format;
        unsigned long nitems, dl;
        unsigned char *p = NULL;
        Atom da, atom = None;
 
        if (XGetWindowProperty(dpy, c->win, prop, 0L, sizeof atom, False, XA_ATOM,
-               &da, &di, &nitems, &dl, &p) == Success && p) {
-               if (nitems > 0)
-                       atom = *(Atom *)p;
+               &da, &format, &nitems, &dl, &p) == Success && p) {
+               if (nitems > 0 && format == 32)
+                       atom = *(long *)p;
                XFree(p);
        }
        return atom;