AuroraMiddleware/qt5base-lts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix badAtom issues introduced by behavior changes between Xlib and xcb.

Browse Source 
In Xlib, the 'length' variable gets updated with the the actual number
of 8-bit, 16-bit, or 32-bit items stored in the returned data, but xcb
returns the actual number of bytes read through xcb_get_property_value_length,
therefore the logic of calculating offset was broken.

Task-number: QTBUG-26709
Change-Id: I04de3b5c5631cfaf9b3c2c3d4513be73c569f61f
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@nokia.com>
Reviewed-by: Samuel Rødal <samuel.rodal@nokia.com>
This commit is contained in:
Gatis Paeglis 2012-07-30 11:31:54 +02:00 committed by Qt by Nokia
parent 95bba3802b
commit 7781e95623
1 changed files with 7 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/plugins/platforms/xcb/qxcbclipboard.cpp
View File

@ -608,26 +608,9 @@ bool QXcbClipboard::clipboardReadProperty(xcb_window_t win, xcb_atom_t property,
bytes_left = reply->bytes_after;
free(reply);
int offset = 0, buffer_offset = 0, format_inc = 1, proplen = bytes_left;
int offset = 0, buffer_offset = 0;
switch (*format) {
case 8:
default:
format_inc = sizeof(char) / 1;
break;
case 16:
format_inc = sizeof(short) / 2;
proplen *= sizeof(short) / 2;
break;
case 32:
format_inc = sizeof(long) / 4;
proplen *= sizeof(long) / 4;
break;
}
int newSize = proplen;
int newSize = bytes_left;
buffer->resize(newSize);
bool ok = (buffer->size() == newSize);
@ -650,13 +633,11 @@ bool QXcbClipboard::clipboardReadProperty(xcb_window_t win, xcb_atom_t property,
char *data = (char *)xcb_get_property_value(reply);
int length = xcb_get_property_value_length(reply);
offset += length / (32 / *format);
length *= format_inc * (*format) / 8;
// Here we check if we get a buffer overflow and tries to
// recover -- this shouldn't normally happen, but it doesn't
// hurt to be defensive
if ((int)(buffer_offset + length) > buffer->size()) {
qWarning("QXcbClipboard: buffer overflow");
length = buffer->size() - buffer_offset;
// escape loop
@ -666,6 +647,10 @@ bool QXcbClipboard::clipboardReadProperty(xcb_window_t win, xcb_atom_t property,
memcpy(buffer->data() + buffer_offset, data, length);
buffer_offset += length;
if (bytes_left) {
// offset is specified in 32-bit multiples
offset += length / 4;
}
free(reply);
}
}