My fork of dwm https://git.marcelscrem.com/dwm.git/atom?h=master 2026-01-10T21:35:13Z 2026-01-10T21:35:13Z Marcel Screm marcel@marcelscrem.com 2026-01-10T21:35:13Z urn:sha1:af31fc9683f28bfbaca539f87f43f253487a00ba dwm 6.7 2026-01-10T10:31:44Z Hiltjo Posthuma hiltjo@codemadness.org 2026-01-10T10:31:44Z urn:sha1:85fe518c1af5eb43f222f4d8579e4814ed769f3b Put the maintainer at the top and bump years (time flies). 2026-01-10T10:27:23Z Chris Down chris@chrisdown.name 2026-01-07T14:02:00Z urn:sha1:244fa852fe2775cf52a3901966cd6d8700df8227 When getatomprop() is called, it invokes XGetWindowProperty() to retrieve an Atom. If the property exists but has zero elements (length 0), Xlib returns Success and sets p to a valid, non-NULL memory address containing a single null byte. However, dl (that is, the number of items) is 0. dwm blindly casts p to Atom* and dereferences it. While Xlib guarantees that p is safe to read as a string (that is, it is null-terminated), it does _not_ guarantee it is safe to read as an Atom (an unsigned long). The Atom type is a typedef for unsigned long. Reading an Atom (which thus will either likely be 4 or 8 bytes) from a 1-byte allocated buffer results in a heap buffer overflow. Since property content is user controlled, this allows any client to trigger an out of bounds read simply by setting a property with format 32 and length 0. An example client which reliably crashes dwm under ASAN: #include <X11/Xlib.h> #include <X11/Xatom.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(void) { Display *d; Window root, w; Atom net_wm_state; d = XOpenDisplay(NULL); if (!d) return 1; root = DefaultRootWindow(d); w = XCreateSimpleWindow(d, root, 10, 10, 200, 200, 1, 0, 0); net_wm_state = XInternAtom(d, "_NET_WM_STATE", False); if (net_wm_state == None) return 1; XChangeProperty(d, w, net_wm_state, XA_ATOM, 32, PropModeReplace, NULL, 0); XMapWindow(d, w); XSync(d, False); sleep(1); XCloseDisplay(d); return 0; } In order to avoid this, check that the number of items returned is greater than zero before dereferencing the pointer. 2026-01-05T17:49:07Z Marcel Screm marcel@marcelscrem.com 2026-01-05T17:49:07Z urn:sha1:57d6a1e9a9b00d427e9c919d906f61352be22ee6 2026-01-05T16:36:18Z Marcel Screm marcel@marcelscrem.com 2026-01-05T16:36:18Z urn:sha1:5d900a3458cc4051b1bb2168345ca3f3e2a718a9 2026-01-05T14:35:06Z Marcel Screm marcel@marcelscrem.com 2026-01-05T14:35:06Z urn:sha1:bb6593783f652d8f9a4bd5c620b68a2f7b8da6c4 2026-01-03T12:00:55Z Marcel Screm marcel@marcelscrem.com 2026-01-03T12:00:55Z urn:sha1:815dc9729f57701b1fe882a401cee3c9e7167d88 2026-01-03T00:55:35Z Marcel Screm marcel@marcelscrem.com 2026-01-03T00:55:35Z urn:sha1:f8bc36b617b970e41dc2e55a9d85feb9f157a26b 2025-12-04T13:23:10Z Marcel Screm marcel@marcelscrem.com 2025-12-04T13:23:10Z urn:sha1:b224668ef032f013cb4dc3831074f8dd553149bb 2025-09-29T16:48:27Z Hiltjo Posthuma hiltjo@codemadness.org 2025-09-29T16:48:27Z urn:sha1:7c3abae4e68b6a21f05cb04f3af31217259c0aa9 Because drw_scm_create() allocates it.