From: Byrial Jensen
Date: Sun, 18 Dec 2011 14:41:46 +0000 (+0100)
Subject: Fix possible crash on 64-bit systems when copying game or position
X-Git-Url: http://winboard.nl/cgi-bin?a=commitdiff_plain;h=92b1e8aaef115278eb3bc6902d76824def8f734a;p=xboard.git

Fix possible crash on 64-bit systems when copying game or position

The two convertproc's for X selections caused reads out of bounds on 64-bit systems. I hope that this is the right solution. I am not experienced with X stuff, but it follows what I have seen in other programs, testing shows that copying still works, and the reading out of bounds has disappeared with this patch.

--- diff --git a/xboard.c b/xboard.c index 527c3b3..b74f81c 100644 --- a/xboard.c +++ b/xboard.c @@ -5643,11 +5643,19 @@ SendPositionSelection(Widget w, Atom *selection, Atom *target, *value_return = targets_tmp; *type_return = XA_ATOM; *length_return = 2; +#if 0 + // This code leads to a read of value_return out of bounds on 64-bit systems. + // Other code which I have seen always sets *format_return to 32 independent of + // sizeof(Atom) without adjusting *length_return. For instance see TextConvertSelection() + // at http://cgit.freedesktop.org/xorg/lib/libXaw/tree/src/Text.c -- BJ *format_return = 8 * sizeof(Atom); if (*format_return > 32) { *length_return *= *format_return / 32; *format_return = 32; } +#else + *format_return = 32; +#endif return True; } else { return False; 
@@ -5752,11 +5760,19 @@ SendGameSelection(Widget w, Atom *selection, Atom *target, *value_return = targets_tmp; *type_return = XA_ATOM; *length_return = 2; +#if 0 + // This code leads to a read of value_return out of bounds on 64-bit systems. + // Other code which I have seen always sets *format_return to 32 independent of + // sizeof(Atom) without adjusting *length_return. For instance see TextConvertSelection() + // at http://cgit.freedesktop.org/xorg/lib/libXaw/tree/src/Text.c -- BJ *format_return = 8 * sizeof(Atom); if (*format_return > 32) { *length_return *= *format_return / 32; *format_return = 32; } +#else + *format_return = 32; +#endif return True; } else { return False;
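Review bot: In the SendPositionSelection hunk, `*format_return = 32;` is the right contract for an XA_ATOM-typed TARGETS reply: Xlib and Xt hand format-32 selection data around as an array of `long` (which is what `Atom` is on LP64), so `*length_return = 2` already counts the two Atoms in `targets_tmp`. The old branch computed `*format_return = 64`, doubled the length to 4 and reset the format to 32, which told the toolkit to read four longs (32 bytes) from a 16-byte buffer, hence the out-of-bounds read. Rather than parking the old code under `#if 0`, delete it and keep the rationale as a short comment, e.g. `/* Format is 32 for XA_ATOM regardless of sizeof(Atom): Xlib stores format-32 data in longs, so length counts Atoms. */`, so the dead branch cannot be re-enabled by accident; it is also worth confirming that `targets_tmp` is declared as an `Atom[]` rather than a 32-bit type, since the format-32-as-long convention depends on that.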
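Review bot: Duplicated logic in the SendGameSelection hunk: it repeats the SendPositionSelection change line for line, including the four-line explanatory comment and the `#if 0`/`#else`/`#endif` block. With both functions now reduced to the same TARGETS branch (`*value_return = targets_tmp; *type_return = XA_ATOM; *length_return = 2; *format_return = 32;`), that branch could move into one small helper called from both convertprocs, so the next correction to this code only has to land once. As with the first hunk, prefer deleting the disabled code over leaving it under `#if 0`, and keep a one-line comment stating why the format is always 32.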