From 07971191760ae37bf2b213a27e2aae8835a8e6ce Mon Sep 17 00:00:00 2001 From: dec05eba Date: Wed, 23 Jul 2025 15:30:30 +0200 Subject: [PATCH] Revert "xfixes: use dixGetAtomID()" This reverts commit c32b5b4d5ba189d39ffaf41dc38bf6b695704395. The commit writes out of bounds with tchar[stuff->nbytes] write since the string isn't null terminated. This messed other data which makes requests fail and window managers/ desktop environments fail to start. ProcXFixesSetCursorName also incorrectly uses dixGetAtomID which doesn't create the atom if it doesn't exist, which it previously did with MakeAtom(..., TRUE). The new dixGet/AddAtom methods dont work without null-terminated strings so the change has to be reverted instead. Signed-off-by: dec05eba --- xfixes/cursor.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xfixes/cursor.c b/xfixes/cursor.c index c20f3509d0..738d433130 100644 --- a/xfixes/cursor.c +++ b/xfixes/cursor.c @@ -413,12 +413,12 @@ ProcXFixesSetCursorName(ClientPtr client) char *tchar; REQUEST(xXFixesSetCursorNameReq); + Atom atom; REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); tchar = (char *) &stuff[1]; - tchar[stuff->nbytes] = 0; - Atom atom = dixGetAtomID(tchar); + atom = MakeAtom(tchar, stuff->nbytes, TRUE); if (atom == BAD_RESOURCE) return BadAlloc; @@ -692,6 +692,7 @@ int ProcXFixesChangeCursorByName(ClientPtr client) { CursorPtr pSource; + Atom name; char *tchar; REQUEST(xXFixesChangeCursorByNameReq); @@ -700,8 +701,7 @@ ProcXFixesChangeCursorByName(ClientPtr client) VERIFY_CURSOR(pSource, stuff->source, client, DixReadAccess | DixGetAttrAccess); tchar = (char *) &stuff[1]; - tchar[stuff->nbytes] = 0; - Atom name = dixGetAtomID(tchar); + name = MakeAtom(tchar, stuff->nbytes, FALSE); if (name) ReplaceCursor(pSource, TestForCursorName, &name); return Success;