Fix use-before-set in inplace_XRRMonitorInfo_enlarge #3512
Merged
ptitSeb merged 1 commit into ptitSeb:main from
Feb 14, 2026
Conversation
Owner
You can also simply put the for loop at the end, instead of on top
In inplace_XRRMonitorInfo_enlarge(), dst and src alias the same memory with different struct layouts (64-bit vs 32-bit). The inner loop read dst->noutput and dst->outputs at 64-bit struct offsets before they were copied from src, so dst->noutput actually read src->x (wrong field) and dst->outputs read past the 32-bit struct boundary (garbage pointer). Additionally, the loop used from_ulong(dst->outputs[j]) which reads 8-byte unsigned long elements, but the source data contains 4-byte ulong_t XIDs packed in the 32-bit layout. Fix by saving src->noutput and from_ptrv(src->outputs) to local variables before the conversion loop, and reading source elements as ((ulong_t*)outputs)[j] to match the 32-bit element size. This could cause crashes or memory corruption in multi-monitor setups when enlarging XRRMonitorInfo arrays from 32-bit to 64-bit layout.
Contributor
Author
That makes sense
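The aliasing bug discussed above, reproduced and fixed in a stand-alone C model that is an added example, not box64's own code: both struct layouts are declared by hand, `from_ptrv()` resolves a 32-bit pointer as an offset into a small simulated guest memory (an assumption of this example), and `aliased_noutput()` and `check_enlarge()` are hypothetical helpers. `aliased_noutput()` shows what the old loop's `dst->noutput` read actually returned, and the enlarge routine reads every source field before the first store and widens the packed XID array last element first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint32_t ulong_t; /* guest (32-bit) unsigned long: Atom / XID */
typedef uint32_t ptr_t;   /* guest (32-bit) pointer */
/* Host XRRMonitorInfo (LP64): sizeof 56, noutput at offset 16, outputs at 48. */
typedef struct { uint64_t name; int primary, automatic, noutput, x, y, width, height,
                 mwidth, mheight; uint64_t *outputs; } XRRMonitorInfo;
/* Same struct in the 32-bit guest layout: sizeof 44, noutput at 12, x at 16, outputs at 40. */
typedef struct { ulong_t name; int primary, automatic, noutput, x, y, width, height,
                 mwidth, mheight; ptr_t outputs; } XRRMonitorInfo_32;
_Static_assert(sizeof(XRRMonitorInfo) == 56 && sizeof(XRRMonitorInfo_32) == 44, "layouts");
/* Simulated 32-bit address space (assumption of this example): a ptr_t is an offset into it. */
static _Alignas(8) unsigned char guest_mem[256];
static void *from_ptrv(ptr_t p) { return guest_mem + p; }
/* What the old loop did: read dst->noutput at the 64-bit offset before the copy. Because
   the layouts alias, offset 16 holds src->x, so this returns an x coordinate, not a count. */
static int aliased_noutput(const void *buf) {
    int v; memcpy(&v, (const char *)buf + offsetof(XRRMonitorInfo, noutput), sizeof v); return v;
}
/* Widen n packed 32-bit entries to 64-bit entries in the same buffer (sized for n 64-bit
   entries). Walk backwards: the larger entry i only overwrites bytes of 32-bit entries
   >= i, which were already consumed. Everything is read from src before any store. */
static void inplace_XRRMonitorInfo_enlarge(void *buf, int n) {
    for (int i = n - 1; i >= 0; --i) {
        XRRMonitorInfo_32 s;
        memcpy(&s, (char *)buf + i * sizeof s, sizeof s);
        void *outputs = from_ptrv(s.outputs);
        XRRMonitorInfo d = { s.name, s.primary, s.automatic, s.noutput, s.x, s.y,
                             s.width, s.height, s.mwidth, s.mheight, outputs };
        memcpy((char *)buf + i * sizeof d, &d, sizeof d);
        /* The XID array is packed as 4-byte ulong_t too: widen it in place, last element first. */
        for (int j = s.noutput - 1; j >= 0; --j)
            ((uint64_t *)outputs)[j] = ((ulong_t *)outputs)[j];
    }
}
/* Constructed sample: two monitors in the 32-bit layout plus their packed XID arrays. */
static int check_enlarge(void) {
    static unsigned char buf[2 * sizeof(XRRMonitorInfo)];
    XRRMonitorInfo_32 m[2] = {
        { .name = 0x1a1, .primary = 1, .noutput = 2, .x = 1280, .width = 1920, .height = 1080 },
        { .name = 0x1a2, .noutput = 1, .width = 1280, .height = 720, .outputs = 64 } };
    ulong_t xids0[2] = { 0x55, 0x56 }, xids1[1] = { 0x57 };
    memcpy(guest_mem, xids0, sizeof xids0);       /* m[0].outputs == 0 */
    memcpy(guest_mem + 64, xids1, sizeof xids1);  /* m[1].outputs == 64 */
    memcpy(buf, m, sizeof m);                      /* 2 * 44 bytes, packed */
    int bogus = aliased_noutput(buf);              /* 1280: the use-before-set read src->x */
    inplace_XRRMonitorInfo_enlarge(buf, 2);
    const XRRMonitorInfo *w = (const XRRMonitorInfo *)buf;
    return bogus == 1280 && w[0].noutput == 2 && w[0].outputs[0] == 0x55 && w[0].outputs[1] == 0x56
        && w[1].noutput == 1 && w[1].outputs[0] == 0x57 && w[1].height == 720 && w[1].x == 0;
}
```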
In inplace_XRRMonitorInfo_enlarge(), dst and src alias the same memory with different struct layouts (64-bit vs 32-bit). The inner loop read dst->noutput and dst->outputs at 64-bit struct offsets before they were copied from src, so dst->noutput actually read src->x and dst->outputs read past the 32-bit struct boundary. Additionally, the loop used from_ulong(dst->outputs[j]) which reads 8-byte unsigned long elements, but the source data contains 4-byte ulong_t XIDs packed in the 32-bit layout. Fix by saving src->noutput and from_ptrv(src->outputs) to local variables before the conversion loop, and reading source elements as ((ulong_t*)outputs)[j] to match the 32-bit element size. This could cause crashes or memory corruption in multi-monitor setups when enlarging XRRMonitorInfo arrays from 32-bit to 64-bit layout.