From d8899ea65b1eb6f878019c280ce3517a210431f1 Mon Sep 17 00:00:00 2001
From: Linus Groh
Date: Fri, 25 Dec 2020 22:45:47 +0100
Subject: [PATCH] WindowServer: Validate cursor type in SetWindowCursor message handler
Fixes #4536.
---
 Libraries/LibGfx/StandardCursor.h | 1 +
 Services/WindowServer/ClientConnection.cpp | 5 +++++
 Services/WindowServer/Cursor.cpp | 3 ++-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Libraries/LibGfx/StandardCursor.h b/Libraries/LibGfx/StandardCursor.h
index 7bdd1a6204..38c35b7076 100644
--- a/Libraries/LibGfx/StandardCursor.h
+++ b/Libraries/LibGfx/StandardCursor.h
@@ -45,6 +45,7 @@ enum class StandardCursor {
 Drag,
 Move,
 Wait,
+ __Count,
 };
 }
diff --git a/Services/WindowServer/ClientConnection.cpp b/Services/WindowServer/ClientConnection.cpp
index 87b21f5987..8e390469ed 100644
--- a/Services/WindowServer/ClientConnection.cpp
+++ b/Services/WindowServer/ClientConnection.cpp
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -609,6 +610,10 @@ OwnPtr ClientConnection::handle
 return nullptr;
 }
 auto& window = *(*it).value;
+ if (message.cursor_type() < 0 || message.cursor_type() >= (i32)Gfx::StandardCursor::__Count) {
+ did_misbehave("SetWindowCursor: Bad cursor type");
+ return nullptr;
+ }
 window.set_cursor(Cursor::create((Gfx::StandardCursor)message.cursor_type()));
 Compositor::the().invalidate_cursor();
 return make();
diff --git a/Services/WindowServer/Cursor.cpp b/Services/WindowServer/Cursor.cpp
index 236c27a50d..23d34fe8ae 100644
--- a/Services/WindowServer/Cursor.cpp
+++ b/Services/WindowServer/Cursor.cpp
@@ -177,8 +177,9 @@ RefPtr Cursor::create(Gfx::StandardCursor standard_cursor)
 return WindowManager::the().move_cursor();
 case Gfx::StandardCursor::Wait:
 return WindowManager::the().wait_cursor();
+ default:
+ ASSERT_NOT_REACHED();
 }
- ASSERT_NOT_REACHED();
 }
 }
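Review bot: `__Count` in `StandardCursor` carries no comment marking it as a sentinel rather than a selectable cursor, although the range check added in ClientConnection.cpp depends on it staying the last enumerator and on the enumerators above it being contiguous from 0. I would add `// Sentinel, not a real cursor: must stay last; used to range-check client-supplied cursor types.` directly above it. The start of the enum is outside the hunk, so the value of the first enumerator cannot be confirmed from here.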
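Review bot: The new range check in the SetWindowCursor handler has no comment explaining why it must sit before the cast. `message.cursor_type()` is an integer supplied by the client, and the conversion to `Gfx::StandardCursor` on the following `window.set_cursor(...)` line is only safe once that integer has been bounded. I would add `// cursor_type is client-controlled; reject it before the cast so Cursor::create() only ever sees real enumerators.` above the `if`. The handler's body begins outside the hunk, so the checks that precede the window lookup are not visible here.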
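Review bot: Moving `ASSERT_NOT_REACHED()` under a `default:` label in `Cursor::create` gives every enumerator a matching label, so an unhandled-enumerator warning (if the build enables one) would no longer flag a cursor added to `StandardCursor` without a case here. Such a value would pass the new `< __Count` check in ClientConnection.cpp and reach the assertion inside WindowServer at runtime. Naming the sentinel explicitly, `case Gfx::StandardCursor::__Count: break;`, and keeping `ASSERT_NOT_REACHED();` after the switch would preserve the compile-time signal. The start of the switch is outside the hunk.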