From 772b799a83e72382d5594cf0eca8a01d42e4002e Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
Date: Sat, 20 Sep 2014 20:12:38 +0200
Subject: XCB: fix a possible array overflow leading to a crash

The QClipboard::Mode returned from modeForAtom should be checked
everywhere because values greater than Selection (i.e. FindBuffer)
aren't supported on X and should mean error conditions.

The lack of such a check did an out-of-bounds array access, which
could lead to a crash.

Change-Id: I70f70b5f713ab2f892e258d4df2f7afeb434f0c1
Reviewed-by: Uli Schlachter <psychon@znc.in>
Reviewed-by: Gatis Paeglis <gatis.paeglis@digia.com>
---
 src/plugins/platforms/xcb/qxcbclipboard.cpp | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/plugins/platforms/xcb/qxcbclipboard.cpp')

diff --git a/src/plugins/platforms/xcb/qxcbclipboard.cpp b/src/plugins/platforms/xcb/qxcbclipboard.cpp
index e7f8510706..a5bbefcfd1 100644
--- a/src/plugins/platforms/xcb/qxcbclipboard.cpp
+++ b/src/plugins/platforms/xcb/qxcbclipboard.cpp
@@ -738,6 +738,9 @@ void QXcbClipboard::handleSelectionRequest(xcb_selection_request_event_t *req)
 void QXcbClipboard::handleXFixesSelectionRequest(xcb_xfixes_selection_notify_event_t *event)
 {
     QClipboard::Mode mode = modeForAtom(event->selection);
+    if (mode > QClipboard::Selection)
+        return;
+
     // here we care only about the xfixes events that come from non Qt processes
     if (event->owner != XCB_NONE && event->owner != owner()) {
         if (!m_xClipboard[mode]) {
-- 
cgit v1.2.3