https://bugs.kde.org/show_bug.cgi?id=491130
--- Comment #7 from Matt Whitlock <k...@mattwhitlock.name> ---

Created attachment 175571 --> https://bugs.kde.org/attachment.cgi?id=175571&action=edit
Patch to avoid out-of-bounds access or truncation of magic cookie data in KSMServer

Found the problem. It's actually more laughable than use-after-free.

David Edmundson rewrote[1] part of KSMServer to eliminate a dependency on the `iceauth` utility, but he botched the handling of magic cookie data. Specifically, he calls strdup() on a fixed-length character sequence that is not guaranteed to be NUL-terminated and may in fact contain NUL bytes. It's a little amazing that this never crashes KSMServer outright, since it is an out-of-bounds memory access.

[1] https://invent.kde.org/plasma/plasma-workspace/-/commit/9398f6cf8933055b31506ba155aef2fc2b3561d7

Attached is an untested patch that should fix the issue. I'm rebuilding plasma-workspace with the patch now and will test it out the next time I restart my Plasma session (which could be weeks from now).
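The defect described in the comment is a general C pitfall: a length-delimited byte buffer (an ICE magic cookie is arbitrary bytes with a separate length) is handed to strdup(), which only understands NUL-terminated strings. The added example below is constructed for illustration and is not KSMServer's code or the attached patch; the cookie_t type, the sample cookie bytes and the helper names are assumptions. It shows the two observable consequences side by side: strdup() silently truncates a cookie at an embedded NUL (the over-read case is not exercised, because reading past the buffer is undefined behaviour), while copying by explicit length and carrying the length along preserves every byte.

```c
#define _POSIX_C_SOURCE 200809L /* declares strdup() under strict -std= modes */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical representation of an ICE authentication record (constructed
 * for this example; not KSMServer's or libICE's actual types). */
typedef struct {
    uint8_t *data;   /* raw cookie bytes, NOT NUL-terminated */
    size_t   length; /* number of valid bytes in data */
} cookie_t;

/* Buggy pattern: treating a length-delimited byte sequence as a C string.
 * strdup() copies up to the first NUL byte, so a cookie containing a NUL
 * is truncated, and a cookie containing no NUL is read past its end.
 * To keep this demo well-defined, callers pass a buffer that happens to
 * have a sentinel NUL after `length` bytes. */
static char *copy_cookie_with_strdup(const cookie_t *c) {
    return strdup((const char *)c->data); /* c->length is ignored */
}

/* Fixed pattern: copy exactly `length` bytes and keep the length with them. */
static int copy_cookie_by_length(const cookie_t *src, cookie_t *dst) {
    dst->data = malloc(src->length);
    if (dst->data == NULL) return -1;
    memcpy(dst->data, src->data, src->length);
    dst->length = src->length;
    return 0;
}

/* Constructed 4-byte cookie with an embedded NUL at offset 1, followed by a
 * sentinel NUL so the strdup() variant stays in bounds. */
static uint8_t sample_raw[] = { 0x12, 0x00, 0xab, 0xcd, 0x00 };

/* Number of cookie bytes that survive the strdup() copy. */
static size_t strdup_copy_len(void) {
    cookie_t c = { sample_raw, 4 };
    char *dup = copy_cookie_with_strdup(&c);
    size_t n = dup ? strlen(dup) : 0;
    free(dup);
    return n; /* 1: everything after the embedded NUL is lost */
}

/* Number of cookie bytes that survive the length-based copy, verified
 * byte-for-byte against the source. */
static size_t length_copy_len(void) {
    cookie_t c = { sample_raw, 4 };
    cookie_t out = { NULL, 0 };
    if (copy_cookie_by_length(&c, &out) != 0) return 0;
    size_t n = (memcmp(out.data, sample_raw, 4) == 0) ? out.length : 0;
    free(out.data);
    return n; /* 4: all bytes preserved */
}

int main(void) {
    printf("strdup copy kept %zu of 4 cookie bytes\n", strdup_copy_len());
    printf("length copy kept %zu of 4 cookie bytes\n", length_copy_len());
    return 0;
}
```

The practical review rule this illustrates: whenever a value arrives as a (pointer, length) pair, every copy of it must be made with memcpy() and that length, and the length must travel with the copy; any str*() call on such a buffer is a bug even if it happens not to crash.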