From d92ac2d1b424e059e8e81d6dd58f0ac195fe3253 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Igor=20B=C3=B6hm?=
Date: Sat, 25 Jul 2020 02:17:21 +0200
Subject: [PATCH] libdraw: fix out-of-bounds access to local buffer in event.c:startrpc()

The function `startrpc()` stack allocates a local buffer of size 100:

```c
static Muxrpc*
startrpc(int type)
{
uchar buf[100];
^^^^^^^^
Wsysmsg w;
w.type = type;
convW2M(&w, buf, sizeof buf);
return muxrpcstart(display->mux, buf);
}
```

The function `convW2M()` is called passing `buf`. That function accesses `buf` out-of-bounds:

```c
uint
convW2M(Wsysmsg *m, uchar *p, uint n)
{
...
case Tcursor2:
PUT(p+6, m->cursor.offset.x);
PUT(p+10, m->cursor.offset.y);
memmove(p+14, m->cursor.clr, sizeof m->cursor.clr);
memmove(p+46, m->cursor.set, sizeof m->cursor.set);
PUT(p+78, m->cursor2.offset.x);
PUT(p+82, m->cursor2.offset.y);
memmove(p+86, m->cursor2.clr, sizeof m->cursor2.clr);
memmove(p+214, m->cursor2.set, sizeof m->cursor2.set);
p[342] = m->arrowcursor;
^^^^^^
```

To fix the issue the size of local variable `buf` is increased from 100 to 512 to avoid out-of-bounds array access.
---
 src/libdraw/event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libdraw/event.c b/src/libdraw/event.c
index e2d5f707..da432db5 100644
--- a/src/libdraw/event.c
+++ b/src/libdraw/event.c
@@ -203,7 +203,7 @@ newebuf(Slave *s, int n)
 static Muxrpc*
 startrpc(int type)
 {
- uchar buf[100];
+ uchar buf[512];
 Wsysmsg w;
 
 w.type = type;
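Review bot: The new size on the `+` line is a bare magic number with nothing tying it to what justifies it; the commit message establishes that convW2M's Tcursor2 case writes through p[342], so 512 is sufficient today but the next change to the wire layout can outgrow it with no diagnostic. Suggest a named constant shared with the encoder, or at least a comment on the declaration, e.g. `uchar buf[512];	/* must hold the largest Wsysmsg encoding; convW2M's Tcursor2 case writes p[342] */`. A more durable fix is for convW2M to honor the `n` it already receives (here `sizeof buf`) and refuse to encode past it, but that function lies outside this hunk. Note also that startrpc initializes only `w.type`; if it is ever called with a type whose encoding copies other fields of `w`, uninitialized stack bytes would be sent to the server, so the set of types passed by callers is worth confirming. The body of startrpc continues past the end of the hunk.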