From: Alex Henrie
Subject: [PATCH v2] winex11: Avoid inefficiency and overflow in remove_startup_notification.
Message-Id: <1446522631-29107-1-git-send-email-alexhenrie24@gmail.com>
Date: Mon, 2 Nov 2015 20:50:31 -0700
Cc: Damjan Jovanovic
Cc: Vincent Povirk
Coverity #713245, "Checking pos < 1022U implies that pos is between 1022 and 1023 (inclusive) on the false branch."
Signed-off-by: Alex Henrie
---
 dlls/winex11.drv/window.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/dlls/winex11.drv/window.c b/dlls/winex11.drv/window.c
index b763677..683813a 100644
--- a/dlls/winex11.drv/window.c
+++ b/dlls/winex11.drv/window.c
@@ -110,49 +110,46 @@ static void remove_startup_notification(Display *display, Window window) { static LONG startup_notification_removed = 0; char id[1024]; - char message[1024]; + char message[4096]; int i; int pos; XEvent xevent; const char *src; int srclen; if (InterlockedCompareExchange(&startup_notification_removed, 1, 0) != 0) return; if (GetEnvironmentVariableA("DESKTOP_STARTUP_ID", id, sizeof(id)) == 0) return; SetEnvironmentVariableA("DESKTOP_STARTUP_ID", NULL); if ((src = strstr( id, "_TIME" ))) update_user_time( atol( src + 5 )); - pos = snprintf(message, sizeof(message), "remove: ID="); - message[pos++] = '"'; - for (i = 0; id[i] && pos < sizeof(message) - 2; i++) + pos = sprintf(message, "remove: ID=\""); + for (i = 0; id[i]; i++) { if (id[i] == '"' || id[i] == '\\') message[pos++] = '\\'; message[pos++] = id[i]; } message[pos++] = '"'; message[pos++] = '\0'; xevent.xclient.type = ClientMessage; xevent.xclient.message_type = x11drv_atom(_NET_STARTUP_INFO_BEGIN); xevent.xclient.display = display; xevent.xclient.window = window; xevent.xclient.format = 8; src = message; - srclen = strlen(src) + 1; + srclen = pos; while (srclen > 0) { - int msglen = srclen; - if (msglen > 20) - msglen = 20; - memset(&xevent.xclient.data.b[0], 0, 20); - memcpy(&xevent.xclient.data.b[0], src, msglen); + int msglen = min(srclen, sizeof(xevent.xclient.data.b)); + memset(xevent.xclient.data.b, 0, sizeof(xevent.xclient.data.b)); + memcpy(xevent.xclient.data.b, src, msglen); src += msglen; srclen -= msglen; -- 2.6.2
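Review bot: The rewritten escape loop `for (i = 0; id[i]; i++)` drops the only bound on `pos`, so the writes into `message` are now safe only if `id` is NUL-terminated within its 1024 bytes, and the unchanged context line above it does not guarantee that. That line rejects only a return of 0 from `GetEnvironmentVariableA`; by the documented Win32 contract a value that does not fit returns the required size and leaves the buffer contents undefined (Wine's implementation may happen to terminate it, which should be confirmed rather than assumed). I would capture the result and reject both cases, `len = GetEnvironmentVariableA("DESKTOP_STARTUP_ID", id, sizeof(id));` followed by `if (len == 0 || len >= sizeof(id)) return;`, since the variable is set by whatever launched the process. The 4096 is also unexplained: a comment such as `/* worst case: 12-byte prefix + every id byte escaped (2 * 1023) + closing quote + NUL */`, or sizing the array from `sizeof(id)`, would keep the two buffers in step. The function body continues past the end of the hunk.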