From 5e46e3380887dcd30dc7ea582496bbd9a6a4d70c Mon Sep 17 00:00:00 2001
From: Albrecht Schlosser <albrechts.fltk@online.de>
Date: Fri, 1 Jul 2022 18:49:57 +0200
Subject: [PATCH] Fix "Segfault if using very large selections" (issue 451)

Backported from 'master' (fltk 1.4.0). For more information see
  commit c5556291624eec58ed9de186474dfcc858dca691 and issue 451
  https://github.com/fltk/fltk/issues/451
---
 src/Fl_x.cxx | 66 +++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 16 deletions(-)

diff --git a/src/Fl_x.cxx b/src/Fl_x.cxx
index 7c03d33..c8b9c06 100644
--- a/src/Fl_x.cxx
+++ b/src/Fl_x.cxx
@@ -1273,19 +1273,24 @@ static bool getNextEvent(XEvent *event_return)
   return true;
 }
 
-static long getIncrData(uchar* &data, const XSelectionEvent& selevent, long lower_bound)
-{
-//fprintf(stderr,"Incremental transfer starting due to INCR property\n");
+static long getIncrData(uchar* &data, const XSelectionEvent& selevent, size_t lower_bound) {
+  // fprintf(stderr,"Incremental transfer starting due to INCR property\n");
   size_t total = 0;
   XEvent event;
-  XDeleteProperty(fl_display, selevent.requestor, selevent.property);  
+  XDeleteProperty(fl_display, selevent.requestor, selevent.property);
   data = (uchar*)realloc(data, lower_bound);
-  for (;;)
-  {
-    if (!getNextEvent(&event)) break;
-    if (event.type == PropertyNotify)
-    {
-      if (event.xproperty.state != PropertyNewValue) continue;
+  if (!data) {
+    // fprintf(stderr, "[getIncrData:%d] realloc() FAILED, size = %ld\n", __LINE__, lower_bound);
+    Fl::fatal("Clipboard data transfer failed, size %ld too large.", lower_bound);
+  }
+  for (;;) {
+    if (!getNextEvent(&event)) {
+      // This is unexpected but may happen if the sender (clipboard owner) no longer sends data
+      // fprintf(stderr, "[getIncrData:%d] Failed to get next event (timeout) *** break! ***\n", __LINE__);
+      break;
+    }
+    if (event.type == PropertyNotify) {
+      if (event.xproperty.state != PropertyNewValue) continue; // ignore PropertyDelete
       Atom actual_type;
       int actual_format;
       unsigned long nitems;
@@ -1300,15 +1305,39 @@ static long getIncrData(uchar* &data, const XSelectionEvent& selevent, long lowe
 			   AnyPropertyType, &actual_type, &actual_format, &nitems, &bytes_after, &prop);
 	num_bytes = nitems * (actual_format / 8);
 	offset += num_bytes/4;
-	//slice_size += num_bytes;
-	if (total + num_bytes > (size_t)lower_bound) data = (uchar*)realloc(data, total + num_bytes);
-	memcpy(data + total, prop, num_bytes); total += num_bytes;
+	// slice_size += num_bytes;
+        if (total + num_bytes > lower_bound) {
+	  data = (uchar*)realloc(data, total + num_bytes);
+          if (!data) {
+            // fprintf(stderr, "[getIncrData():%d] realloc() FAILED, size = %ld\n", __LINE__, total + num_bytes);
+            Fl::fatal("Clipboard data transfer failed, size %ld too large.", total + num_bytes);
+	  }
+	}
+        memcpy(data + total, prop, num_bytes);
+        total += num_bytes;
 	if (prop) XFree(prop);
       } while (bytes_after != 0);
 //fprintf(stderr,"INCR data size:%ld\n", slice_size);
       if (num_bytes == 0) break;
     }
-    else break;
+    else {
+      // Unexpected next event. At this point we're handling the INCR protocol and can't deal with
+      // *some* other events due to potential recursions. We *could* call fl_handle(event) to handle
+      // *selected* other events but for the time being we ignore all other events!
+      // Handling the INCR protocol for very large data may take some time and multiple events.
+      // Interleaving "other" events are possible, for instance the KeyRelease event of the
+      // ctrl/v key pressed to insert the clipboard. This solution is not perfect but it can
+      // handle the INCR protocol with very large selections in most cases, although with potential
+      // side effects because other events may be ignored.
+      // See GitHub Issue #451: "Segfault if using very large selections".
+      // Note: the "fix" for Issue #451 is basically to use 'continue' rather than 'break'
+      // Debug:
+      // fprintf(stderr,
+      //   "[getIncrData:%d] getNextEvent() returned %d, not PropertyNotify (%d). Event ignored.\n",
+      //   __LINE__, event.type, PropertyNotify);
+
+      continue;
+    }
   }
   XDeleteProperty(fl_display, selevent.requestor, selevent.property);
   return (long)total;
@@ -1376,7 +1405,9 @@ int fl_handle(const XEvent& thisevent)
   case SelectionNotify: {
     static unsigned char* sn_buffer = 0;
     //static const char *buffer_format = 0;
-    if (sn_buffer) {XFree(sn_buffer); sn_buffer = 0;}
+    if (sn_buffer) {
+      free(sn_buffer); sn_buffer = 0;
+    }
     long bytesread = 0;
     if (fl_xevent->xselection.property) for (;;) {
       // The Xdnd code pastes 64K chunks together, possibly to avoid
@@ -1457,7 +1488,10 @@ fprintf(stderr,"\n");*/
 	return true;
       }
 	if (actual == fl_INCR) {
-	  bytesread = getIncrData(sn_buffer, xevent.xselection, *(long*)portion);
+	  // an X11 "integer" (32 bit), the "lower bound" of the clipboard size (see ICCCM)
+	  size_t lower_bound = (*(unsigned long *)portion) & 0xFFFFFFFF;
+	  // fprintf(stderr, "[fl_handle:%d] INCR: lower_bound = %ld\n", __LINE__, lower_bound);
+	  bytesread = getIncrData(sn_buffer, xevent.xselection, lower_bound);
 	  XFree(portion);
 	  break;
 	}