
Segfault in _apply_name because xcb's strings aren't null-terminated #1503

Open
falsifian opened this issue Jul 19, 2024 · 0 comments · May be fixed by #1504

Comments

@falsifian

I recently got a SIGSEGV with this backtrace.

#0  0x00000556bc78a1e0 in mknodat () at /tmp/-:2
#1  0x00000556bc7bc887 in __svfscanf (fp=0x737d11cdb830, fmt0=<optimized out>, ap=0x737d11cdbbb0)
    at /usr/src/lib/libc/stdio/vfscanf.c:652
#2  0x00000556bc7570da in inet_ntop6 (src=0x100 <error: Cannot access memory at address 0x100>, 
    dst=0x737d11cdbd00 "`\275\315\021}s", size=<optimized out>) at /usr/src/lib/libc/net/inet_ntop.c:176
#3  _libc_inet_ntop (af=<optimized out>, src=0x100, dst=0x737d11cdbd00 "`\275\315\021}s", size=29565)
    at /usr/src/lib/libc/net/inet_ntop.c:51
#4  0x00000553e24a2725 in _apply_name (win=39845900, csq=0x556a967f000) at src/rule.c:310
#5  0x00000553e24a2e9b in apply_rules (win=39845900, csq=0x556a967f000) at src/rule.c:333
#6  0x00000553e2489f79 in schedule_window (win=39845900) at src/window.c:67
#7  0x00000553e2486c11 in map_request (evt=0x556a965cbd0) at src/events.c:95
#8  0x00000553e2486ae1 in handle_event (evt=0x556a965cbd0) at src/events.c:45
#9  0x00000553e2475497 in main (argc=1, argv=0x737d11cdc9a8) at src/bspwm.c:263

I suspect the first few frames are garbage, but in #4, in the _apply_name function, reply.name is not null-terminated:

(gdb) print reply.name
$7 = 0x556a9695fb0 "tmux", '\337' <repeats 75 times>, <incomplete sequence \337><error: Cannot access memory at address 0x556a9696000>

I don't know anything about xcb, but based on some brief searching, it looks like xcb gives no guarantee that reply.name is null-terminated. Instead, there's a length field.

This is at falsifian@b0ecf25 in my personal fork but I'm pretty sure none of my local changes would affect this.

I've gotten a similar crash previously (not sure how similar, but something about applying rules), and I vaguely recall bspwm crashing in the past without me bothering to look into it. I guess it happens every few days or few weeks, somewhere in that range.
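The over-read described in this report, as an added example that is not bspwm's code or the linked PR: a length-delimited name of the kind xcb returns is copied with the `%.*s` idiom the fix commit mentions and compared by length instead of with strcmp(). The struct, helper names and the sample bytes are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an xcb string reply: a length field plus a
 * buffer that is NOT null-terminated (assumption: mirrors the convention
 * the issue describes; not xcb's or bspwm's actual types). */
struct name_reply {
    int name_len;
    const char *name;
};

/* Copy a length-delimited name into dst, always null-terminating dst.
 * "%.*s" reads at most name_len bytes, so strlen() is never run on the
 * unterminated source buffer (the over-read behind the SIGSEGV above).
 * Returns snprintf's count, i.e. bytes that would have been written
 * without the terminator; a value >= dst_size means truncation. */
int copy_name(const struct name_reply *r, char *dst, size_t dst_size)
{
    if (r->name_len < 0 || dst_size == 0) return -1;
    return snprintf(dst, dst_size, "%.*s", r->name_len, r->name);
}

/* Compare a length-delimited name with a null-terminated rule pattern.
 * strcmp() would also walk past the end of r->name, so use the length. */
int name_equals(const struct name_reply *r, const char *pattern)
{
    size_t plen = strlen(pattern);
    return r->name_len >= 0 && (size_t)r->name_len == plen
        && memcmp(r->name, pattern, plen) == 0;
}

/* Sample input modelled on the gdb output in the report: "tmux" followed
 * by garbage bytes and no terminator (constructed for this example). */
const char raw_name[8] = { 't', 'm', 'u', 'x', '\337', '\337', '\337', '\337' };
const struct name_reply sample = { 4, raw_name };

int main(void)
{
    char buf[64];
    copy_name(&sample, buf, sizeof buf);
    printf("name=\"%s\" matches tmux: %d\n", buf, name_equals(&sample, "tmux"));
    return 0;
}
```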

falsifian added a commit to falsifian/bspwm that referenced this issue Jul 19, 2024
I got the printf %.*s idea from xcb documentation somewhere but now I
can't find it.

Fixes baskerville#1503
@falsifian falsifian linked a pull request Jul 19, 2024 that will close this issue
ortango added a commit to ortango/bspwm that referenced this issue Jul 26, 2024
I got the printf %.*s idea from xcb documentation somewhere but now I
can't find it.

Fixes baskerville#1503

authored-by: James Cook <[email protected]>