authorLinus Groh <mail@linusgroh.de>2020-12-25 22:45:47 +0100
committerAndreas Kling <kling@serenityos.org>2020-12-25 23:07:06 +0100
commitd8899ea65b1eb6f878019c280ce3517a210431f1 (patch)
tree86b6ab7c7d4e0b5c47679df92684c889e8aa5d65
parent82f86e35d6e0aa521df632fdba43fe7a37a5db4c (diff)
WindowServer: Validate cursor type in SetWindowCursor message handler
Fixes #4536.
-rw-r--r--Libraries/LibGfx/StandardCursor.h1
-rw-r--r--Services/WindowServer/ClientConnection.cpp5
-rw-r--r--Services/WindowServer/Cursor.cpp3
3 files changed, 8 insertions, 1 deletions
diff --git a/Libraries/LibGfx/StandardCursor.h b/Libraries/LibGfx/StandardCursor.h
index 7bdd1a6204..38c35b7076 100644
--- a/Libraries/LibGfx/StandardCursor.h
+++ b/Libraries/LibGfx/StandardCursor.h
@@ -45,6 +45,7 @@ enum class StandardCursor {
Drag,
Move,
Wait,
+ __Count,
};
}
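Review bot: `__Count` now serves as the upper bound when validating a client-supplied cursor type, and that only holds while it stays the last enumerator and the ones before it run contiguously from 0. The start of the enum is outside this hunk, so that cannot be confirmed from here. A comment on the new line would record the invariant, e.g. `__Count, // Sentinel, must stay last: used to range-check cursor types received over IPC`. Separately, identifiers containing a double underscore are reserved for the implementation in C++, so a sentinel name without one would be safer if the project's conventions allow it.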
diff --git a/Services/WindowServer/ClientConnection.cpp b/Services/WindowServer/ClientConnection.cpp
index 87b21f5987..8e390469ed 100644
--- a/Services/WindowServer/ClientConnection.cpp
+++ b/Services/WindowServer/ClientConnection.cpp
@@ -27,6 +27,7 @@
#include <AK/Badge.h>
#include <AK/SharedBuffer.h>
#include <LibGfx/Bitmap.h>
+#include <LibGfx/StandardCursor.h>
#include <LibGfx/SystemTheme.h>
#include <WindowServer/AppletManager.h>
#include <WindowServer/ClientConnection.h>
@@ -609,6 +610,10 @@ OwnPtr<Messages::WindowServer::SetWindowCursorResponse> ClientConnection::handle
return nullptr;
}
auto& window = *(*it).value;
+ if (message.cursor_type() < 0 || message.cursor_type() >= (i32)Gfx::StandardCursor::__Count) {
+ did_misbehave("SetWindowCursor: Bad cursor type");
+ return nullptr;
+ }
window.set_cursor(Cursor::create((Gfx::StandardCursor)message.cursor_type()));
Compositor::the().invalidate_cursor();
return make<Messages::WindowServer::SetWindowCursorResponse>();
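Review bot: The new check in the SetWindowCursor handler calls `message.cursor_type()` three times and uses C-style casts on both sides of the trust boundary. Reading the value once and using named casts makes the validate-then-convert step easier to audit: `auto cursor_type = message.cursor_type();`, then compare against `static_cast<i32>(Gfx::StandardCursor::__Count)` and pass `static_cast<Gfx::StandardCursor>(cursor_type)` to `Cursor::create`. A short comment such as `// cursor_type is client-controlled; reject out-of-range values before converting to the enum` would explain why the guard exists. If other handlers also convert a client-supplied integer to `Gfx::StandardCursor` (not visible here), they would need the same check, and a shared helper would keep them from diverging. The handler body starts and ends outside this hunk.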
diff --git a/Services/WindowServer/Cursor.cpp b/Services/WindowServer/Cursor.cpp
index 236c27a50d..23d34fe8ae 100644
--- a/Services/WindowServer/Cursor.cpp
+++ b/Services/WindowServer/Cursor.cpp
@@ -177,8 +177,9 @@ RefPtr<Cursor> Cursor::create(Gfx::StandardCursor standard_cursor)
return WindowManager::the().move_cursor();
case Gfx::StandardCursor::Wait:
return WindowManager::the().wait_cursor();
+ default:
+ ASSERT_NOT_REACHED();
}
- ASSERT_NOT_REACHED();
}
}
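Review bot: Adding `default:` to the switch in `Cursor::create` turns off the compiler's unhandled-enumerator warning (-Wswitch). A cursor later added to `StandardCursor` without a matching case would then pass the new range check in the SetWindowCursor handler and reach `ASSERT_NOT_REACHED()` from client-supplied input. Handling the sentinel explicitly keeps the warning: replace `default:` with `case Gfx::StandardCursor::__Count:` followed by `break;`, and leave `ASSERT_NOT_REACHED();` after the switch as it was. The start of the switch is outside the hunk, so whether every current enumerator already has a case cannot be confirmed from here.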