59 lines
2.0 KiB
Diff
59 lines
2.0 KiB
Diff
From 65977c33a6735b0ffc7d2c691243452f75c1f68c Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Wed, 27 Nov 2024 14:41:45 +0100
|
|
Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
|
|
|
|
The code in XkbVModMaskText() allocates a fixed sized buffer on the
|
|
stack and copies the virtual mod name.
|
|
|
|
There's actually two issues in the code that can lead to a buffer
|
|
overflow.
|
|
|
|
First, the bound check mixes pointers and integers using misplaced
|
|
parenthesis, defeating the bound check.
|
|
|
|
But even though, if the check fails, the data is still copied, so the
|
|
stack overflow will occur regardless.
|
|
|
|
Change the logic to skip the copy entirely if the bound check fails.
|
|
|
|
(cherry picked from xorg/xserver@11fcda8753e994e15eb915d28cf487660ec8e722)
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
---
|
|
src/xkbtext.c | 16 ++++++++--------
|
|
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/xkbtext.c b/src/xkbtext.c
|
|
index 4459ca7..59429b2 100644
|
|
--- a/src/xkbtext.c
|
|
+++ b/src/xkbtext.c
|
|
@@ -190,14 +190,14 @@ XkbVModMaskText(Display * dpy,
|
|
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
|
|
if (format == XkbCFile)
|
|
len += 4;
|
|
- if ((str - (buf + len)) <= BUFFER_SIZE) {
|
|
- if (str != buf) {
|
|
- if (format == XkbCFile)
|
|
- *str++ = '|';
|
|
- else
|
|
- *str++ = '+';
|
|
- len--;
|
|
- }
|
|
+ if ((str - buf) + len > BUFFER_SIZE)
|
|
+ continue; /* Skip */
|
|
+ if (str != buf) {
|
|
+ if (format == XkbCFile)
|
|
+ *str++ = '|';
|
|
+ else
|
|
+ *str++ = '+';
|
|
+ len--;
|
|
}
|
|
if (format == XkbCFile)
|
|
sprintf(str, "%sMask", tmp);
|
|
--
|
|
GitLab
|
|
|