From 3578cc3c2e1b5cb8eb191e2d12ad88e1bc9e6e1e Mon Sep 17 00:00:00 2001 From: Andreas Wettstein Date: Wed, 19 Dec 2012 18:13:21 +0100 Subject: [PATCH] xkb: Do not use base group as an array index. The base group is not brought into range and, therefore, using it as an array index crashed the X server. Also, at this place, we should ignore locked groups, but not latched groups. Therefore, use sum of base and latched groups, brought into range. Reproducible with: key { type= "ONE_LEVEL", symbols[Group1]= [ NoSymbol ], actions[Group1]= [ LatchGroup(group=-1, clearLocks) ] }; And hitting F7 will exceed the group level and access arbitrary memory. Signed-off-by: Andreas Wettstein Reviewed-by: Peter Hutterer Signed-off-by: Peter Hutterer --- xkb/xkbUtils.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c index c23cd7784..6c6af60f0 100644 --- a/xkb/xkbUtils.c +++ b/xkb/xkbUtils.c @@ -642,6 +642,7 @@ XkbComputeCompatState(XkbSrvInfoPtr xkbi) CARD16 grp_mask; XkbStatePtr state = &xkbi->state; XkbCompatMapPtr map; + XkbControlsPtr ctrls; if (!state || !xkbi->desc || !xkbi->desc->ctrls || !xkbi->desc->compat) return; @@ -650,9 +651,14 @@ XkbComputeCompatState(XkbSrvInfoPtr xkbi) grp_mask = map->groups[state->group].mask; state->compat_state = state->mods | grp_mask; state->compat_lookup_mods = state->lookup_mods | grp_mask; + ctrls= xkbi->desc->ctrls; - if (xkbi->desc->ctrls->enabled_ctrls & XkbIgnoreGroupLockMask) - grp_mask = map->groups[state->base_group].mask; + if (ctrls->enabled_ctrls & XkbIgnoreGroupLockMask) { + unsigned char grp = state->base_group+state->latched_group; + if (grp >= ctrls->num_groups) + grp = XkbAdjustGroup(XkbCharToInt(grp), ctrls); + grp_mask = map->groups[grp].mask; + } state->compat_grab_mods = state->grab_mods | grp_mask; return; }