xkb: Fix heap overflow caused by optimized away min.

Calling strlen on char[4] that does not need to contain '\0' is wrong and X server may end up running into uninitialized memory. In addition GCC 8 is clever enough that it knows that strlen on char[4] can return 0, 1, 2, 3 or cause undefined behavior. With this knowledge it can optimize away the min(..., 4). In reality it can cause the memcpy to be called with bigger size than 4 and overflow the destination buffer. Fixes: 83913de25d (xkb: Silence some compiler warnings) Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/288 Signed-off-by: Matt Turner <mattst88@gmail.com>
2018-06-21 13:44:04 +02:00 · 2018-06-21 13:44:04 +02:00 · 74627d13c7
parent 446ff2d317
commit 74627d13c7
1 changed files with 5 additions and 6 deletions
--- a/xkb/XKBGAlloc.c
+++ b/xkb/XKBGAlloc.c
@ -588,8 +588,7 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
         i++, alias++) {
        if (strncmp(alias->alias, aliasStr, XkbKeyNameLength) == 0) {
            memset(alias->real, 0, XkbKeyNameLength);
-            memcpy(alias->real, realStr,
-                   min(XkbKeyNameLength, strlen(realStr)));
+            memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
            return alias;
        }
    }
@ -599,8 +598,8 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
    }
    alias = &geom->key_aliases[geom->num_key_aliases];
    memset(alias, 0, sizeof(XkbKeyAliasRec));
-    memcpy(alias->alias, aliasStr, min(XkbKeyNameLength, strlen(aliasStr)));
-    memcpy(alias->real, realStr, min(XkbKeyNameLength, strlen(realStr)));
+    memcpy(alias->alias, aliasStr, strnlen(aliasStr, XkbKeyNameLength));
+    memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
    geom->num_key_aliases++;
    return alias;
 }
@ -815,8 +814,8 @@ XkbAddGeomOverlayKey(XkbOverlayPtr overlay,
        (_XkbAllocOverlayKeys(row, 1) != Success))
        return NULL;
    key = &row->keys[row->num_keys];
-    memcpy(key->under.name, under, min(XkbKeyNameLength, strlen(under)));
-    memcpy(key->over.name, over, min(XkbKeyNameLength, strlen(over)));
+    memcpy(key->under.name, under, strnlen(under, XkbKeyNameLength));
+    memcpy(key->over.name, over, strnlen(over, XkbKeyNameLength));
    row->num_keys++;
    return key;
 }