frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xkb: Fix computation of XkbSizeKeySyms 

The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.

Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
does.

CVE-2025-26596, ZDI-CAN-25543

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
This commit is contained in:
Olivier Fourdan 2024-11-28 11:49:34 +01:00
parent 11fcda8753
commit 80d69f0142
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
xkb/xkb.c
View File

@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
symMap = &xkb->map->key_sym_map[rep->firstKeySym]; symMap = &xkb->map->key_sym_map[rep->firstKeySym];
for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
if (symMap->offset != 0) { nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; if (nSymsThisKey == 0)
nSyms += nSymsThisKey; continue;
} nSyms += nSymsThisKey;
} }
len += nSyms * 4; len += nSyms * 4;
rep->totalSyms = nSyms; rep->totalSyms = nSyms;