frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xserver/xkb
History
José Expósito 6d33834186 xkb: Check that needed is > 0 in XkbResizeKeyActions 
Passing a negative value in `needed` to the `XkbResizeKeyActions()`
function can create a `newActs` array of an unespected size.
Check the value and return if it is invalid.

This error has been found by a static analysis tool. This is the report:

    Error: OVERRUN (CWE-119):
    libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
      Checking "xkb->server->size_acts == 0" implies that
      "xkb->server->size_acts" is 0 on the true branch.
    libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
      "calloc" allocates 8 bytes dictated by parameters
      "(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
      and "8UL".
    libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
      Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
    libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
      Assigning: "nActs" = "1".
    libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
      Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
      true branch.
    libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
      Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
      passing it to a function which accesses it at byte offset 15
      using argument "nCopy * 8UL" (which evaluates to 8).
    #  828|
    #  829|           if (nCopy > 0)
    #  830|->             memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
    #  831|                      nCopy * sizeof(XkbAction));
    #  832|           if (nCopy < nKeyActs)

(cherry picked from xorg/lib/libx11@af1312d2873d2ce49b18708a5029895aed477392)

Signed-off-by: José Expósito <jexposit@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1821>
 		2025-02-26 13:15:34 +00:00
..
README.compiled R6.6 is the Xorg base-line 2003-11-14 15:54:54 +00:00
XKBAlloc.c xkb: ensure XkbAllocNames sets num_rg to 0 on allocation failure 2025-02-26 13:15:34 +00:00
XKBGAlloc.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
XKBMAlloc.c xkb: Check that needed is > 0 in XkbResizeKeyActions 2025-02-26 13:15:34 +00:00
XKBMisc.c xkb: Fix buffer overflow in XkbChangeTypesOfKey() 2025-02-25 11:43:01 +01:00
XKM_file_format.txt Fix spelling/wording issues 2020-07-05 13:07:33 -07:00
ddxBeep.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
ddxCtrls.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
ddxKillSrv.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
ddxLEDs.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
ddxLoad.c win32: use lib system() instead of our own function 2025-02-11 09:53:59 +01:00
ddxPrivate.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
ddxVT.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
maprules.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
xkb-procs.h xkb: rename xkb.h to xkb-procs.h 2022-07-08 14:27:04 +00:00
xkb.c xkb: Fix computation of XkbSizeKeySyms 2025-02-25 11:43:01 +01:00
xkbAccessX.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
xkbActions.c mi: unexport mieqProcessDeviceEvent() 2025-02-06 16:45:20 +02:00
xkbDflts.h Use ARRAY_SIZE all over the tree 2017-10-30 13:45:20 -04:00
xkbEvents.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
xkbInit.c os: move BUG_*() macros to own private header 2025-02-17 19:32:48 +00:00
xkbLEDs.c drop obsolete HAVE_DIX_CONFIG_H 2024-10-10 13:38:31 +00:00
xkbPrKeyEv.c xwayland: Don't run key behaviors and actions 2025-02-03 05:37:48 +00:00
xkbSwap.c xkb: drop swapping request length fields 2025-02-06 22:28:48 +00:00
xkbUtils.c xkb: Always use MAP_LENGTH keymap size 2025-01-13 11:44:11 +01:00
xkbfile_priv.h xkb: unexport remaining internal declarations 2025-02-06 22:45:25 +00:00
xkbfmisc.c xkb: unexport functions from xkbout.c 2025-02-06 22:45:25 +00:00
xkbfmisc_priv.h xkb: unexport functions from xkbfmisc.c 2025-02-06 22:45:25 +00:00
xkbgeom.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xkbout.c include: drop now empty xkbfile.h 2025-02-06 22:45:25 +00:00
xkbout_priv.h xkb: unexport functions from xkbout.c 2025-02-06 22:45:25 +00:00
xkbsrv_priv.h include: move private defs to dixstruct_priv.h 2024-04-30 00:47:38 +00:00
xkbtext.c xkb: Fix buffer overflow in XkbVModMaskText() 2025-02-25 11:43:01 +01:00
xkbtext_priv.h xkbtext_priv.h: fix typo in header guard definition 2024-11-10 12:51:10 -08:00
xkmread.c xkb: unexport remaining internal declarations 2025-02-06 22:45:25 +00:00

README.compiled 

The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients.  The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time.  The default keymap for any server is usually stored in:
     X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same 
directory.

Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.