util: fix heap buffer overflow in xread_with_fds()

This situation cannot happen in a normal protocol conversation, the only
message that transports an fd (ei_keyboard.keymap) has one single fd and
(32 + 1 * sizeof(int)) is large enough on the platforms that matter.

fd transport is always EIS to ei, so as long as EIS is trusted enough,
this is not a security issue that matters.

Found-by: Claude Code <noreply@anthropic.com>
Part-of: <https://gitlab.freedesktop.org/libinput/libei/-/merge_requests/380>
Peter Hutterer 2026-03-11 14:34:30 +10:00 committed by Marge Bot
parent 5141212fb4
commit e5c72682da

@ -54,7 +54,7 @@ xread_with_fds(int fd, void *buf, size_t count, int **fds)
if (received > 0) {
*fds = NULL;
_cleanup_free_ int *fd_return = xalloc(MAX_FDS + 1 * sizeof(int));
_cleanup_free_ int *fd_return = xalloc((MAX_FDS + 1) * sizeof(int));
size_t idx = 0;
for (struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); hdr; hdr = CMSG_NXTHDR(&msg, hdr)) {
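
Review bot: the corrected size on the xalloc() line, (MAX_FDS + 1) * sizeof(int), is only safe if the CMSG loop that follows caps idx at MAX_FDS, and that bound is not visible in this hunk; please confirm the loop stops storing once idx reaches MAX_FDS and closes any surplus descriptors it received instead of leaking them. With the old expression and the MAX_FDS of 32 quoted in the commit message, the buffer was 32 + sizeof(int) bytes, so a regression test that passes several fds in one message over a socketpair would exercise exactly this path. Expressing the size through a count-times-size allocation (calloc style) would also make this kind of operator-precedence slip harder to reintroduce.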