From b10abf6b99d5acf846c26f305f1a14a86360a96c Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko
Date: Wed, 15 Apr 2026 11:18:31 +0300
Subject: [PATCH] xkb: fix incorrect size check when growing doodads in a section
In XkbAddGeomDoodad(), when adding a doodad to a specific section (section != NULL), there is a comparison between section->num_doodads and geom->sz_doodads instead of the section's own section->sz_doodads. The else branch (global geometry doodads) was already correct. Compare section->num_doodads against section->sz_doodads to prevent a potential out-of-bounds. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko
Part-of:
---
 src/xkb/XKBGAlloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/xkb/XKBGAlloc.c b/src/xkb/XKBGAlloc.c
index 5b02f34c..cb3904a8 100644
--- a/src/xkb/XKBGAlloc.c
+++ b/src/xkb/XKBGAlloc.c
@@ -879,7 +879,7 @@ XkbAddGeomDoodad(XkbGeometryPtr geom, XkbSectionPtr section, Atom name)
 return doodad;
 }
 if (section) {
- if ((section->num_doodads >= geom->sz_doodads) &&
+ if ((section->num_doodads >= section->sz_doodads) &&
 (_XkbAllocDoodads(section, 1) != Success)) {
 return NULL;
 }
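Review bot: The corrected guard in the `if (section)` branch carries no comment recording the invariant the old line broke, namely that a section's count must be compared with that same section's capacity. I would add above it `/* Grow check must use the section's own sz_doodads; geom->sz_doodads sizes the geometry-level list. */` so a later edit does not pair the two containers again. The line that stores the new doodad is outside the hunk, so I am assuming it indexes `section->doodads` by `section->num_doodads`; the out-of-bounds concern in the commit message rests on that. The body of XkbAddGeomDoodad starts and ends outside the hunk, and `_XkbAllocDoodads` is defined elsewhere, so its own bounds handling cannot be confirmed from here.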