xkb: Fix out-of-bounds array access in xkmread.c ReadXkmGeometry

The primary_ndx and approx_ndx fields from the XKM shape wire
description are used as indices into the shape->outlines[] array without
bounds checking against num_outlines.

Exploiting this (if it can be exploited) requires a malicious xkbcomp -
the path of which is built-in at compile time. There are lower-hanging
targets than trying to exploit through an XKM file.

Assisted-by: Claude:claude-claude-opus-4-6
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2207>
Peter Hutterer 2026-04-18 09:23:52 +10:00 committed by Marge Bot
parent a439a7340a
commit 04386fb205

@ -1132,9 +1132,11 @@ ReadXkmGeometry(FILE * file, XkbDescPtr xkb)
shape->bounds.y2 = ptWire.y;
}
}
if (shapeWire.primary_ndx != XkbNoShape)
if (shapeWire.primary_ndx != XkbNoShape &&
shapeWire.primary_ndx < shapeWire.num_outlines)
shape->primary = &shape->outlines[shapeWire.primary_ndx];
if (shapeWire.approx_ndx != XkbNoShape)
if (shapeWire.approx_ndx != XkbNoShape &&
shapeWire.approx_ndx < shapeWire.num_outlines)
shape->approx = &shape->outlines[shapeWire.approx_ndx];
}
}
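Review bot: In both new conditions, an index that is neither XkbNoShape nor below shapeWire.num_outlines now falls through silently, so a malformed XKM file is still accepted and shape->primary / shape->approx keep whatever value they had before these lines. Consider treating that case as a read error, or at least logging it, rather than only skipping the assignment, and check that later users of the shape tolerate the pointers being unset. The bound also comes from the wire field shapeWire.num_outlines; the allocation of shape->outlines is not visible in this hunk, so it is worth confirming that the array was sized from the same count, or comparing against the count stored on the shape itself.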