From 04386fb2057cac34934e3f35177380cc5ce795ee Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Sat, 18 Apr 2026 09:23:52 +1000 Subject: [PATCH] xkb: Fix out-of-bounds array access in xkmread.c ReadXkmGeometry The primary_ndx and approx_ndx fields from the XKM shape wire description are used as indices into the shape->outlines[] array without bounds checking against num_outlines. Exploiting this (if it can be exploited) requires a malicious xkbcomp - the path of which is built-in at compile time. There are lower-hanging targets than trying to exploit through an XKM file. Assisted-by: Claude:claude-claude-opus-4-6 Part-of: --- xkb/xkmread.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xkb/xkmread.c b/xkb/xkmread.c index def60def8..94dd0f1ac 100644 --- a/xkb/xkmread.c +++ b/xkb/xkmread.c @@ -1132,9 +1132,11 @@ ReadXkmGeometry(FILE * file, XkbDescPtr xkb) shape->bounds.y2 = ptWire.y; } } - if (shapeWire.primary_ndx != XkbNoShape) + if (shapeWire.primary_ndx != XkbNoShape && + shapeWire.primary_ndx < shapeWire.num_outlines) shape->primary = &shape->outlines[shapeWire.primary_ndx]; - if (shapeWire.approx_ndx != XkbNoShape) + if (shapeWire.approx_ndx != XkbNoShape && + shapeWire.approx_ndx < shapeWire.num_outlines) shape->approx = &shape->outlines[shapeWire.approx_ndx]; } }
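Review bot: both new conditions in ReadXkmGeometry bound the index by shapeWire.num_outlines, the count declared in the file, while the array being indexed is shape->outlines[]. Comparing against shape->num_outlines, the count the shape itself holds, would tie the check to the array it protects and keep it correct if the two values ever differ. Separately, an out-of-range primary_ndx or approx_ndx is now skipped without any signal, so a malformed XKM file still loads with shape->primary or shape->approx simply not assigned here. Consider logging the bad index or failing the read at that point, and add a one-line comment saying that these indices are taken from the file and are untrusted.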