From 39befa04f92a5acd2f97ef414a799a4a38e979d1 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Sat, 18 Apr 2026 07:34:51 +1000
Subject: [PATCH] xkb: Fix out-of-bounds array access in _CheckSetShapes()
The primaryNdx and approxNdx fields in the shape wire description are attacker-controlled CARD8 values from the client request. They are used to index into the shape->outlines[] array, but were only checked against XkbNoShape (0xff) and never validated against the actual number of outlines (shapeWire->nOutlines).
Assisted-by: Claude:claude-claude-opus-4-6
(cherry picked from commit 86a321ad98213957bbb56f295417b0939326718b)
Part-of:
---
 xkb/xkb.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 15ee8ba04..1ab8dd732 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5563,10 +5563,22 @@ _CheckSetShapes(XkbGeometryPtr geom,
 ol->num_points = olWire->nPoints;
 olWire = (xkbOutlineWireDesc *)ptWire;
 }
- if (shapeWire->primaryNdx != XkbNoShape)
+ if (shapeWire->primaryNdx != XkbNoShape) {
+ if (shapeWire->primaryNdx >= shapeWire->nOutlines) {
+ client->errorValue = _XkbErrCode3(0x08, shapeWire->primaryNdx,
+ shapeWire->nOutlines);
+ return BadValue;
+ }
 shape->primary = &shape->outlines[shapeWire->primaryNdx];
- if (shapeWire->approxNdx != XkbNoShape)
+ if (shapeWire->approxNdx != XkbNoShape) {
+ if (shapeWire->approxNdx >= shapeWire->nOutlines) {
+ client->errorValue = _XkbErrCode3(0x08, shapeWire->approxNdx,
+ shapeWire->nOutlines);
+ return BadValue;
+ }
 shape->approx = &shape->outlines[shapeWire->approxNdx];
+ }
 shapeWire = (xkbShapeWireDesc *) olWire;
 }
 wire = (char *) shapeWire;
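Review bot: Both new bounds checks compare the client-supplied index with `shapeWire->nOutlines`, another value from the same request, rather than with the count of the `shape->outlines[]` array that is actually indexed. If the allocation and outline loop above the hunk (not visible here) always leave the shape with exactly `nOutlines` entries, the two are equivalent, but tying the guard to the server-side object, e.g. `if (shapeWire->primaryNdx >= shape->num_outlines) {`, keeps it valid if that ever changes; the same applies to the `approxNdx` check. Both failures also pass the same code `0x08` to `_XkbErrCode3`, so the error value alone does not say which index was rejected. `_CheckSetShapes` begins and ends outside this hunk, so whether the early `return BadValue` leaves a partially built shape for the caller to release should be confirmed there.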