mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 14:00:03 +01:00
xkb: Fix buffer overflow in XkbChangeTypesOfKey()
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
key syms to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value for nGroups,
this will cause a buffer overflow because the key actions are of the wrong
size.
To avoid the issue, make sure to resize both the key syms and key actions
when nGroups is 0.
CVE-2025-26597, ZDI-CAN-25683
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0e4ed94952)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
This commit is contained in:
Olivier Fourdan
parent
60df821467
commit
39c7ed837b
1 changed files with 1 additions and 0 deletions
|
|
@ -552,6 +552,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
|
||||||
i = XkbSetNumGroups(i, 0);
|
i = XkbSetNumGroups(i, 0);
|
||||||
xkb->map->key_sym_map[key].group_info = i;
|
xkb->map->key_sym_map[key].group_info = i;
|
||||||
XkbResizeKeySyms(xkb, key, 0);
|
XkbResizeKeySyms(xkb, key, 0);
|
||||||
|
XkbResizeKeyActions(xkb, key, 0);
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue