mirror of https://gitlab.freedesktop.org/xorg/xserver.git (synced 2026-05-06 11:38:20 +02:00)
xkb: fix buffer re-use in _XkbSetCompatMap
If the "compat" buffer has previously been truncated, there will be
unused space in the buffer. The code uses this space, but does not
update the number of valid entries in the buffer.
In the best case, this leads to the new compat entries being ignored. In the
worst case, if there are any "skipped" compat entries, the number of
valid entries will be corrupted, potentially leading to a buffer read
overrun when processing a future request.
Set the number of used "compat" entries when re-using previously
allocated space in the buffer.
CVE-2026-33999, ZDI-CAN-28593
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b024ae1749)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
parent fd9f9f747e
commit 432cb931cf
1 changed files with 1 additions and 1 deletions
|
|
@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
|||
return BadAlloc;
|
||||
}
|
||||
}
|
||||
else if (req->truncateSI) {
|
||||
else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
|
||||
compat->num_si = req->firstSI + req->nSI;
|
||||
}
|
||||
sym = &compat->sym_interpret[req->firstSI];
|
||||
|
|
|
|||
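Review bot: The widened `else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si)` branch has no comment saying why `num_si` is raised when the client did not ask for truncation, so the next reader has nothing in the code tying it to the reuse of previously allocated space that the commit message describes. A one-line comment above the condition (for example, that writing past `num_si` into already-allocated entries must extend the valid count) would keep that invariant visible. The sum `req->firstSI + req->nSI` now appears in both the test and the assignment; computing it once into a local would make it obvious the two cannot drift apart. The visible lines do not show whether `req->firstSI` is bounded against `compat->num_si` before this point; if it is, a brief mention in the same comment would help, because otherwise the assignment would count entries between the old `num_si` and `firstSI` as valid without this request writing them.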