fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-05-05 05:18:25 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

xkb: Fix computation of XkbSizeKeySyms

Browse source 
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.

Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
does.

CVE-2025-26596, ZDI-CAN-25543

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 80d69f0142)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
This commit is contained in:
Olivier Fourdan 2024-11-28 11:49:34 +01:00
parent bfbb53e0b9
commit 60df821467
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
xkb/xkb.c
View file

@ -1092,10 +1092,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
symMap = &xkb->map->key_sym_map[rep->firstKeySym];
for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
if (symMap->offset != 0) {
nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
nSyms += nSymsThisKey;
}
nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
if (nSymsThisKey == 0)
continue;
nSyms += nSymsThisKey;
}
len += nSyms * 4;
rep->totalSyms = nSyms;