fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-01-09 01:50:17 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix MEMORY SMASH in XkbCopyKeymap.

Browse source 
XkbCopyKeymap reallocates the destination keymap when it is not large enough
to hold the source data. When reallocating the map->types data, it needs to
zero out the new entries. The computation for where to start bzero'ing was
accounting for the size of the data type twice, once implicitly in the
pointer arithmetic, and once explicitly with '* sizeof (XkbKeyTypeRec)'.
This would often lead to random memory corruption when the destination
keymap had existing map->types data.
This commit is contained in:
Keith Packard 2007-07-04 23:38:27 -07:00
parent 9131d560a0
commit 9ff7ff2fda
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
xkb/xkbUtils.c
View file

@ -1003,9 +1003,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr dst, Bool sendNotifies)
if (!tmp)
return FALSE;
dst->map->types = tmp;
bzero(dst->map->types +
(dst->map->num_types * sizeof(XkbKeyTypeRec)),
(src->map->num_types - dst->map->size_types) *
bzero(dst->map->types + dst->map->num_types,
(src->map->num_types - dst->map->num_types) *
sizeof(XkbKeyTypeRec));
}
else {