fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-06-07 02:58:22 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

xkb: fix potential buff overflow in XkbVModIndexText for XkbCFile format

Browse source 
len calculation and strncpy limit were off by one when prefixing
"vmod_" to the virtual modifier name. This could write the final
NULL one byte past the allocated buffer from tbGetBuffer().

Use proper allocation len for prefix to avoid writing out-of-bounds.

Found by Linux Verification Center (linuxtesting.org) with SVACE

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 5dfb435c1d)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2225>
This commit is contained in:
Mikhail Dmitrichenko 2026-04-14 13:22:35 +03:00 committed by Alan Coopersmith
parent e8ec7ca022
commit b3e1ebc42b
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
xkb/xkbtext.c
View file

@ -138,11 +138,11 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
len = strlen(tmp) + 1;
if (format == XkbCFile)
len += 4;
len += 5;
rtrn = tbGetBuffer(len);
if (format == XkbCFile) {
strcpy(rtrn, "vmod_");
strncpy(&rtrn[5], tmp, len - 4);
strncpy(&rtrn[5], tmp, len - 5);
}
else
strncpy(rtrn, tmp, len);