xkb: Fix buffer overflow in XkbVModMaskText()

The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the virtual mod name. There's actually two issues in the code that can lead to a buffer overflow. First, the bound check mixes pointers and integers using misplaced parenthesis, defeating the bound check. But even though, if the check fails, the data is still copied, so the stack overflow will occur regardless. Change the logic to skip the copy entirely if the bound check fails. CVE-2025-26595, ZDI-CAN-25545 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 11fcda8753) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
2026-01-14 10:10:33 +01:00 · 2024-11-27 14:41:45 +01:00 · 2024-11-27 14:41:45 +01:00 · bfbb53e0b9
commit bfbb53e0b9
parent 80f8d0b8e2
1 changed files with 8 additions and 8 deletions
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@ -174,14 +174,14 @@ XkbVModMaskText(XkbDescPtr xkb,
                len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
                if (format == XkbCFile)
                    len += 4;
-                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
-                    if (str != buf) {
-                        if (format == XkbCFile)
-                            *str++ = '|';
-                        else
-                            *str++ = '+';
-                        len--;
-                    }
+                if ((str - buf) + len > VMOD_BUFFER_SIZE)
+                    continue; /* Skip */
+                if (str != buf) {
+                    if (format == XkbCFile)
+                        *str++ = '|';
+                    else
+                        *str++ = '+';
+                    len--;
                }
                if (format == XkbCFile)
                    sprintf(str, "%sMask", tmp);