From cc2bd590f368cb6aaa5d1b54e3ac4689f37f54ed Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Tue, 14 Apr 2026 13:22:35 +0300
Subject: [PATCH] xkb: fix potential buff overflow in XkbVModIndexText for
 XkbCFile format

len calculation and strncpy limit were off by one when prefixing
"vmod_" to the virtual modifier name. This could write the final
NULL one byte past the allocated buffer from tbGetBuffer().

Use proper allocation len for prefix to avoid writing out-of-bounds.

Found by Linux Verification Center (linuxtesting.org) with SVACE

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 5dfb435c1d864bf154369cb86d085d4159730378)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2224>
---
 xkb/xkbtext.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index 53b98c848..dd826b189 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -139,11 +139,11 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
 
     len = strlen(tmp) + 1;
     if (format == XkbCFile)
-        len += 4;
+        len += 5;
     rtrn = tbGetBuffer(len);
     if (format == XkbCFile) {
         strcpy(rtrn, "vmod_");
-        strncpy(&rtrn[5], tmp, len - 4);
+        strncpy(&rtrn[5], tmp, len - 5);
     }
     else
         strncpy(rtrn, tmp, len);