From e8ec7ca022bd21077885a99f34c3a363aa88fe1f Mon Sep 17 00:00:00 2001 From: Mikhail Dmitrichenko Date: Tue, 14 Apr 2026 12:06:51 +0300 Subject: [PATCH] xkb: fix incorrect size check when growing doodads in a section In XkbAddGeomDoodad(), when adding a doodad to a specific section (section != NULL), there is a comparison between section->num_doodads and geom->sz_doodads instead of the section's own section->sz_doodads. The else branch (global geometry doodads) was already correct. Compare section->num_doodads against section->sz_doodads to prevent a potential out-of-bounds. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Mikhail Dmitrichenko (cherry picked from commit dd8b8cf49d326802c53b01835618a7e3765d91cb) Part-of: --- xkb/XKBGAlloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xkb/XKBGAlloc.c b/xkb/XKBGAlloc.c index f0cda24fe..9b71f6121 100644 --- a/xkb/XKBGAlloc.c +++ b/xkb/XKBGAlloc.c @@ -769,7 +769,7 @@ XkbAddGeomDoodad(XkbGeometryPtr geom, XkbSectionPtr section, Atom name) return doodad; } if (section) { - if ((section->num_doodads >= geom->sz_doodads) && + if ((section->num_doodads >= section->sz_doodads) && (_XkbAllocDoodads(section, 1) != Success)) { return NULL; }
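Review bot: In the `if (section)` branch of XkbAddGeomDoodad(), the corrected comparison looks right, but the commit message only says "a potential out-of-bounds" and does not spell out when the old check went wrong. With the old condition, a section whose num_doodads had reached section->sz_doodads but was still below geom->sz_doodads would skip `_XkbAllocDoodads(section, 1)`, so the section's array was not grown before use. Please state that condition in the message, and say whether the result is a write past the section's doodads array, so that anyone backporting can judge exposure. Because the bug is a count from one structure compared against the capacity of another, it is also worth confirming that the other num_/sz_ growth checks in xkb/XKBGAlloc.c each compare against the same structure's sz_ field. A test that adds doodads to a section beyond its initial capacity while the geometry-level capacity is larger would pin this fix.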