xserver/xkb
Peter Hutterer a439a7340a xkb: Add bounds check for action data in CheckKeyActions()
CheckKeyActions() validates the per-key action count bytes individually
but does not verify that the computed total action data region falls
within the request buffer before advancing the wire pointer past it.

After the loop, the function calculates the final wire position as
wire + nActs * sizeof(XkbAnyAction), where nActs is the sum of per-key
action counts read from the request. The upstream length validation in
_XkbSetMapCheckLength() uses req->totalActs from the request header,
not the computed nActs. If a crafted request provides a totalActs value
that passes the length check but per-key action counts that sum to a
different nActs, the wire pointer could advance past the actual request
buffer.

The subsequent SetKeyActions() function uses memcpy to read from this
potentially out-of-bounds region, which could leak heap data or cause
a crash.

Assisted-by: Claude:claude-claude-opus-4-6
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2208>
2026-05-10 23:14:20 +00:00
ddxBeep.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxCtrls.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxKillSrv.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxLEDs.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
ddxLoad.c xkb: handle -Wanalyzer-null-dereference in XkbDDXLoadKeymapByNames() 2026-04-11 18:12:24 +00:00
ddxPrivate.c Introduce a consistent coding style 2012-03-21 13:54:42 -07:00
ddxVT.c Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
maprules.c xkb: drop defining XKBSRV_NEED_FILE_FUNCS 2026-01-19 12:32:18 -08:00
meson.build Add a Meson build system alongside autotools. 2017-04-26 15:25:27 -07:00
README.compiled Strip trailing whitespace from source files 2026-01-25 10:40:02 -08:00
xkb-procs.h xkb: rename xkb.h to xkb-procs.h 2022-07-08 14:27:04 +00:00
xkb.c xkb: Add bounds check for action data in CheckKeyActions() 2026-05-10 23:14:20 +00:00
xkbAccessX.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
xkbActions.c xkb: Handle allocation failures in _XkbNextFreeFilter() 2026-04-28 02:37:44 +00:00
XKBAlloc.c xkb: ensure XkbAllocNames sets num_rg to 0 on allocation failure 2026-01-25 10:40:01 -08:00
xkbDflts.h Use ARRAY_SIZE all over the tree 2017-10-30 13:45:20 -04:00
xkbEvents.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
xkbfmisc.c xkb: drop unused XkbNameMatchesPattern() 2026-01-19 12:32:25 -08:00
XKBGAlloc.c xkb: add missing NULL check for strdup in XkbAddGeomProperty update path 2026-04-28 02:37:43 +00:00
xkbgeom.h Drop trailing whitespaces 2014-11-12 10:25:00 +10:00
xkbInit.c xkb: fail if we can't strdup our default rules 2026-04-28 02:37:43 +00:00
xkbLEDs.c Fix typos 2026-03-03 06:50:01 -03:00
XKBMAlloc.c xkb: Check that needed is > 0 in XkbResizeKeyActions 2026-01-25 10:40:01 -08:00
XKBMisc.c xkb: Fix buffer overflow in XkbChangeTypesOfKey() 2026-01-25 10:40:01 -08:00
xkbout.c xkb: drop defining XKBSRV_NEED_FILE_FUNCS 2026-01-19 12:32:18 -08:00
xkbPrKeyEv.c xwayland: Don't run key behaviors and actions 2026-01-25 10:39:58 -08:00
xkbSwap.c xkb: drop swapping request length fields 2026-01-25 10:39:58 -08:00
xkbtext.c xkb: Fix potential uninitialized variable 2026-04-29 13:08:12 +00:00
xkbUtils.c Zero out structs to avoid leaking information via padding 2026-04-24 01:14:55 +00:00
XKM_file_format.txt Fix typos 2026-03-03 06:50:01 -03:00
xkmread.c xkb: make XkbInternAtom() static 2026-01-25 10:39:53 -08:00

The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients.  The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time.  The default keymap for any server is usually stored in:
     X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.

Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.