author | Mikael Magnusson <mikachu@gmail.com> | 2022-06-29 12:08:43 +0200 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2022-07-17 09:04:40 -0700 |
commit | fa66bacb97ab55840630f717406c588885637739 (patch) | |
tree | 80b330caef821a440b6fc7d4bc58d984d99133dc | |
parent | 19e473aa6b1fbd01bb8c7206c06aacf5e789d758 (diff) |
Fix overflow on XmbLookupString buffer

The returned nmbbytes value is the length we need the buffer to be, but
the current size is only bsize. We can't store a NUL at buf[nmbbytes]
before the realloc, so only do this when the buffer is sized properly.

Signed-off-by: Mikael Magnusson <mikachu@gmail.com>
[ismael@iodev.co.uk: Moved string termination out of the loop]
Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

-rw-r--r-- | xev.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -178,13 +178,13 @@ do_KeyPress(XEvent *eventp) if (e->type == KeyPress && xic) { do { nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status); - buf[nmbbytes] = '\0'; if (status == XBufferOverflow) { bsize = nmbbytes + 1; buf = realloc(buf, bsize); } } while (status == XBufferOverflow); + buf[nmbbytes] = '\0'; } if (ks == NoSymbol) |
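
Review bot: the `realloc` result in the unchanged context, `buf = realloc(buf, bsize);`, is still unchecked, so on allocation failure `buf` becomes NULL, the original block is leaked, the loop retries with a NULL buffer, and the terminator this patch places after the loop, `buf[nmbbytes] = '\0';`, would write through that NULL pointer. Assign the result to a temporary, keep the old pointer on failure, and leave the handler before reaching the terminator. On the normal exit path the moved store is consistent with the sizes used here: the retry sets `bsize = nmbbytes + 1` and passes `bsize - 1` as the capacity, which leaves index `nmbbytes` free for the NUL. A one-line comment at the new store saying that the buffer is only guaranteed large enough once the loop has finished would help keep it from being moved back inside the loop.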