From fa66bacb97ab55840630f717406c588885637739 Mon Sep 17 00:00:00 2001
From: Mikael Magnusson
Date: Wed, 29 Jun 2022 12:08:43 +0200
Subject: Fix overflow on XmbLookupString buffer
The returned nmbbytes value is the length we need the buffer to be, but the current size is only bsize. We can't store a NUL at buf[nmbbytes] before the realloc, so only do this when the buffer is sized properly.
Signed-off-by: Mikael Magnusson
[ismael@iodev.co.uk: Moved string termination out of the loop]
Signed-off-by: Ismael Luceno
Signed-off-by: Alan Coopersmith
---
xev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xev.c b/xev.c
index de4e6e8..5b352df 100644
--- a/xev.c
+++ b/xev.c
@@ -178,13 +178,13 @@ do_KeyPress(XEvent *eventp)
 if (e->type == KeyPress && xic) {
 do {
 nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
- buf[nmbbytes] = '\0';
 if (status == XBufferOverflow) {
 bsize = nmbbytes + 1;
 buf = realloc(buf, bsize);
 }
 } while (status == XBufferOverflow);
+ buf[nmbbytes] = '\0';
 }
 if (ks == NoSymbol)
--
cgit v1.2.3
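Review bot: The `buf = realloc(buf, bsize);` that the relocated terminator relies on is still unchecked, so an allocation failure sets buf to NULL, the loop calls XmbLookupString again with a NULL buffer, and the moved `buf[nmbbytes] = '\0';` then writes through a null pointer. Assigning through a temporary keeps the old buffer valid and lets the failure leave before the store, e.g. `char *tmp = realloc(buf, bsize); if (tmp == NULL) return; buf = tmp;` — a bare `break` would not do, because nmbbytes would still be the required length, past the end of the old buffer. The relocated store itself is in bounds, since the last successful call is bounded by `bsize - 1`, so nmbbytes cannot exceed bsize - 1 once the loop exits. Whether an early return should also free or reset buf depends on where buf is declared, which is outside this hunk; do_KeyPress starts and ends outside the hunk.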