authorMatthieu Herrb <matthieu@cvs.openbsd.org>2024-10-29 17:58:23 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2024-10-29 17:58:23 +0000
commita402ad14e80a8505bf79cd28ee9a4b728563adb4 (patch)
tree0a39541996db0f682a266a2ec34cafac82dee0d2
parentb109964b968ebdf074864db6e3ffb6d3a5319eec (diff)
xkb: Fix buffer overflow in _XkbSetCompatMap()
The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, it didn't update its size properly: it updated `num_si` only, without updating `size_si`. CVE-2024-9632
-rw-r--r--xserver/xkb/xkb.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/xserver/xkb/xkb.c b/xserver/xkb/xkb.c
index 276dc1938..7da00a0c8 100644
--- a/xserver/xkb/xkb.c
+++ b/xserver/xkb/xkb.c
@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
XkbSymInterpretPtr sym;
unsigned int skipped = 0;
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
- compat->num_si = req->firstSI + req->nSI;
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
compat->sym_interpret = reallocarray(compat->sym_interpret,
- compat->num_si,
+ compat->size_si,
sizeof(XkbSymInterpretRec));
if (!compat->sym_interpret) {
- compat->num_si = 0;
+ compat->num_si = compat->size_si = 0;
return BadAlloc;
}
}
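Review bot: The `reallocarray()` result is still assigned straight to `compat->sym_interpret`, so on allocation failure the old array is leaked and the map is reset to empty, when a temporary pointer would let the request fail with `BadAlloc` and leave the existing map intact. Separately, now that the guard compares against `size_si`, a request with `num_si < firstSI + nSI <= size_si` skips this branch and `num_si` is not raised here. The enclosing block continues outside the hunk, so it is worth confirming that the code after it updates `num_si` for that case; otherwise the newly written entries stay beyond the recorded count. Neither point reopens the overflow this commit fixes, since the buffer is now always at least `size_si` entries long.

```c
if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
    unsigned int new_size = req->firstSI + req->nSI;
    XkbSymInterpretPtr grown = reallocarray(compat->sym_interpret,
                                            new_size,
                                            sizeof(XkbSymInterpretRec));

    if (!grown)
        return BadAlloc;    /* old array, num_si and size_si stay valid */
    compat->sym_interpret = grown;
    compat->num_si = compat->size_si = new_size;
}
```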