diff options
author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2024-10-29 17:58:23 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2024-10-29 17:58:23 +0000 |
commit | a402ad14e80a8505bf79cd28ee9a4b728563adb4 (patch) | |
tree | 0a39541996db0f682a266a2ec34cafac82dee0d2 | |
parent | b109964b968ebdf074864db6e3ffb6d3a5319eec (diff) |
xkb: Fix buffer overflow in _XkbSetCompatMap()
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
CVE-2024-9632
-rw-r--r-- | xserver/xkb/xkb.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/xserver/xkb/xkb.c b/xserver/xkb/xkb.c index 276dc1938..7da00a0c8 100644 --- a/xserver/xkb/xkb.c +++ b/xserver/xkb/xkb.c @@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, XkbSymInterpretPtr sym; unsigned int skipped = 0; - if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { - compat->num_si = req->firstSI + req->nSI; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; compat->sym_interpret = reallocarray(compat->sym_interpret, - compat->num_si, + compat->size_si, sizeof(XkbSymInterpretRec)); if (!compat->sym_interpret) { - compat->num_si = 0; + compat->num_si = compat->size_si = 0; return BadAlloc; } } |