From a402ad14e80a8505bf79cd28ee9a4b728563adb4 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Tue, 29 Oct 2024 17:58:23 +0000
Subject: xkb: Fix buffer overflow in _XkbSetCompatMap()

The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. CVE-2024-9632
---
 xserver/xkb/xkb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'xserver')

diff --git a/xserver/xkb/xkb.c b/xserver/xkb/xkb.c
index 276dc1938..7da00a0c8 100644
--- a/xserver/xkb/xkb.c
+++ b/xserver/xkb/xkb.c
@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
 XkbSymInterpretPtr sym;
 unsigned int skipped = 0;
 
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
- compat->num_si = req->firstSI + req->nSI;
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
 compat->sym_interpret = reallocarray(compat->sym_interpret,
- compat->num_si,
+ compat->size_si,
 sizeof(XkbSymInterpretRec));
 if (!compat->sym_interpret) {
- compat->num_si = 0;
+ compat->num_si = compat->size_si = 0;
 return BadAlloc;
 }
 }
-- 
cgit v1.2.3
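Review bot: The `reallocarray()` result is still assigned straight back to `compat->sym_interpret`, and `num_si`/`size_si` are raised before the allocation is known to have succeeded, so on failure the old buffer is leaked and every existing interpretation is discarded. Allocating into a temporary and committing the pointer and both counters only on success would leave the compat map intact when `BadAlloc` is returned, as sketched below. The declarations of `num_si` and `size_si` are outside the hunk; it is worth confirming that `req->firstSI + req->nSI` always fits their type, because the comparison is made in `unsigned` while the stored value takes the field's width. The block enclosing this `if` starts and ends outside the hunk.

```c
        unsigned int skipped = 0;
        unsigned int new_size = (unsigned) (req->firstSI + req->nSI);

        if (new_size > compat->size_si) {
            XkbSymInterpretPtr grown = reallocarray(compat->sym_interpret,
                                                    new_size,
                                                    sizeof(XkbSymInterpretRec));
            if (!grown)
                return BadAlloc;    /* old buffer and counters remain valid */
            compat->sym_interpret = grown;
            compat->num_si = compat->size_si = new_size;
        }
```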