From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
Date: Tue, 30 Apr 2024 17:37:39 +0200
Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in XkbResizeKeyActions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Passing a negative value in `needed` to the `XkbResizeKeyActions()`
function can create a `newActs` array of an unexpected size.

Check the value and return if it is invalid.

This error has been found by a static analysis tool. This is the report:

Error: OVERRUN (CWE-119):
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const: Checking "xkb->server->size_acts == 0" implies that "xkb->server->size_acts" is 0 on the true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc: "calloc" allocates 8 bytes dictated by parameters "(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)" and "8UL".
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign: Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment: Assigning: "nActs" = "1".
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least: Checking "nCopy > 0" implies that "nCopy" is at least 1 on the true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg: Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by passing it to a function which accesses it at byte offset 15 using argument "nCopy * 8UL" (which evaluates to 8).
# 828|
# 829|       if (nCopy > 0)
# 830|->         memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
# 831|                  nCopy * sizeof(XkbAction));
# 832|       if (nCopy < nKeyActs)

Signed-off-by: José Expósito
Part-of:
---
 src/xkb/XKBMAlloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
index 8b3be303..0563a688 100644
--- a/src/xkb/XKBMAlloc.c
+++ b/src/xkb/XKBMAlloc.c
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed) register int i, nActs; XkbAction *newActs; - if (needed == 0) { + if (needed <= 0) { xkb->server->key_acts[key] = 0; return NULL; } -- 2.45.2
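Review bot: the widened `if (needed <= 0)` branch treats a negative `needed` exactly like `needed == 0`, so it still executes `xkb->server->key_acts[key] = 0;` before returning NULL, meaning an invalid (negative) request silently discards the key's existing action offset rather than simply being rejected as the commit message ("Check the value and return if it is invalid") describes. Consider splitting the two cases, e.g. adding `if (needed < 0) return NULL;` ahead of the existing `needed == 0` block, so a caller bug cannot clear a key's actions as a side effect; whichever behaviour is intended, the commit message should state it. Since NULL now covers both "no actions requested" and "invalid argument" and the two are indistinguishable to callers, a short comment on the function noting that NULL is returned for `needed <= 0` would also help.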