26c6b983e8
Upstream merge request: https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250
Resolves: https://issues.redhat.com/browse/RHEL-34918
63 lines
2.4 KiB
Diff
From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 17:37:39 +0200
Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in
XkbResizeKeyActions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Passing a negative value in `needed` to the `XkbResizeKeyActions()`
function can create a `newActs` array of an unexpected size.
Check the value and return if it is invalid.

This error has been found by a static analysis tool. This is the report:

Error: OVERRUN (CWE-119):
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
Checking "xkb->server->size_acts == 0" implies that
"xkb->server->size_acts" is 0 on the true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
"calloc" allocates 8 bytes dictated by parameters
"(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
and "8UL".
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
Assigning: "nActs" = "1".
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
passing it to a function which accesses it at byte offset 15
using argument "nCopy * 8UL" (which evaluates to 8).
# 828|
# 829| if (nCopy > 0)
# 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
# 831| nCopy * sizeof(XkbAction));
# 832| if (nCopy < nKeyActs)

Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
src/xkb/XKBMAlloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
index 8b3be303..0563a688 100644
--- a/src/xkb/XKBMAlloc.c
+++ b/src/xkb/XKBMAlloc.c
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed)
register int i, nActs;
XkbAction *newActs;
- if (needed == 0) {
+ if (needed <= 0) {
xkb->server->key_acts[key] = 0;
return NULL;
}
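Review bot: In the `if (needed <= 0)` branch, a negative `needed` now takes the same path as a legitimate zero: it resets `xkb->server->key_acts[key]` to 0 and returns NULL, so a caller that passes an invalid count has the key's action index cleared as a side effect and cannot tell the rejection apart from the "no actions" case. Consider handling `needed < 0` on its own and returning NULL without touching `key_acts[key]`, or add a comment stating that negative values are deliberately treated as zero. The commit message would also benefit from one sentence linking a negative `needed` to the reported overrun at line 830, since the quoted trace only mentions `size_acts`, `nActs` and `nCopy`.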
--
2.45.2