45 lines
1.5 KiB
Diff
45 lines
1.5 KiB
Diff
From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Thu, 28 Nov 2024 11:49:34 +0100
|
|
Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms
|
|
|
|
The computation of the length in XkbSizeKeySyms() differs from what is
|
|
actually written in XkbWriteKeySyms(), leading to a heap overflow.
|
|
|
|
Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
|
|
does.
|
|
|
|
CVE-2025-26596, ZDI-CAN-25543
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
xkb/xkb.c | 8 ++++----
|
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
index 85659382d..744dba63d 100644
|
|
--- a/xkb/xkb.c
|
|
+++ b/xkb/xkb.c
|
|
@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
|
|
len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
|
|
symMap = &xkb->map->key_sym_map[rep->firstKeySym];
|
|
for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
|
|
- if (symMap->offset != 0) {
|
|
- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
|
|
- nSyms += nSymsThisKey;
|
|
- }
|
|
+ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
|
|
+ if (nSymsThisKey == 0)
|
|
+ continue;
|
|
+ nSyms += nSymsThisKey;
|
|
}
|
|
len += nSyms * 4;
|
|
rep->totalSyms = nSyms;
|
|
--
|
|
2.48.1
|
|
|