xorg-x11-server/0004-xkb-Fix-computation-of-XkbSizeKeySyms.patch

From ddf9500846982402250114803b28180036a54cac Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 11:49:34 +0100
Subject: [PATCH xserver 04/13] xkb: Fix computation of XkbSizeKeySyms

The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.

Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
does.

CVE-2025-26596, ZDI-CAN-25543

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
 xkb/xkb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 68c59df02..175a81bf7 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
     len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
     symMap = &xkb->map->key_sym_map[rep->firstKeySym];
     for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
-        if (symMap->offset != 0) {
-            nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
-            nSyms += nSymsThisKey;
-        }
+        nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+        if (nSymsThisKey == 0)
+            continue;
+        nSyms += nSymsThisKey;
     }
     len += nSyms * 4;
     rep->totalSyms = nSyms;
-- 
2.48.1
CVE fix for CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601 Resolves: https://issues.redhat.com/browse/RHEL-80201 Resolves: https://issues.redhat.com/browse/RHEL-80186 Resolves: https://issues.redhat.com/browse/RHEL-80188 Resolves: https://issues.redhat.com/browse/RHEL-80191 Resolves: https://issues.redhat.com/browse/RHEL-80192 Resolves: https://issues.redhat.com/browse/RHEL-80199 Resolves: https://issues.redhat.com/browse/RHEL-80198 Resolves: https://issues.redhat.com/browse/RHEL-80200 2025-02-26 16:08:24 +00:00			`From ddf9500846982402250114803b28180036a54cac Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Thu, 28 Nov 2024 11:49:34 +0100`
			`Subject: [PATCH xserver 04/13] xkb: Fix computation of XkbSizeKeySyms`

			`The computation of the length in XkbSizeKeySyms() differs from what is`
			`actually written in XkbWriteKeySyms(), leading to a heap overflow.`

			`Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()`
			`does.`

			`CVE-2025-26596, ZDI-CAN-25543`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`(cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773)`

			`Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>`
			`---`
			`xkb/xkb.c \| 8 ++++----`
			`1 file changed, 4 insertions(+), 4 deletions(-)`

			`diff --git a/xkb/xkb.c b/xkb/xkb.c`
			`index 68c59df02..175a81bf7 100644`
			`--- a/xkb/xkb.c`
			`+++ b/xkb/xkb.c`
			`@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)`
			`len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);`
			`symMap = &xkb->map->key_sym_map[rep->firstKeySym];`
			`for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {`
			`- if (symMap->offset != 0) {`
			`- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;`
			`- nSyms += nSymsThisKey;`
			`- }`
			`+ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;`
			`+ if (nSymsThisKey == 0)`
			`+ continue;`
			`+ nSyms += nSymsThisKey;`
			`}`
			`len += nSyms * 4;`
			`rep->totalSyms = nSyms;`
			`--`
			`2.48.1`