andreacavalli
/
xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

xkb: Fix heap overflow caused by optimized away min. 

Calling strlen on char[4] that does not need to contain '\0' is wrong and X
server may end up running into uninitialized memory.

In addition GCC 8 is clever enough that it knows that strlen on char[4] can
return 0, 1, 2, 3 or cause undefined behavior. With this knowledge it can
optimize away the min(..., 4). In reality it can cause the memcpy to be called
with bigger size than 4 and overflow the destination buffer.

Fixes: 83913de25d (xkb: Silence some compiler warnings)
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/288
Signed-off-by: Matt Turner <mattst88@gmail.com>
This commit is contained in:
Michal Srb 2018-06-21 13:44:04 +02:00 committed by Matt Turner
parent 446ff2d317
commit 74627d13c7
1 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
xkb/XKBGAlloc.c
View File

@ -588,8 +588,7 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
i++, alias++) {
if (strncmp(alias->alias, aliasStr, XkbKeyNameLength) == 0) {
memset(alias->real, 0, XkbKeyNameLength);
memcpy(alias->real, realStr,
min(XkbKeyNameLength, strlen(realStr)));
memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
return alias;
}
}
@ -599,8 +598,8 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
}
alias = &geom->key_aliases[geom->num_key_aliases];
memset(alias, 0, sizeof(XkbKeyAliasRec));
memcpy(alias->alias, aliasStr, min(XkbKeyNameLength, strlen(aliasStr)));
memcpy(alias->real, realStr, min(XkbKeyNameLength, strlen(realStr)));
memcpy(alias->alias, aliasStr, strnlen(aliasStr, XkbKeyNameLength));
memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
geom->num_key_aliases++;
return alias;
}
@ -815,8 +814,8 @@ XkbAddGeomOverlayKey(XkbOverlayPtr overlay,
(_XkbAllocOverlayKeys(row, 1) != Success))
return NULL;
key = &row->keys[row->num_keys];
memcpy(key->under.name, under, min(XkbKeyNameLength, strlen(under)));
memcpy(key->over.name, over, min(XkbKeyNameLength, strlen(over)));
memcpy(key->under.name, under, strnlen(under, XkbKeyNameLength));
memcpy(key->over.name, over, strnlen(over, XkbKeyNameLength));
row->num_keys++;
return key;
}