Bug #6428, #16458, #21464: Fix crash due to uninitialized VModMap fields.

In ProcXkbGetKbdByName, mrep.firstVModMapKey, .nVModMapKeys and .totalVModMapKeys were not initialized, contained random values and caused accesses to unallocated and later modified memory, causing XkbSizeVirtualModMap and XkbWriteVirtualModMap to see different number of nonzero values, resulting in writes past the end of an array in XkbSendMap. This patch initializes those values sensibly and reverts commits 5c0a2088 and 6dd4fc46, which have been plain non-sense. Signed-off-by: Tomas Janousek <tomi@nomi.cz> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 525aa17f80) Signed-off-by: Keith Packard <keithp@keithp.com>
2009-05-20 15:03:01 +02:00 · 2009-05-20 15:03:01 +02:00 · bbe0be1e45
commit bbe0be1e45
parent 6056d429e7
1 changed files with 5 additions and 3 deletions
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@ -1311,7 +1311,7 @@ XkbSizeVirtualModMap(XkbDescPtr xkb,xkbGetMapReply *rep)
 	rep->totalVModMapKeys= 0;
 	return 0;
    }
-    for (nRtrn=i=0;i<rep->nVModMapKeys-1;i++) {
+    for (nRtrn=i=0;i<rep->nVModMapKeys;i++) {
 	if (xkb->server->vmodmap[i+rep->firstVModMapKey]!=0)
 	    nRtrn++;
    }
@ -1330,7 +1330,7 @@ unsigned short *	pMap;

    wire= (xkbVModMapWireDesc *)buf;
    pMap= &xkb->server->vmodmap[rep->firstVModMapKey];
-    for (i=0;i<rep->nVModMapKeys-1;i++,pMap++) {
+    for (i=0;i<rep->nVModMapKeys;i++,pMap++) {
 	if (*pMap!=0) {
 	    wire->key= i+rep->firstVModMapKey;
 	    wire->vmods= *pMap;
@ -5673,7 +5673,7 @@ ProcXkbGetKbdByName(ClientPtr client)
 	    mrep.present = 0;
 	    mrep.totalSyms = mrep.totalActs =
 		mrep.totalKeyBehaviors= mrep.totalKeyExplicit= 
-		mrep.totalModMapKeys= 0;
+		mrep.totalModMapKeys= mrep.totalVModMapKeys= 0;
 	    if (rep.reported&(XkbGBN_TypesMask|XkbGBN_ClientSymbolsMask)) {
 		mrep.present|= XkbKeyTypesMask;
 		mrep.firstType = 0;
@ -5699,6 +5699,8 @@ ProcXkbGetKbdByName(ClientPtr client)
 			mrep.firstKeyExplicit = new->min_key_code;
 		mrep.nKeyActs = mrep.nKeyBehaviors = 
 			mrep.nKeyExplicit = XkbNumKeys(new);
+		mrep.firstVModMapKey= new->min_key_code;
+		mrep.nVModMapKeys= XkbNumKeys(new);
 	    }
 	    else {
 		mrep.virtualMods= 0;