From de940e06f8733d87bbb857aef85d830053442cfe Mon Sep 17 00:00:00 2001
From: Peter Harris
Date: Thu, 14 Nov 2019 14:06:21 -0500
Subject: [PATCH] xkb: fix key type index check in _XkbSetMapChecks

This code block was moved from a function that returns 0 for failure to a function that returns 0 for Success in commit 649293f6b634e6305b6737a841d6e9d0f0065d6c. Change the return value to BadValue to match the other checks in _XkbSetMapChecks. Set nTypes to xkb->map->num_types when XkbKeyTypesMask is not set, to allow requests with the XkbKeyTypesMask flag unset in stuff->present to succeed. Fixes a potential heap smash when client->swapped is true, because the remainder of the request will not be swapped after "return 0", but _XkbSetMap will be called anyway (because 0 is Success).

Signed-off-by: Peter Harris
---
 xkb/xkb.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 9ffaf68fb..d93078a6e 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2419,6 +2419,9 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
 client->errorValue = nTypes;
 return BadValue;
 }
+ else {
+ nTypes = xkb->map->num_types;
+ }

 /* symsPerKey/mapWidths must be filled regardless of client-side flags */
 map = &xkb->map->key_sym_map[xkb->min_key_code];
@@ -2429,7 +2432,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
 for (w = g = 0; g < ng; g++) {
 if (map->kt_index[g] >= (unsigned) nTypes) {
 client->errorValue = _XkbErrCode4(0x13, i, g, map->kt_index[g]);
- return 0;
+ return BadValue;
 }
 if (mapWidths[map->kt_index[g]] > w)
 w = mapWidths[map->kt_index[g]];
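Review bot: The `else` added in the first hunk hangs off an `if` whose condition starts outside the hunk, so it may run in more cases than the commit message intends. If that condition combines the `XkbKeyTypesMask` test with the key-type check (not visible here), the branch also executes when the mask is set and the check succeeded, replacing the `nTypes` that check produced with `xkb->map->num_types`. That value is the bound used by `map->kt_index[g] >= (unsigned) nTypes` in the second hunk before `mapWidths[map->kt_index[g]]` is read, so a stale count would make the index validation compare against the wrong table size. Writing the branch as `else if (!(req->present & XkbKeyTypesMask)) { nTypes = xkb->map->num_types; }` would pin the assignment to the one case the message describes.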