[PATCH] test/xi2: fail if xi2 class type is garbage. (#25492)

Julien Cristau jcristau at debian.org
Sat Dec 26 06:57:40 PST 2009


On Wed, Dec 23, 2009 at 12:54:14 +1000, Peter Hutterer wrote:

> If the keycode range exceeds the allowable length, memory gets overwritten.
> Catch this case by making sure that only allowed class types are
> present.
> 
Should this also be handled outside of the tests by not overwriting
memory in the first place, or is it impossible to get a keycode range
this big in the server?

diff --git a/dix/eventconvert.c b/dix/eventconvert.c
index e25f3ee..f8b2252 100644
--- a/dix/eventconvert.c
+++ b/dix/eventconvert.c
@@ -379,6 +379,8 @@ appendKeyInfo(DeviceChangedEvent *dce, xXIKeyInfo* info)
     uint32_t *kc;
     int i;
 
+    if (dce->keys.max_keycode - dce->keys.min_keycode > USHRT_MAX - sizeof(*info)/4 - 1)
+        return 0;
     info->type = XIKeyClass;
     info->num_keycodes = dce->keys.max_keycode - dce->keys.min_keycode + 1;
     info->length = sizeof(xXIKeyInfo)/4 + info->num_keycodes;
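
Review bot: the added guard in appendKeyInfo compares a difference of two keycode fields against `USHRT_MAX - sizeof(*info)/4 - 1`, which has type size_t, so the left side is converted to unsigned before the comparison. If max_keycode can ever be smaller than min_keycode, the event is rejected only as a side effect of that conversion; an explicit `max_keycode < min_keycode` test would make the intent clear. The bound itself only keeps info->length within 16 bits; nothing in this hunk ties it to the space actually available behind info, so it is worth confirming that the caller sizes the buffer from the same range. Returning 0 also drops the key class silently, so the caller needs to treat a 0 return as an error rather than as a zero-length append. A short comment stating what the limit protects, and using sizeof(xXIKeyInfo) as the line computing info->length does, would help the next reader.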

Cheers,
Julien

