[PATCH] test/xi2: fail if xi2 class type is garbage. (#25492)
Julien Cristau
jcristau at debian.org
Sat Dec 26 06:57:40 PST 2009
On Wed, Dec 23, 2009 at 12:54:14 +1000, Peter Hutterer wrote:
> If the keycode range exceeds the allowable length, memory gets overwritten.
> Catch this case by making sure that only allowed class types are
> present.
>
Should this also be handled outside of the tests by not overwriting
memory in the first place, or is it impossible to get a keycode range
this big in the server?
diff --git a/dix/eventconvert.c b/dix/eventconvert.c
index e25f3ee..f8b2252 100644
--- a/dix/eventconvert.c
+++ b/dix/eventconvert.c
@@ -379,6 +379,8 @@ appendKeyInfo(DeviceChangedEvent *dce, xXIKeyInfo* info)
uint32_t *kc;
int i;
+ if (dce->keys.max_keycode - dce->keys.min_keycode > USHRT_MAX - sizeof(*info)/4 - 1)
+ return 0;
info->type = XIKeyClass;
info->num_keycodes = dce->keys.max_keycode - dce->keys.min_keycode + 1;
info->length = sizeof(xXIKeyInfo)/4 + info->num_keycodes;
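Review bot: The new guard at the top of appendKeyInfo mixes signed and unsigned arithmetic: `sizeof(*info)/4` is a size_t, so the comparison is done unsigned, and a max_keycode below min_keycode is rejected only as a side effect of the wrapped difference. An explicit `dce->keys.max_keycode < dce->keys.min_keycode` test ahead of the range check would make that intent visible. The early `return 0` would also benefit from a comment saying what a zero length means to callers, since the visible lines do not show how the return value is consumed. Finally, the check bounds num_keycodes against the USHRT_MAX range of the length field, not against the size of the buffer behind info, so the buffer size still has to be confirmed at the call site.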
Cheers,
Julien