[PATCH] test/xi2: fail if xi2 class type is garbage. (#25492)

Peter Hutterer peter.hutterer at who-t.net
Sun Dec 27 13:48:53 PST 2009


On Sat, Dec 26, 2009 at 03:57:40PM +0100, Julien Cristau wrote:
> On Wed, Dec 23, 2009 at 12:54:14 +1000, Peter Hutterer wrote:
> 
> > If the keycode range exceeds the allowable length, memory gets overwritten.
> > Catch this case by making sure that only allowed class types are
> > present.
> > 
> Should this also be handled outside of the tests by not overwriting
> memory in the first place, or is it impossible to get a keycode range
> this big in the server?
> 
> diff --git a/dix/eventconvert.c b/dix/eventconvert.c
> index e25f3ee..f8b2252 100644
> --- a/dix/eventconvert.c
> +++ b/dix/eventconvert.c
> @@ -379,6 +379,8 @@ appendKeyInfo(DeviceChangedEvent *dce, xXIKeyInfo* info)
>      uint32_t *kc;
>      int i;
>  
> +    if (dce->keys.max_keycode - dce->keys.min_keycode > USHRT_MAX - sizeof(*info)/4 - 1)
> +        return 0;
>      info->type = XIKeyClass;
>      info->num_keycodes = dce->keys.max_keycode - dce->keys.min_keycode + 1;
>      info->length = sizeof(xXIKeyInfo)/4 + info->num_keycodes;
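
Review bot: The added guard in appendKeyInfo() returns 0 with no comment or log message, and nothing in this hunk shows that callers treat a zero return as "class not written" rather than advancing by zero and carrying on; please confirm the caller handles it and add a one-line comment saying the bound exists so that info->length (sizeof(xXIKeyInfo)/4 + num_keycodes) stays within USHRT_MAX. Two smaller points on the same line: sizeof makes the right-hand side a size_t, so the keycode difference is compared as unsigned and a max_keycode below min_keycode also takes the return 0 path, which is probably what you want but should be stated; and the check uses sizeof(*info) while the length computation below uses sizeof(xXIKeyInfo), so pick one spelling. A blank line between the declarations and the new check would also match the surrounding style.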

this should be caught during device initialization instead and prevent
devices from ever going above this range. 

note that the current initialisation process still uses the old XKB setups.
no device can have more than 255 keycodes anyway, hence this test is merely
a theoretical case.

Cheers,
  Peter

