[PATCH v2 2/7] xkb: Fix possible NULL pointer dereference

Wed Jul 28 18:22:16 PDT 2010

On Wed, Jul 28, 2010 at 10:47:02PM +0300, Pauli Nieminen wrote:
> changes is deferenced unconditionaly later on in function. Because
> XkbUpdateKeyTypesFromCore is exported function paramters should be
                                                 ^ typo

> checked for driver errors.
> 
> Fixes:
> Variable "changes" tracked as NULL was dereferenced.
> 
> Signed-off-by: Pauli Nieminen <ext-pauli.nieminen at nokia.com>
> ---
> 
> Added NULL check for changes because it deferenced unconditionaly in
> function that can be called by drivers.
> 
>  xkb/xkbUtils.c |   11 +++++++----
>  1 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
> index 14dc784..bf0affb 100644
> --- a/xkb/xkbUtils.c
> +++ b/xkb/xkbUtils.c
> @@ -223,16 +223,19 @@ XkbDescPtr		xkb;
>  unsigned		key,nG,explicit;
>  int			types[XkbNumKbdGroups];
>  KeySym			tsyms[XkbMaxSymsPerKey],*syms;
> -XkbMapChangesPtr	mc;
> +
> +    if (!changes) {
> +	LogMessage(X_ERROR, "XKB: XkbUpdateKeyTypesFromCore without changes\n");
> +	return;
> +    }
>  
>      xkb= pXDev->key->xkbInfo->desc;
> +

unnecessary whitespace change.

>      if (first+num-1>xkb->max_key_code) {
>  	/* 1/12/95 (ef) -- XXX! should allow XKB structures to grow */
>  	num= xkb->max_key_code-first+1;
>      }
>  
> -    mc= (changes?(&changes->map):NULL);
> -
>      syms= &pCore->map[(first - pCore->minKeyCode) * pCore->mapWidth];
>      for (key=first; key<(first+num); key++,syms+= pCore->mapWidth) {
>          explicit= xkb->server->explicit[key]&XkbExplicitKeyTypesMask;
> @@ -242,7 +245,7 @@ XkbMapChangesPtr	mc;
>          types[XkbGroup4Index]= XkbKeyKeyTypeIndex(xkb,key,XkbGroup4Index);
>          nG= XkbKeyTypesForCoreSymbols(xkb,pCore->mapWidth,syms,explicit,types,
>  									tsyms);
> -	XkbChangeTypesOfKey(xkb,key,nG,XkbAllGroupsMask,types,mc);
> +	XkbChangeTypesOfKey(xkb,key,nG,XkbAllGroupsMask,types,&changes->map);
>  	memcpy((char *)XkbKeySymsPtr(xkb,key),(char *)tsyms,
>  					XkbKeyNumSyms(xkb,key)*sizeof(KeySym));
>      }
> -- 
> 1.6.3.3

Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net> with the typo fixed
and whitespace change removed.

Cheers,
  Peter