[PATCH v2] Fix overflow on XmbLookupString buffer
Alan Coopersmith
alan.coopersmith at oracle.com
Sun Jul 17 16:08:27 UTC 2022
We use gitlab merge requests instead of email for patches now, so I've
converted this to one after getting pinged on IRC:
https://gitlab.freedesktop.org/xorg/app/xev/-/merge_requests/7
(Even when we used email, we needed people to tell us which of the 200+
Xorg repos a patch was for to be able to keep track of them.)
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
On 6/29/22 03:08, Ismael Luceno wrote:
> From: Mikael Magnusson <mikachu at gmail.com>
>
> The returned nmbbytes value is the length we need the buffer to be, but
> the current size is only bsize. We can't store a NUL at buf[nmbbytes]
> before the realloc, so only do this when the buffer is sized properly.
>
> Signed-off-by: Mikael Magnusson <mikachu at gmail.com>
> [ismael at iodev.co.uk: Moved string termination out of the loop]
> Signed-off-by: Ismael Luceno <ismael at iodev.co.uk>
> ---
> xev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/xev.c b/xev.c
> index de4e6e879e73..5b352df0cd0a 100644
> --- a/xev.c
> +++ b/xev.c
> @@ -178,13 +178,13 @@ do_KeyPress(XEvent *eventp)
> if (e->type == KeyPress && xic) {
> do {
> nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
> - buf[nmbbytes] = '\0';
>
> if (status == XBufferOverflow) {
> bsize = nmbbytes + 1;
> buf = realloc(buf, bsize);
> }
> } while (status == XBufferOverflow);
> + buf[nmbbytes] = '\0';
> }
>
> if (ks == NoSymbol)
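
Review bot: the `buf = realloc(buf, bsize);` line in the `XBufferOverflow` branch still assigns the result straight back to `buf` with no NULL check, and with the terminator now placed after the loop that matters more. On allocation failure the old buffer is leaked, `status` is still `XBufferOverflow`, so the loop calls `XmbLookupString` again with a NULL `buf`. Suggest assigning to a temporary pointer, leaving the loop (or exiting) when it is NULL, and only then updating `buf` and `bsize`. The relocated `buf[nmbbytes] = '\0';` is in bounds only because the call passes `bsize - 1` as the length, so a one-line comment stating that invariant next to it would help the next reader.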