[PATCH v2] Fix overflow on XmbLookupString buffer

Alan Coopersmith alan.coopersmith at oracle.com
Sun Jul 17 16:08:27 UTC 2022


We use gitlab merge requests instead of email for patches now, so I've
converted this to one after getting pinged on IRC:
https://gitlab.freedesktop.org/xorg/app/xev/-/merge_requests/7

(Even when we used email, we needed people to tell us which of the 200+
  Xorg repos a patch was for to be able to keep track of them.)

         -Alan Coopersmith-                 alan.coopersmith at oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

On 6/29/22 03:08, Ismael Luceno wrote:
> From: Mikael Magnusson <mikachu at gmail.com>
> 
> The returned nmbbytes value is the length we need the buffer to be, but
> the current size is only bsize. We can't store a NUL at buf[nmbbytes]
> before the realloc, so only do this when the buffer is sized properly.
> 
> Signed-off-by: Mikael Magnusson <mikachu at gmail.com>
> [ismael at iodev.co.uk: Moved string termination out of the loop]
> Signed-off-by: Ismael Luceno <ismael at iodev.co.uk>
> ---
>   xev.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/xev.c b/xev.c
> index de4e6e879e73..5b352df0cd0a 100644
> --- a/xev.c
> +++ b/xev.c
> @@ -178,13 +178,13 @@ do_KeyPress(XEvent *eventp)
>       if (e->type == KeyPress && xic) {
>           do {
>               nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
> -            buf[nmbbytes] = '\0';
>   
>               if (status == XBufferOverflow) {
>                   bsize = nmbbytes + 1;
>                   buf = realloc(buf, bsize);
>               }
>           } while (status == XBufferOverflow);
> +        buf[nmbbytes] = '\0';
>       }
>   
>       if (ks == NoSymbol)
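
Review bot: The `buf = realloc(buf, bsize);` line in the XBufferOverflow branch still assigns the result straight back to `buf` without checking it, so on allocation failure the retry of XmbLookupString and the relocated `buf[nmbbytes] = '\0';` after the loop both work on a NULL pointer, and the original allocation is lost. Suggest assigning to a temporary pointer, handling the NULL case before the loop retries, and only then updating `buf` and `bsize`. The moved terminator itself looks in bounds: the loop exits only when status is not XBufferOverflow, and the call is made with `bsize - 1`, which leaves room for the NUL. A short comment at the new line saying it depends on that exit condition would help keep it from being moved back into the loop later.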


