[PATCH] Fix overflow on XmbLookupString buffer

Mikael Magnusson mikachu at gmail.com
Mon Jun 27 03:21:57 UTC 2022


The returned nmbbytes value is the length we need the buffer to be, but
the current size is only bsize. We can't store a NUL at buf[nmbbytes]
before the realloc, so only do this when the buffer is sized properly.

Signed-off-by: Mikael Magnusson <mikachu at gmail.com>
---
 xev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xev.c b/xev.c
index de4e6e879e..b9b15d242d 100644
--- a/xev.c
+++ b/xev.c
@@ -178,12 +178,12 @@ do_KeyPress(XEvent *eventp)
     if (e->type == KeyPress && xic) {
         do {
             nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
-            buf[nmbbytes] = '\0';

             if (status == XBufferOverflow) {
                 bsize = nmbbytes + 1;
                 buf = realloc(buf, bsize);
-            }
+            } else
+                buf[nmbbytes] = '\0';
         } while (status == XBufferOverflow);
     }

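Review bot: the `buf = realloc(buf, bsize);` context line in this loop still assigns the result straight back to `buf` without a check, so on allocation failure the old buffer is leaked and the next iteration calls `XmbLookupString(xic, e, buf, bsize - 1, ...)` with a NULL buffer and a non-zero length. Since this patch is already fixing memory safety in this loop, consider storing the result in a temporary, bailing out if it is NULL, and only then updating `buf` and `bsize`. The moved store itself looks right: in the non-overflow branch the lookup was given `bsize - 1` bytes, so `buf[nmbbytes]` stays inside the allocation. Minor style point: `} else` followed by an unbraced `buf[nmbbytes] = '\0';` mixes braced and unbraced arms of the same `if`; bracing the else arm would read more consistently.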
-- 
2.36.1


-- 
Mikael Magnusson

