[PATCH] Fix overflow on XmbLookupString buffer
Ismael Luceno
ismael at iodev.co.uk
Mon Jun 27 18:02:11 UTC 2022
On 27/Jun/2022 05:21, Mikael Magnusson wrote:
> The returned nmbbytes value is the length we need the buffer to be, but
> the current size is only bsize. We can't store a NUL at buf[nmbbytes]
> before the realloc, so only do this when the buffer is sized properly.
>
> Signed-off-by: Mikael Magnusson <mikachu at gmail.com>
> ---
> xev.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/xev.c b/xev.c
> index de4e6e879e..b9b15d242d 100644
> --- a/xev.c
> +++ b/xev.c
> @@ -178,12 +178,12 @@ do_KeyPress(XEvent *eventp)
> if (e->type == KeyPress && xic) {
> do {
> nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
> - buf[nmbbytes] = '\0';
>
> if (status == XBufferOverflow) {
> bsize = nmbbytes + 1;
> buf = realloc(buf, bsize);
> - }
> + } else
> + buf[nmbbytes] = '\0';
It should be moved out of the loop.
> } while (status == XBufferOverflow);
> }
>
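Review bot: In the XBufferOverflow branch, "buf = realloc(buf, bsize);" assigns the result straight to buf with no NULL check, so a failed allocation loses the old buffer and the next loop iteration passes a NULL buf to XmbLookupString. Assign the result to a temporary pointer, handle NULL, and only then update buf. On style, the new "} else" pairs a braced if with an unbraced else; either brace both arms or, since the loop only exits once status is no longer XBufferOverflow, write the terminator once after the "while".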
> --
> 2.36.1
>
>
> --
> Mikael Magnusson
--
Ismael Luceno
http://iodev.co.uk/