[PATCH v2] Fix overflow on XmbLookupString buffer
Ismael Luceno
ismael at iodev.co.uk
Wed Jun 29 10:08:43 UTC 2022
From: Mikael Magnusson <mikachu at gmail.com>
The returned nmbbytes value is the length we need the buffer to be, but
the current size is only bsize. We can't store a NUL at buf[nmbbytes]
before the realloc, so only do this when the buffer is sized properly.
Signed-off-by: Mikael Magnusson <mikachu at gmail.com>
[ismael at iodev.co.uk: Moved string termination out of the loop]
Signed-off-by: Ismael Luceno <ismael at iodev.co.uk>
---
xev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xev.c b/xev.c
index de4e6e879e73..5b352df0cd0a 100644
--- a/xev.c
+++ b/xev.c
@@ -178,13 +178,13 @@ do_KeyPress(XEvent *eventp)
if (e->type == KeyPress && xic) {
do {
nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
- buf[nmbbytes] = '\0';
if (status == XBufferOverflow) {
bsize = nmbbytes + 1;
buf = realloc(buf, bsize);
}
} while (status == XBufferOverflow);
+ buf[nmbbytes] = '\0';
}
if (ks == NoSymbol)
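Review bot: the result of realloc in the XBufferOverflow branch is assigned straight back to buf without a NULL check, so if the allocation fails the retry call to XmbLookupString and the relocated buf[nmbbytes] = '\0' after the loop both write through a NULL pointer, and the original buffer is leaked. Consider assigning to a temporary, checking it, and only then updating buf and bsize, leaving the loop on failure. The relocated termination itself looks in bounds on the success path: the call passes bsize - 1 and the retry sets bsize = nmbbytes + 1, so index nmbbytes fits once status is no longer XBufferOverflow.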
--
2.36.0