Hello community,

here is the log from the commit of package xwayland for openSUSE:Factory checked in at 2026-04-15 16:03:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xwayland (Old)
 and /work/SRC/openSUSE:Factory/.xwayland.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xwayland" Wed Apr 15 16:03:55 2026 rev:48 rq:1346892 version:24.1.9 Changes: -------- --- /work/SRC/openSUSE:Factory/xwayland/xwayland.changes 2026-01-21 14:13:33.425335977 +0100 +++ /work/SRC/openSUSE:Factory/.xwayland.new.21863/xwayland.changes 2026-04-15 16:05:19.368854318 +0200 
@@ -1,0 +2,21 @@ +Thu Apr 9 09:47:54 UTC 2026 - Stefan Dirsch <[email protected]> + +- updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch + * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) + +------------------------------------------------------------------- +Sat Mar 28 15:03:53 UTC 2026 - Stefan Dirsch <[email protected]> + +- bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch + * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999) +- bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch + * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000) +- bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch + * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001) +- bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch + bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch + * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) +- bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch + * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003) + +------------------------------------------------------------------- New: ---- bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch ----------(New B)---------- New: - bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999) 
New: * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999) - bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000) New: * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000) - bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001) New: * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001) - bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch New: - updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) New: * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002) - bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xwayland.spec ++++++ --- /var/tmp/diff_new_pack.9odaqc/_old 2026-04-15 16:05:20.244890332 +0200 +++ /var/tmp/diff_new_pack.9odaqc/_new 2026-04-15 16:05:20.244890332 +0200 
@@ -38,6 +38,13 @@ Source2: xwayland.keyring Patch3: U_xwayland_Dont_run_key_behaviors_and_actions.patch +Patch1260922: bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch +Patch1260923: bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch +Patch1260924: bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch +Patch1260925: bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch +Patch1260926: bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch +Patch1260927: bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch + BuildRequires: meson BuildRequires: ninja BuildRequires: pkgconfig ++++++ bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch ++++++ @@ -, +, @@ --- xkb/xkb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/xkb/xkb.c +++ a/xkb/xkb.c 
@@ -3008,7 +3008,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, return BadAlloc; } } - else if (req->truncateSI) { + else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { compat->num_si = req->firstSI + req->nSI; } sym = &compat->sym_interpret[req->firstSI]; -- ++++++ bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch ++++++ @@ -, +, @@ == Conditional jump or move depends on uninitialised value(s) == at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585) == by 0x5AC7D5: _CheckSetGeom (xkb.c:5607) == by 0x5AC952: _XkbSetGeometry (xkb.c:5643) == by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684) == by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070) == by 0x4A28C5: Dispatch (dispatch.c:553) == by 0x4B0B24: dix_main (main.c:274) == by 0x42915E: main (stubmain.c:34) == Uninitialised value was created by a heap allocation == at 0x4840B26: malloc (vg_replace_malloc.c:447) == by 0x5E13B0: AllocateInputBuffer (io.c:981) == by 0x5E05CD: InsertFakeRequest (io.c:516) == by 0x4AA860: NextAvailableClient (dispatch.c:3629) == by 0x5DE0D7: AllocNewConnection (connection.c:628) == by 0x5DE2C6: EstablishNewConnections (connection.c:692) == by 0x5DE600: HandleNotifyFd (connection.c:809) == by 0x5E2598: ospoll_wait (ospoll.c:660) == by 0x5DA00C: WaitForSomething (WaitFor.c:208) == by 0x4A26E5: Dispatch (dispatch.c:493) == by 0x4B0B24: dix_main (main.c:274) == by 0x42915E: main (stubmain.c:34) --- xkb/xkb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/xkb/xkb.c +++ a/xkb/xkb.c 
@@ -5613,7 +5613,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) } for (i = 0; i < req->nKeyAliases; i++) { - if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) + if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength)) return BadLength; if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) -- ++++++ bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch ++++++ @@ -, +, @@ miSyncTriggerFence() == Invalid read of size 8 == at 0x568C14: miSyncTriggerFence (misync.c:140) == by 0x540688: ProcSyncTriggerFence (sync.c:1957) == by 0x540CCC: ProcSyncDispatch (sync.c:2152) == by 0x4A28C5: Dispatch (dispatch.c:553) == by 0x4B0B24: dix_main (main.c:274) == by 0x42915E: main (stubmain.c:34) == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd == at 0x4843E43: free (vg_replace_malloc.c:990) == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169) == by 0x53F14D: FreeAwait (sync.c:1208) == by 0x4DFB06: doFreeResource (resource.c:888) == by 0x4DFC59: FreeResource (resource.c:918) == by 0x53E349: SyncAwaitTriggerFired (sync.c:701) == by 0x568C52: miSyncTriggerFence (misync.c:142) == by 0x540688: ProcSyncTriggerFence (sync.c:1957) == by 0x540CCC: ProcSyncDispatch (sync.c:2152) == by 0x4A28C5: Dispatch (dispatch.c:553) == by 0x4B0B24: dix_main (main.c:274) == by 0x42915E: main (stubmain.c:34) == Block was alloc'd at == at 0x4840B26: malloc (vg_replace_malloc.c:447) == by 0x5E50E1: XNFalloc (utils.c:1129) == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206) == by 0x53DCA8: SyncInitTrigger (sync.c:414) == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089) == by 0x540D04: ProcSyncDispatch (sync.c:2160) == by 0x4A28C5: Dispatch (dispatch.c:553) == by 0x4B0B24: dix_main (main.c:274) == by 0x42915E: main (stubmain.c:34) --- miext/sync/misync.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) 
--- a/miext/sync/misync.c +++ a/miext/sync/misync.c @@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence) void miSyncTriggerFence(SyncFence * pFence) { - SyncTriggerList *ptl, *pNext; + SyncTriggerList *ptl; + Bool triggered; pFence->funcs.SetTriggered(pFence); /* run through triggers to see if any fired */ - for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) { - pNext = ptl->next; - if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) - (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); - } + do { + triggered = FALSE; + for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) { + if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) { + (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); + triggered = TRUE; + break; + } + } + } while (triggered); } SyncScreenFuncsPtr -- ++++++ bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch ++++++ @@ -, +, @@ == Conditional jump or move depends on uninitialised value(s) == at 0x547E5B: CheckModifierMap (xkb.c:1972) == by 0x54A086: _XkbSetMapChecks (xkb.c:2574) == by 0x54A845: ProcXkbSetMap (xkb.c:2741) == by 0x556EF4: ProcXkbDispatch (xkb.c:7048) == by 0x454A8C: Dispatch (dispatch.c:553) == by 0x462CEB: dix_main (main.c:274) == by 0x405EA7: main (stubmain.c:34) == Uninitialised value was created by a heap allocation == at 0x4840B26: malloc (vg_replace_malloc.c:447) == by 0x592D5A: AllocateInputBuffer (io.c:981) == by 0x591F77: InsertFakeRequest (io.c:516) == by 0x45CA27: NextAvailableClient (dispatch.c:3629) == by 0x58FA81: AllocNewConnection (connection.c:628) == by 0x58FC70: EstablishNewConnections (connection.c:692) == by 0x58FFAA: HandleNotifyFd (connection.c:809) == by 0x593F42: ospoll_wait (ospoll.c:660) == by 0x58B9B6: WaitForSomething (WaitFor.c:208) == by 0x4548AC: Dispatch (dispatch.c:493) == by 0x462CEB: dix_main (main.c:274) == by 0x405EA7: main (stubmain.c:34) --- xkb/xkb.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/xkb/xkb.c +++ a/xkb/xkb.c 
@@ -1944,8 +1944,8 @@ CheckKeyExplicit(XkbDescPtr xkb, } static int -CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, - int *errRtrn) +CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, + CARD8 **wireRtrn, int *errRtrn) { register CARD8 *wire = *wireRtrn; CARD8 *start; @@ -1969,6 +1969,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, } start = wire; for (i = 0; i < req->totalModMapKeys; i++, wire += 2) { + if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { + *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i); + return 0; + } if ((wire[0] < first) || (wire[0] > last)) { *errRtrn = _XkbErrCode4(0x63, first, last, wire[0]); return 0; @@ -2571,7 +2575,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, return BadValue; } if ((req->present & XkbModifierMapMask) && - (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) { + (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) { client->errorValue = error; return BadValue; } -- ++++++ bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch ++++++ @@ -, +, @@ * CheckKeySyms() * CheckKeyActions() * CheckKeyBehaviors() * CheckVirtualMods() * CheckKeyExplicit() * CheckVirtualModMap() * _XkbSetMapChecks() --- xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 55 insertions(+), 14 deletions(-) --- a/xkb/xkb.c +++ a/xkb/xkb.c @@ -1756,6 +1756,11 @@ CheckKeySyms(ClientPtr client, KeySym *pSyms; register unsigned nG; + /* Check we received enough data to read the next xkbSymMapWireDesc */ + if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { + *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i); + return 0; + } if (client->swapped && doswap) { swaps(&wire->nSyms); } 
@@ -1794,6 +1799,12 @@ CheckKeySyms(ClientPtr client, return 0; } pSyms = (KeySym *) &wire[1]; + if (wire->nSyms != 0) { + if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) { + *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms); + return 0; + } + } wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms]; } @@ -1817,11 +1828,12 @@ CheckKeySyms(ClientPtr client, } static int -CheckKeyActions(XkbDescPtr xkb, - xkbSetMapReq * req, - int nTypes, - CARD8 *mapWidths, - CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) +CheckKeyActions(ClientPtr client, + XkbDescPtr xkb, + xkbSetMapReq * req, + int nTypes, + CARD8 *mapWidths, + CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) { int nActs; CARD8 *wire = *wireRtrn; @@ -1832,6 +1844,11 @@ CheckKeyActions(XkbDescPtr xkb, CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn), 0); for (nActs = i = 0; i < req->nKeyActs; i++) { + /* Check we received enough data to read the next byte on the wire */ + if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { + *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i); + return 0; + } if (wire[0] != 0) { if (wire[0] == symsPerKey[i + req->firstKeyAct]) nActs += wire[0]; @@ -1850,7 +1867,8 @@ CheckKeyActions(XkbDescPtr xkb, } static int -CheckKeyBehaviors(XkbDescPtr xkb, +CheckKeyBehaviors(ClientPtr client, + XkbDescPtr xkb, xkbSetMapReq * req, xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn) { @@ -1876,6 +1894,11 @@ CheckKeyBehaviors(XkbDescPtr xkb, } for (i = 0; i < req->totalKeyBehaviors; i++, wire++) { + /* Check we received enough data to read the next behavior */ + if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { + *errorRtrn = _XkbErrCode3(0x36, first, i); + return 0; + } if ((wire->key < first) || (wire->key > last)) { *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key); return 0; 
@@ -1901,7 +1924,8 @@ CheckKeyBehaviors(XkbDescPtr xkb, } static int -CheckVirtualMods(XkbDescRec * xkb, +CheckVirtualMods(ClientPtr client, + XkbDescRec * xkb, xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) { register CARD8 *wire = *wireRtrn; @@ -1913,12 +1937,18 @@ CheckVirtualMods(XkbDescRec * xkb, if (req->virtualMods & bit) nMods++; } + /* Check we received enough data for the number of virtual mods expected */ + if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) { + *errorRtrn = _XkbErrCode3(0x37, nMods, i); + return 0; + } *wireRtrn = (wire + XkbPaddedSize(nMods)); return 1; } static int -CheckKeyExplicit(XkbDescPtr xkb, +CheckKeyExplicit(ClientPtr client, + XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) { register CARD8 *wire = *wireRtrn; @@ -1944,6 +1974,11 @@ CheckKeyExplicit(XkbDescPtr xkb, } start = wire; for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) { + /* Check we received enough data to read the next two bytes */ + if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { + *errorRtrn = _XkbErrCode4(0x54, first, last, i); + return 0; + } if ((wire[0] < first) || (wire[0] > last)) { *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]); return 0; @@ -1999,7 +2034,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, } static int -CheckVirtualModMap(XkbDescPtr xkb, +CheckVirtualModMap(ClientPtr client, + XkbDescPtr xkb, xkbSetMapReq * req, xkbVModMapWireDesc ** wireRtrn, int *errRtrn) { @@ -2023,6 +2059,11 @@ CheckVirtualModMap(XkbDescPtr xkb, return 0; } for (i = 0; i < req->totalVModMapKeys; i++, wire++) { + /* Check we received enough data to read the next virtual mod map key */ + if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { + *errRtrn = _XkbErrCode3(0x74, first, i); + return 0; + } if ((wire->key < first) || (wire->key > last)) { *errRtrn = _XkbErrCode4(0x73, first, last, wire->key); return 0; 
@@ -2566,7 +2607,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, } if ((req->present & XkbKeyActionsMask) && - (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey, + (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey, (CARD8 **) &values, &nActions))) { client->errorValue = nActions; return BadValue; @@ -2574,18 +2615,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, if ((req->present & XkbKeyBehaviorsMask) && (!CheckKeyBehaviors - (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { + (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { client->errorValue = error; return BadValue; } if ((req->present & XkbVirtualModsMask) && - (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) { + (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) { client->errorValue = error; return BadValue; } if ((req->present & XkbExplicitComponentsMask) && - (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) { + (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) { client->errorValue = error; return BadValue; } 
@@ -2596,7 +2637,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, } if ((req->present & XkbVirtualModMapMask) && (!CheckVirtualModMap - (xkb, req, (xkbVModMapWireDesc **) &values, &error))) { + (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) { client->errorValue = error; return BadValue; } -- ++++++ bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch ++++++ @@ -, +, @@ CheckKeyTypes() == Invalid read of size 2 == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) == by 0x4A20DF: Dispatch (dispatch.c:551) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == Address is 30 bytes after a block of size 28,672 in arena "client" == == Invalid read of size 2 == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) == by 0x4A20DF: Dispatch (dispatch.c:551) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == Address is 2 bytes after a block of size 28,672 alloc'd == at 0x4848897: realloc (vg_replace_malloc.c:1804) == by 0x5E357A: ReadRequestFromClient (io.c:336) == by 0x4A1FAB: Dispatch (dispatch.c:519) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == == Invalid write of size 2 == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) == by 0x4A20DF: Dispatch (dispatch.c:551) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == Address is 2 bytes after a block of size 28,672 alloc'd == at 
0x4848897: realloc (vg_replace_malloc.c:1804) == by 0x5E357A: ReadRequestFromClient (io.c:336) == by 0x4A1FAB: Dispatch (dispatch.c:519) == by 0x4B03B4: dix_main (main.c:277) == by 0x428941: main (stubmain.c:34) == --- xkb/xkb.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) --- a/xkb/xkb.c +++ a/xkb/xkb.c @@ -1643,6 +1643,10 @@ CheckKeyTypes(ClientPtr client, for (i = 0; i < req->nTypes; i++) { unsigned width; + if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { + *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i); + return 0; + } if (client->swapped && doswap) { swaps(&wire->virtualMods); } @@ -1668,7 +1672,18 @@ CheckKeyTypes(ClientPtr client, xkbModsWireDesc *preWire; mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1]; + if (!_XkbCheckRequestBounds(client, req, mapWire, + &mapWire[wire->nMapEntries])) { + *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries); + return 0; + } preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries]; + if (wire->preserve && + !_XkbCheckRequestBounds(client, req, preWire, + &preWire[wire->nMapEntries])) { + *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries); + return 0; + } for (n = 0; n < wire->nMapEntries; n++) { if (client->swapped && doswap) { swaps(&mapWire[n].virtualMods); --
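Review bot: in xwayland.changes, the Apr 9 entry only says "updated bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch" and repeats the CVE line already listed under Mar 28, so the log does not record what changed in the patch between the two dates. Add one line giving the reason for the refresh so the second entry can be told apart from the first.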
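Review bot: in xwayland.spec, the Patch tags track the bug number for 1260922 through 1260925 and then drift: Patch1260926 carries the second bsc1260925 patch and Patch1260927 carries the bsc1260926 patch, while no bug 1260927 appears in the changelog. Anyone mapping a tag back to a bug will land on the wrong one; number the tags independently of the bug ids, or add a comment above these two tags explaining the offset.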
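Review bot: in xkb/xkb.c _XkbSetCompatMap(), the widened else-if now raises compat->num_si whenever req->firstSI + req->nSI exceeds it, and nothing in the visible context shows what guarantees that the new count still fits the sym_interpret array indexed on the following line. The patch also arrives with an empty description. Please add a comment (or restore the commit message) naming the preceding branch that handles a range larger than the allocation, and saying why growing num_si here addresses the underflow named in the changelog.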
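Review bot: in xkb/xkb.c _CheckSetGeom(), the factor in "wire + 2 * XkbKeyNameLength" is a bare constant whose meaning only follows from the call below it, which reads both wire and &wire[XkbKeyNameLength]. A one-line comment that each alias entry on the wire is two key names back to back would keep the bounds check and the XkbAddGeomKeyAlias() arguments from drifting apart again.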
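Review bot: in miext/sync/misync.c miSyncTriggerFence(), the new do/while restarts from pFence->sync.pTriglist after every TriggerFired call, so it terminates only if a fired trigger is removed from the list or stops passing CheckTrigger. The Valgrind trace shows that this holds for await triggers (SyncAwaitTriggerFired frees them through FreeResource), but nothing in the hunk enforces it for other trigger types, and one that stays on the list and still passes would spin forever. Add a comment stating that invariant, or track entries that have already fired so the scan cannot revisit them.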
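Review bot: in xkb/xkb.c CheckVirtualMods() (patch 0002), the new check passes "wire + XkbPaddedSize(nMods)" with no guard for nMods == 0, whereas the CheckKeySyms() hunk in the same patch wraps its range check in "if (wire->nSyms != 0)". If _XkbCheckRequestBounds() rejects an empty range, which that guard suggests, a request with XkbVirtualModsMask set and no virtual modifier bits would now fail with BadValue; apply the same guard here or document why the empty case cannot occur. Separately, the third field of _XkbErrCode3(0x37, nMods, i) is whatever the preceding loop left in i, so it carries no information about the request.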
