Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package xorg-x11-server for openSUSE:Factory
checked in at 2026-04-15 16:03:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
and /work/SRC/openSUSE:Factory/.xorg-x11-server.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server"
Wed Apr 15 16:03:51 2026 rev:449 rq:1346890 version:21.1.21
Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes
2026-03-09 16:15:01.109966019 +0100
+++
/work/SRC/openSUSE:Factory/.xorg-x11-server.new.21863/xorg-x11-server.changes
2026-04-15 16:05:17.016757622 +0200
@@ -1,0 +2,21 @@
+Thu Apr 9 10:52:22 UTC 2026 - Stefan Dirsch <[email protected]>
+
+- updated
bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
+ * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
+
+-------------------------------------------------------------------
+Sat Mar 28 14:00:01 UTC 2026 - Stefan Dirsch <[email protected]>
+
+- bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
+ * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999)
+- bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
+ * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000)
+-
bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
+ * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001)
+-
bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
+ bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
+ * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
+-
bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
+ * XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003)
+
+-------------------------------------------------------------------
New:
----
bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
----------(New B)----------
New:
- bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
* XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922, CVE-2026-33999)
New: * XKB Integer Underflow in XkbSetCompatMap() (bsc#1260922,
CVE-2026-33999)
- bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
* XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000)
New: * XKB Out-of-bounds Read in CheckSetGeom() (bsc#1260923, CVE-2026-34000)
-
bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
* XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924, CVE-2026-34001)
New: * XSYNC Use-after-free in miSyncTriggerFence() (bsc#1260924,
CVE-2026-34001)
-
bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
New:
- updated
bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
* XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925, CVE-2026-34002)
New: * XKB Out-of-bounds read in CheckModifierMap() (bsc#1260925,
CVE-2026-34002)
-
bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
* XKB Buffer overflow in CheckKeyTypes() (bsc#1260926, CVE-2026-34003)
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.2yDnxH/_old 2026-04-15 16:05:18.692826526 +0200
+++ /var/tmp/diff_new_pack.2yDnxH/_new 2026-04-15 16:05:18.696826691 +0200
@@ -242,6 +242,13 @@
Patch1218176: u_miCloseScreen_check_for_null_pScreen_dev_private.patch
+Patch1260922:
bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
+Patch1260923:
bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
+Patch1260924:
bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
+Patch1260925:
bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
+Patch1260926:
bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
+Patch1260927:
bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
+
%description
This package contains the X.Org Server.
@@ -395,6 +402,13 @@
%patch -P 1218176 -p1
+%patch -P 1260922 -p1
+%patch -P 1260923 -p1
+%patch -P 1260924 -p1
+%patch -P 1260925 -p1
+%patch -P 1260926 -p1
+%patch -P 1260927 -p1
+
%build
# We have some -z now related errors during X default startup (boo#1197994):
# - when loading modesetting: gbm_bo_get_plane_count
++++++
bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch ++++++
@@ -, +, @@
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/xkb/xkb.c
+++ a/xkb/xkb.c
@@ -3008,7 +3008,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
return BadAlloc;
}
}
- else if (req->truncateSI) {
+ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
compat->num_si = req->firstSI + req->nSI;
}
sym = &compat->sym_interpret[req->firstSI];
--
++++++ bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
++++++
@@ -, +, @@
== Conditional jump or move depends on uninitialised value(s)
== at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585)
== by 0x5AC7D5: _CheckSetGeom (xkb.c:5607)
== by 0x5AC952: _XkbSetGeometry (xkb.c:5643)
== by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684)
== by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Uninitialised value was created by a heap allocation
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E13B0: AllocateInputBuffer (io.c:981)
== by 0x5E05CD: InsertFakeRequest (io.c:516)
== by 0x4AA860: NextAvailableClient (dispatch.c:3629)
== by 0x5DE0D7: AllocNewConnection (connection.c:628)
== by 0x5DE2C6: EstablishNewConnections (connection.c:692)
== by 0x5DE600: HandleNotifyFd (connection.c:809)
== by 0x5E2598: ospoll_wait (ospoll.c:660)
== by 0x5DA00C: WaitForSomething (WaitFor.c:208)
== by 0x4A26E5: Dispatch (dispatch.c:493)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/xkb/xkb.c
+++ a/xkb/xkb.c
@@ -5613,7 +5613,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq *
req, ClientPtr client)
}
for (i = 0; i < req->nKeyAliases; i++) {
- if (!_XkbCheckRequestBounds(client, req, wire, wire +
XkbKeyNameLength))
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 *
XkbKeyNameLength))
return BadLength;
if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
--
++++++
bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
++++++
@@ -, +, @@
miSyncTriggerFence()
== Invalid read of size 8
== at 0x568C14: miSyncTriggerFence (misync.c:140)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
== at 0x4843E43: free (vg_replace_malloc.c:990)
== by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
== by 0x53F14D: FreeAwait (sync.c:1208)
== by 0x4DFB06: doFreeResource (resource.c:888)
== by 0x4DFC59: FreeResource (resource.c:918)
== by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
== by 0x568C52: miSyncTriggerFence (misync.c:142)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Block was alloc'd at
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E50E1: XNFalloc (utils.c:1129)
== by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
== by 0x53DCA8: SyncInitTrigger (sync.c:414)
== by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
== by 0x540D04: ProcSyncDispatch (sync.c:2160)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
---
miext/sync/misync.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/miext/sync/misync.c
+++ a/miext/sync/misync.c
@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence)
void
miSyncTriggerFence(SyncFence * pFence)
{
- SyncTriggerList *ptl, *pNext;
+ SyncTriggerList *ptl;
+ Bool triggered;
pFence->funcs.SetTriggered(pFence);
/* run through triggers to see if any fired */
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
- pNext = ptl->next;
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0))
- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
- }
+ do {
+ triggered = FALSE;
+ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) {
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) {
+ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+ triggered = TRUE;
+ break;
+ }
+ }
+ } while (triggered);
}
SyncScreenFuncsPtr
--
++++++
bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
++++++
@@ -, +, @@
== Conditional jump or move depends on uninitialised value(s)
== at 0x547E5B: CheckModifierMap (xkb.c:1972)
== by 0x54A086: _XkbSetMapChecks (xkb.c:2574)
== by 0x54A845: ProcXkbSetMap (xkb.c:2741)
== by 0x556EF4: ProcXkbDispatch (xkb.c:7048)
== by 0x454A8C: Dispatch (dispatch.c:553)
== by 0x462CEB: dix_main (main.c:274)
== by 0x405EA7: main (stubmain.c:34)
== Uninitialised value was created by a heap allocation
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x592D5A: AllocateInputBuffer (io.c:981)
== by 0x591F77: InsertFakeRequest (io.c:516)
== by 0x45CA27: NextAvailableClient (dispatch.c:3629)
== by 0x58FA81: AllocNewConnection (connection.c:628)
== by 0x58FC70: EstablishNewConnections (connection.c:692)
== by 0x58FFAA: HandleNotifyFd (connection.c:809)
== by 0x593F42: ospoll_wait (ospoll.c:660)
== by 0x58B9B6: WaitForSomething (WaitFor.c:208)
== by 0x4548AC: Dispatch (dispatch.c:493)
== by 0x462CEB: dix_main (main.c:274)
== by 0x405EA7: main (stubmain.c:34)
---
xkb/xkb.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/xkb/xkb.c
+++ a/xkb/xkb.c
@@ -1944,8 +1944,8 @@ CheckKeyExplicit(XkbDescPtr xkb,
}
static int
-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
- int *errRtrn)
+CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
+ CARD8 **wireRtrn, int *errRtrn)
{
register CARD8 *wire = *wireRtrn;
CARD8 *start;
@@ -1969,6 +1969,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req,
CARD8 **wireRtrn,
}
start = wire;
for (i = 0; i < req->totalModMapKeys; i++, wire += 2) {
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
+ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i);
+ return 0;
+ }
if ((wire[0] < first) || (wire[0] > last)) {
*errRtrn = _XkbErrCode4(0x63, first, last, wire[0]);
return 0;
@@ -2571,7 +2575,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev,
xkbSetMapReq * req,
return BadValue;
}
if ((req->present & XkbModifierMapMask) &&
- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
--
++++++ bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
++++++
@@ -, +, @@
* CheckKeySyms()
* CheckKeyActions()
* CheckKeyBehaviors()
* CheckVirtualMods()
* CheckKeyExplicit()
* CheckVirtualModMap()
* _XkbSetMapChecks()
---
xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 55 insertions(+), 14 deletions(-)
--- a/xkb/xkb.c
+++ a/xkb/xkb.c
@@ -1756,6 +1756,11 @@ CheckKeySyms(ClientPtr client,
KeySym *pSyms;
register unsigned nG;
+ /* Check we received enough data to read the next xkbSymMapWireDesc */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i);
+ return 0;
+ }
if (client->swapped && doswap) {
swaps(&wire->nSyms);
}
@@ -1794,6 +1799,12 @@ CheckKeySyms(ClientPtr client,
return 0;
}
pSyms = (KeySym *) &wire[1];
+ if (wire->nSyms != 0) {
+ if (!_XkbCheckRequestBounds(client, req, pSyms,
&pSyms[wire->nSyms])) {
+ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym,
wire->nSyms);
+ return 0;
+ }
+ }
wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms];
}
@@ -1817,11 +1828,12 @@ CheckKeySyms(ClientPtr client,
}
static int
-CheckKeyActions(XkbDescPtr xkb,
- xkbSetMapReq * req,
- int nTypes,
- CARD8 *mapWidths,
- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
+CheckKeyActions(ClientPtr client,
+ XkbDescPtr xkb,
+ xkbSetMapReq * req,
+ int nTypes,
+ CARD8 *mapWidths,
+ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
{
int nActs;
CARD8 *wire = *wireRtrn;
@@ -1832,6 +1844,11 @@ CheckKeyActions(XkbDescPtr xkb,
CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req,
(*nActsRtrn),
0);
for (nActs = i = 0; i < req->nKeyActs; i++) {
+ /* Check we received enough data to read the next byte on the wire */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i);
+ return 0;
+ }
if (wire[0] != 0) {
if (wire[0] == symsPerKey[i + req->firstKeyAct])
nActs += wire[0];
@@ -1850,7 +1867,8 @@ CheckKeyActions(XkbDescPtr xkb,
}
static int
-CheckKeyBehaviors(XkbDescPtr xkb,
+CheckKeyBehaviors(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req,
xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn)
{
@@ -1876,6 +1894,11 @@ CheckKeyBehaviors(XkbDescPtr xkb,
}
for (i = 0; i < req->totalKeyBehaviors; i++, wire++) {
+ /* Check we received enough data to read the next behavior */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errorRtrn = _XkbErrCode3(0x36, first, i);
+ return 0;
+ }
if ((wire->key < first) || (wire->key > last)) {
*errorRtrn = _XkbErrCode4(0x33, first, last, wire->key);
return 0;
@@ -1901,7 +1924,8 @@ CheckKeyBehaviors(XkbDescPtr xkb,
}
static int
-CheckVirtualMods(XkbDescRec * xkb,
+CheckVirtualMods(ClientPtr client,
+ XkbDescRec * xkb,
xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
{
register CARD8 *wire = *wireRtrn;
@@ -1913,12 +1937,18 @@ CheckVirtualMods(XkbDescRec * xkb,
if (req->virtualMods & bit)
nMods++;
}
+ /* Check we received enough data for the number of virtual mods expected */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire +
XkbPaddedSize(nMods))) {
+ *errorRtrn = _XkbErrCode3(0x37, nMods, i);
+ return 0;
+ }
*wireRtrn = (wire + XkbPaddedSize(nMods));
return 1;
}
static int
-CheckKeyExplicit(XkbDescPtr xkb,
+CheckKeyExplicit(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
{
register CARD8 *wire = *wireRtrn;
@@ -1944,6 +1974,11 @@ CheckKeyExplicit(XkbDescPtr xkb,
}
start = wire;
for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) {
+ /* Check we received enough data to read the next two bytes */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
+ *errorRtrn = _XkbErrCode4(0x54, first, last, i);
+ return 0;
+ }
if ((wire[0] < first) || (wire[0] > last)) {
*errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]);
return 0;
@@ -1999,7 +2034,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb,
xkbSetMapReq * req,
}
static int
-CheckVirtualModMap(XkbDescPtr xkb,
+CheckVirtualModMap(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req,
xkbVModMapWireDesc ** wireRtrn, int *errRtrn)
{
@@ -2023,6 +2059,11 @@ CheckVirtualModMap(XkbDescPtr xkb,
return 0;
}
for (i = 0; i < req->totalVModMapKeys; i++, wire++) {
+ /* Check we received enough data to read the next virtual mod map key
*/
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errRtrn = _XkbErrCode3(0x74, first, i);
+ return 0;
+ }
if ((wire->key < first) || (wire->key > last)) {
*errRtrn = _XkbErrCode4(0x73, first, last, wire->key);
return 0;
@@ -2566,7 +2607,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev,
xkbSetMapReq * req,
}
if ((req->present & XkbKeyActionsMask) &&
- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey,
+ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey,
(CARD8 **) &values, &nActions))) {
client->errorValue = nActions;
return BadValue;
@@ -2574,18 +2615,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev,
xkbSetMapReq * req,
if ((req->present & XkbKeyBehaviorsMask) &&
(!CheckKeyBehaviors
- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
+ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
if ((req->present & XkbVirtualModsMask) &&
- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
if ((req->present & XkbExplicitComponentsMask) &&
- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
@@ -2596,7 +2637,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev,
xkbSetMapReq * req,
}
if ((req->present & XkbVirtualModMapMask) &&
(!CheckVirtualModMap
- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
+ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
--
++++++
bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch
++++++
@@ -, +, @@
CheckKeyTypes()
== Invalid read of size 2
== at 0x5A3D1D: CheckKeyTypes (xkb.c:1694)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 30 bytes after a block of size 28,672 in arena "client"
==
== Invalid read of size 2
== at 0x5A3AB6: CheckKeyTypes (xkb.c:1669)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 2 bytes after a block of size 28,672 alloc'd
== at 0x4848897: realloc (vg_replace_malloc.c:1804)
== by 0x5E357A: ReadRequestFromClient (io.c:336)
== by 0x4A1FAB: Dispatch (dispatch.c:519)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
==
== Invalid write of size 2
== at 0x5A3AD7: CheckKeyTypes (xkb.c:1669)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 2 bytes after a block of size 28,672 alloc'd
== at 0x4848897: realloc (vg_replace_malloc.c:1804)
== by 0x5E357A: ReadRequestFromClient (io.c:336)
== by 0x4A1FAB: Dispatch (dispatch.c:519)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
==
---
xkb/xkb.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/xkb/xkb.c
+++ a/xkb/xkb.c
@@ -1643,6 +1643,10 @@ CheckKeyTypes(ClientPtr client,
for (i = 0; i < req->nTypes; i++) {
unsigned width;
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i);
+ return 0;
+ }
if (client->swapped && doswap) {
swaps(&wire->virtualMods);
}
@@ -1668,7 +1672,18 @@ CheckKeyTypes(ClientPtr client,
xkbModsWireDesc *preWire;
mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1];
+ if (!_XkbCheckRequestBounds(client, req, mapWire,
+ &mapWire[wire->nMapEntries])) {
+ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries);
+ return 0;
+ }
preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries];
+ if (wire->preserve &&
+ !_XkbCheckRequestBounds(client, req, preWire,
+ &preWire[wire->nMapEntries])) {
+ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries);
+ return 0;
+ }
for (n = 0; n < wire->nMapEntries; n++) {
if (client->swapped && doswap) {
swaps(&mapWire[n].virtualMods);
--
