On Wed, Dec 23, 2009 at 12:54:14 +1000, Peter Hutterer wrote:
> If the keycode range exceeds the allowable length, memory gets overwritten.
> Catch this case by making sure that only allowed class types are
> present.
>
Should this also be handled outside of the tests by not overwriting
memory in the first place, or is it impossible to get a keycode range
this big in the server?
diff --git a/dix/eventconvert.c b/dix/eventconvert.c
index e25f3ee..f8b2252 100644
--- a/dix/eventconvert.c
+++ b/dix/eventconvert.c
@@ -379,6 +379,8 @@ appendKeyInfo(DeviceChangedEvent *dce, xXIKeyInfo* info)
uint32_t *kc;
int i;
+ if (dce->keys.max_keycode - dce->keys.min_keycode > USHRT_MAX -
sizeof(*info)/4 - 1)
+ return 0;
info->type = XIKeyClass;
info->num_keycodes = dce->keys.max_keycode - dce->keys.min_keycode + 1;
info->length = sizeof(xXIKeyInfo)/4 + info->num_keycodes;
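
Review bot: the guard added at the top of appendKeyInfo() has sizeof on its right-hand side, so the whole comparison is evaluated as size_t, and the limit it encodes is not explained anywhere. If the keycode fields are signed and max_keycode is ever below min_keycode, the request is rejected only through unsigned wrap-around rather than by an explicit test. Consider checking max_keycode >= min_keycode first, computing the keycode count once, and comparing it against USHRT_MAX - sizeof(xXIKeyInfo)/4, with a comment that the limit keeps info->length (assigned at the end of this hunk as sizeof(xXIKeyInfo)/4 + info->num_keycodes) from wrapping. The guard also spells the size as sizeof(*info) while the length assignment uses sizeof(xXIKeyInfo); pick one. Two further things to confirm: the patch adds no #include, so USHRT_MAX needs <limits.h> to be reachable already in eventconvert.c, and the early return 0 only helps if every caller treats a zero length as "no class appended". Finally, the condition line has been wrapped in transit (the continuation "sizeof(*info)/4 - 1)" has no leading "+"), so the patch will not apply as posted.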
Cheers,
Julien
_______________________________________________
xorg-devel mailing list
http://lists.x.org/mailman/listinfo/xorg-devel