summaryrefslogtreecommitdiff
authorTomas Janousek <tomi@nomi.cz>2009-05-20 13:03:01 (GMT)
committer Peter Hutterer <peter.hutterer@who-t.net>2009-05-22 02:24:21 (GMT)
commit525aa17f804d37d1cfcbbf6b8e6cddb45e999b20 (patch) (side-by-side diff)
tree290af078c9e5e0f2b215faae0cfa527682f66f0f
parent7db55a0806c82bd4143c8bf1b8eb2b62e456ad9a (diff)
downloadxserver-525aa17f804d37d1cfcbbf6b8e6cddb45e999b20.zip
xserver-525aa17f804d37d1cfcbbf6b8e6cddb45e999b20.tar.gz
Bug #6428, #16458, #21464: Fix crash due to uninitialized VModMap fields.
In ProcXkbGetKbdByName, mrep.firstVModMapKey, .nVModMapKeys and .totalVModMapKeys were not initialized, contained random values and caused accesses to unallocated and later modified memory, causing XkbSizeVirtualModMap and XkbWriteVirtualModMap to see different number of nonzero values, resulting in writes past the end of an array in XkbSendMap. This patch initializes those values sensibly and reverts commits 5c0a2088 and 6dd4fc46, which have been plain non-sense. Signed-off-by: Tomas Janousek <tomi@nomi.cz> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--xkb/xkb.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 445c55f..ec46238 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1308,7 +1308,7 @@ XkbSizeVirtualModMap(XkbDescPtr xkb,xkbGetMapReply *rep)
rep->totalVModMapKeys= 0;
return 0;
}
- for (nRtrn=i=0;i<rep->nVModMapKeys-1;i++) {
+ for (nRtrn=i=0;i<rep->nVModMapKeys;i++) {
if (xkb->server->vmodmap[i+rep->firstVModMapKey]!=0)
nRtrn++;
}
@@ -1327,7 +1327,7 @@ unsigned short * pMap;
wire= (xkbVModMapWireDesc *)buf;
pMap= &xkb->server->vmodmap[rep->firstVModMapKey];
- for (i=0;i<rep->nVModMapKeys-1;i++,pMap++) {
+ for (i=0;i<rep->nVModMapKeys;i++,pMap++) {
if (*pMap!=0) {
wire->key= i+rep->firstVModMapKey;
wire->vmods= *pMap;
@@ -5670,7 +5670,7 @@ ProcXkbGetKbdByName(ClientPtr client)
mrep.present = 0;
mrep.totalSyms = mrep.totalActs =
mrep.totalKeyBehaviors= mrep.totalKeyExplicit=
- mrep.totalModMapKeys= 0;
+ mrep.totalModMapKeys= mrep.totalVModMapKeys= 0;
if (rep.reported&(XkbGBN_TypesMask|XkbGBN_ClientSymbolsMask)) {
mrep.present|= XkbKeyTypesMask;
mrep.firstType = 0;
@@ -5696,6 +5696,8 @@ ProcXkbGetKbdByName(ClientPtr client)
mrep.firstKeyExplicit = new->min_key_code;
mrep.nKeyActs = mrep.nKeyBehaviors =
mrep.nKeyExplicit = XkbNumKeys(new);
+ mrep.firstVModMapKey= new->min_key_code;
+ mrep.nVModMapKeys= XkbNumKeys(new);
}
else {
mrep.virtualMods= 0;