xserver: Branch 'master'

Keith Packard keithp at kemper.freedesktop.org
Wed Jul 4 23:38:31 PDT 2007


 xkb/xkbUtils.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

New commits:
diff-tree 9ff7ff2fda30f334515b16ef0867c1500c41bc0f (from 9131d560a0d42067cc4e726e445e060216c9acdc)
Author: Keith Packard <keithp at neko.keithp.com>
Date:   Wed Jul 4 23:38:27 2007 -0700

    Fix MEMORY SMASH in XkbCopyKeymap.
    
    XkbCopyKeymap reallocates the destination keymap when it is not large enough
    to hold the source data. When reallocating the map->types data, it needs to
    zero out the new entries. The computation for where to start bzero'ing was
    accounting for the size of the data type twice, once implicitly in the
    pointer arithmetic, and once explicitly with '* sizeof (XkbKeyTypeRec)'.
    This would often lead to random memory corruption when the destination
    keymap had existing map->types data.

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index bb6d8a0..c7f9a26 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1003,9 +1003,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
                     if (!tmp)
                         return FALSE;
                     dst->map->types = tmp;
-                    bzero(dst->map->types +
-                            (dst->map->num_types * sizeof(XkbKeyTypeRec)),
-                          (src->map->num_types - dst->map->size_types) *
+                    bzero(dst->map->types + dst->map->num_types,
+                          (src->map->num_types - dst->map->num_types) *
                             sizeof(XkbKeyTypeRec));
                 }
                 else {
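Review bot: The length argument of the new bzero call, (src->map->num_types - dst->map->num_types) * sizeof(XkbKeyTypeRec), also changes the subtrahend from dst->map->size_types to dst->map->num_types, but the commit message only describes the start-pointer fix. Please mention the length change in the message, since it decides how many bytes are cleared. Also confirm that the enclosing condition, which is outside this hunk, guarantees src->map->num_types >= dst->map->num_types on this path, and that tmp was allocated for at least src->map->num_types entries. If the difference can go negative, it becomes a very large length once converted to the size argument, and the call would write far past the reallocated buffer. An explicit check before the call would make that invariant visible at the point where it matters.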

