[PATCH v2 2/7] xkb: Fix possible NULL pointer dereference

Pauli Nieminen ext-pauli.nieminen at nokia.com
Wed Jul 28 12:47:02 PDT 2010


changes is dereferenced unconditionally later on in the function. Because
XkbUpdateKeyTypesFromCore is an exported function, its parameters should be
checked for driver errors.

Fixes:
Variable "changes" tracked as NULL was dereferenced.

Signed-off-by: Pauli Nieminen <ext-pauli.nieminen at nokia.com>
---

Added NULL check for changes because it deferenced unconditionaly in
function that can be called by drivers.

 xkb/xkbUtils.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index 14dc784..bf0affb 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -223,16 +223,19 @@ XkbDescPtr		xkb;
 unsigned		key,nG,explicit;
 int			types[XkbNumKbdGroups];
 KeySym			tsyms[XkbMaxSymsPerKey],*syms;
-XkbMapChangesPtr	mc;
+
+    if (!changes) {
+	LogMessage(X_ERROR, "XKB: XkbUpdateKeyTypesFromCore without changes\n");
+	return;
+    }
 
     xkb= pXDev->key->xkbInfo->desc;
+
     if (first+num-1>xkb->max_key_code) {
 	/* 1/12/95 (ef) -- XXX! should allow XKB structures to grow */
 	num= xkb->max_key_code-first+1;
     }
 
-    mc= (changes?(&changes->map):NULL);
-
     syms= &pCore->map[(first - pCore->minKeyCode) * pCore->mapWidth];
     for (key=first; key<(first+num); key++,syms+= pCore->mapWidth) {
         explicit= xkb->server->explicit[key]&XkbExplicitKeyTypesMask;
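Review bot: The new guard covers only `changes`, yet the very next statement, `xkb= pXDev->key->xkbInfo->desc;`, dereferences `pXDev`, `pXDev->key` and `xkbInfo` unchecked, and `pCore` is used the same way a few lines further down. If the reason for the check is that drivers may call this exported function with bad arguments, those pointers deserve the same treatment, for example `if (!pXDev || !pXDev->key || !pXDev->key->xkbInfo || !pCore) return;` ahead of the assignment. The range handling is also one-sided: `num` is clamped against `xkb->max_key_code`, but nothing visible rejects `first < pCore->minKeyCode`, which would place the `pCore->map` index before the start of the map (the parameter types are not shown here, so this needs confirming against the callers). The function's signature and the later unconditional use of `changes` lie outside this hunk.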
@@ -242,7 +245,7 @@ XkbMapChangesPtr	mc;
         types[XkbGroup4Index]= XkbKeyKeyTypeIndex(xkb,key,XkbGroup4Index);
         nG= XkbKeyTypesForCoreSymbols(xkb,pCore->mapWidth,syms,explicit,types,
 									tsyms);
-	XkbChangeTypesOfKey(xkb,key,nG,XkbAllGroupsMask,types,mc);
+	XkbChangeTypesOfKey(xkb,key,nG,XkbAllGroupsMask,types,&changes->map);
 	memcpy((char *)XkbKeySymsPtr(xkb,key),(char *)tsyms,
 					XkbKeyNumSyms(xkb,key)*sizeof(KeySym));
     }
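Review bot: The `memcpy` after the changed call copies `XkbKeyNumSyms(xkb,key)*sizeof(KeySym)` bytes out of `tsyms`, which the first hunk declares as a fixed `tsyms[XkbMaxSymsPerKey]` array, and nothing visible here ties that count to the array size. `XkbChangeTypesOfKey` may well guarantee the bound, but its outcome is not examined at this call site, so the invariant is implicit. A guard such as `if (XkbKeyNumSyms(xkb,key) > XkbMaxSymsPerKey) continue;` before the copy, or a comment stating why the count cannot exceed the buffer, would make it explicit. The loop begins in the previous hunk.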
-- 
1.6.3.3


