[PATCH] xkb: fix invalid memory writes in _XkbCopyGeom.

Peter Hutterer peter.hutterer at who-t.net
Thu Jun 3 21:15:04 PDT 2010


Classic strlen/strcpy mistake of
   foo = malloc(strlen(bar));
   strcpy(foo, bar);

Testcase: valgrind Xephyr :1

==8591== Invalid write of size 1
==8591==    at 0x4A0638F: strcpy (mc_replace_strmem.c:311)
==8591==    by 0x605593: _XkbCopyGeom (xkbUtils.c:1994)
==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591==    by 0x447162: ActivateDevice (devices.c:530)
==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
==8591==    by 0x4449EE: main (main.c:254)
==8591==  Address 0x6f96505 is 0 bytes after a block of size 53 alloc'd
==8591==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==8591==    by 0x6054B7: _XkbCopyGeom (xkbUtils.c:1980)
==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591==    by 0x447162: ActivateDevice (devices.c:530)
==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
==8591==    by 0x4449EE: main (main.c:254)

Reported-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
---
 xkb/xkbUtils.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index e3fb9dc..0766922 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1977,7 +1977,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst)
         /* font */
         if (src->geom->label_font) {
             if (!dst->geom->label_font) {
-                tmp = malloc(strlen(src->geom->label_font));
+                tmp = malloc(strlen(src->geom->label_font) + 1);
                 if (!tmp)
                     return FALSE;
                 dst->geom->label_font = tmp;
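Review bot: the `+ 1` for the NUL terminator is the right fix, but this branch still hand-rolls the malloc/strcpy pair that caused the bug; `dst->geom->label_font = strdup(src->geom->label_font);` followed by the same `if (!dst->geom->label_font) return FALSE;` check removes the size arithmetic entirely and leaves nothing for a future edit to get wrong again.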
@@ -1985,7 +1985,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst)
             else if (strlen(src->geom->label_font) !=
                 strlen(dst->geom->label_font)) {
                 tmp = realloc(dst->geom->label_font,
-                               strlen(src->geom->label_font));
+                               strlen(src->geom->label_font) + 1);
                 if (!tmp)
                     return FALSE;
                 dst->geom->label_font = tmp;
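Review bot: the `strlen(src) != strlen(dst)` guard means that when the two labels happen to be the same length no realloc occurs and the copy goes into whatever buffer `dst->geom->label_font` already holds, so this path is only safe if every allocation of that field (here and at any other writer) already includes the terminator; consider dropping the length comparison and always calling `realloc(dst->geom->label_font, strlen(src->geom->label_font) + 1)`, which costs nothing measurable and makes the destination size independent of how the old buffer was created.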
-- 
1.6.5.2
