[PATCH libX11 v3] XKB: fix XkbGetKeyboardByName with Xming server

Olivier Fourdan ofourdan at redhat.com
Thu Jan 21 02:54:19 PST 2016

XkbGetKeyboardByName relies on flags to read the data from the server.

If the X server sends us the wrong flags or if a subreply is smaller
than it should be, XkbGetKeyboardByName will not read all the available
data and leave data in the buffer, which will cause the next _XReply()
to fail with:

[xcb] Extra reply data still left in queue
[xcb] This is most likely caused by a broken X extension library
[xcb] Aborting, sorry about that.
xcb_io.c:576: _XReply: Assertion `!xcb_xlib_extra_reply_data_left' failed.

Check if there is some extra data left at the end of
XkbGetKeyboardByName() and discard that data if any is found.

Many thanks to Peter Hutterer <peter.hutterer at who-t.net> for finding the
root cause of the issue and Adam Jackson <ajax at redhat.com> for helping
with the analysis!

Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
v2: bail out if extra data is found, do not return success.
v3: fix indentation, remove warning message

 src/xkb/XKBGetByName.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/xkb/XKBGetByName.c b/src/xkb/XKBGetByName.c
index 973052c..efd985b 100644
--- a/src/xkb/XKBGetByName.c
+++ b/src/xkb/XKBGetByName.c
@@ -44,7 +44,7 @@ XkbGetKeyboardByName(Display *dpy,
     register xkbGetKbdByNameReq *req;
     xkbGetKbdByNameReply rep;
-    int len, extraLen;
+    int len, extraLen = 0;
     char *str;
     XkbDescPtr xkb;
     int mapLen, codesLen, typesLen, compatLen;
@@ -204,12 +204,16 @@ XkbGetKeyboardByName(Display *dpy,
         if (status != Success)
             goto BAILOUT;
+    if (extraLen > 0)
+	goto BAILOUT;
     return xkb;
     if (xkb != NULL)
         XkbFreeKeyboard(xkb, XkbAllComponentsMask, xTrue);
+    if (extraLen > 0)
+        _XEatData(dpy, extraLen);
     return NULL;

More information about the xorg-devel mailing list