[PATCH] Fix overflow on XmbLookupString buffer
Mikael Magnusson
mikachu at gmail.com
Mon Jun 27 03:21:57 UTC 2022
The returned nmbbytes value is the length we need the buffer to be, but
the current size is only bsize. We can't store a NUL at buf[nmbbytes]
before the realloc, so only do this when the buffer is sized properly.
Signed-off-by: Mikael Magnusson <mikachu at gmail.com>
---
xev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xev.c b/xev.c
index de4e6e879e..b9b15d242d 100644
--- a/xev.c
+++ b/xev.c
@@ -178,12 +178,12 @@ do_KeyPress(XEvent *eventp)
if (e->type == KeyPress && xic) {
do {
nmbbytes = XmbLookupString(xic, e, buf, bsize - 1, &ks, &status);
- buf[nmbbytes] = '\0';
if (status == XBufferOverflow) {
bsize = nmbbytes + 1;
buf = realloc(buf, bsize);
- }
+ } else
+ buf[nmbbytes] = '\0';
} while (status == XBufferOverflow);
}
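Review bot: the result of `buf = realloc(buf, bsize);` in this loop is still assigned straight back to `buf` with no NULL check, so on allocation failure the old buffer is lost and the next pass of the `do`/`while` hands a NULL `buf` to `XmbLookupString` with the enlarged `bsize - 1`. Since this patch already touches the block, consider assigning to a temporary, checking it, and bailing out before retrying. A smaller style point on the added lines: the `else` is unbraced while its `if` is braced, and bracing both arms would keep the terminator write visibly tied to the non-overflow case if the block is edited later.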
--
2.36.1
--
Mikael Magnusson