On Sat, Dec 26, 2009 at 03:57:40PM +0100, Julien Cristau wrote:
> On Wed, Dec 23, 2009 at 12:54:14 +1000, Peter Hutterer wrote:
> 
> > If the keycode range exceeds the allowable length, memory gets overwritten.
> > Catch this case by making sure that only allowed class types are
> > present.
> > 
> Should this also be handled outside of the tests by not overwriting
> memory in the first place, or is it impossible to get a keycode range
> this big in the server?
> 
> diff --git a/dix/eventconvert.c b/dix/eventconvert.c
> index e25f3ee..f8b2252 100644
> --- a/dix/eventconvert.c
> +++ b/dix/eventconvert.c
> @@ -379,6 +379,8 @@ appendKeyInfo(DeviceChangedEvent *dce, xXIKeyInfo* info)
>      uint32_t *kc;
>      int i;
>  
> +    if (dce->keys.max_keycode - dce->keys.min_keycode > USHRT_MAX - 
> sizeof(*info)/4 - 1)
> +        return 0;
>      info->type = XIKeyClass;
>      info->num_keycodes = dce->keys.max_keycode - dce->keys.min_keycode + 1;
>      info->length = sizeof(xXIKeyInfo)/4 + info->num_keycodes;
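
Review bot: the new guard restates, rearranged, the same arithmetic that `info->num_keycodes = ...` and `info->length = ...` perform two lines below it, so the two can drift apart the next time either changes; compute the keycode count first and test the quantity actually being protected, e.g. `num_keycodes = dce->keys.max_keycode - dce->keys.min_keycode + 1; if (sizeof(xXIKeyInfo)/4 + num_keycodes > USHRT_MAX) return 0;`, with a comment saying that `info->length` is 16 bits wide and would otherwise wrap. Two smaller points on the same lines: the guard spells the header size as `sizeof(*info)/4` while the assignment below uses `sizeof(xXIKeyInfo)/4`, so pick one; and since `sizeof` yields `size_t`, the whole right-hand side is unsigned and the left-hand side is converted to `size_t` for the comparison, which is fine for the intended bound but worth a comment. The bare `return 0` also logs nothing, so every caller of appendKeyInfo has to treat 0 as failure; that side of the change is not in this hunk.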

this should be caught during device initialization instead and prevent
devices from ever going above this range.

note that the current initialisation process still uses the old XKB setups.
no device can have more than 255 keycodes anyway, hence this test is merely
a theoretical case.

Cheers,
  Peter
_______________________________________________
xorg-devel mailing list
[email protected]
http://lists.x.org/mailman/listinfo/xorg-devel
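
The truncation that the commit message and the guard are about, as an added example that is not part of this thread or of the X server source: a constructed stand-in header with the same 16-bit type/length/num_keycodes fields used in the hunk (the real xXIKeyInfo layout is in XI2proto.h and is not quoted here, so the exact threshold depends on the stand-in's size) is filled in with and without the patch's check, and the unguarded fill-in is shown claiming fewer bytes than the keycode writer would emit once the range crosses the 16-bit limit. KeyInfoHdr, KEY_CLASS and all function names below are assumptions, not identifiers from the server.

```c
/* Added example, not X server code: why a 16-bit length field in the
 * key-class header needs the guard the patch adds. KeyInfoHdr is a
 * constructed stand-in for xXIKeyInfo; its size decides the threshold. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t type;          /* class type */
    uint16_t length;        /* class length in 4-byte units, 16 bits wide */
    uint16_t num_keycodes;  /* keycodes that follow, one uint32_t each */
    uint16_t pad;
} KeyInfoHdr;               /* stand-in for xXIKeyInfo (assumption) */

#define KEY_CLASS 0         /* stand-in for XIKeyClass (assumption) */

/* Bytes the keycode writer intends to emit: the header plus one 32-bit
 * keycode for every code in [min_keycode, max_keycode]. */
static size_t intended_bytes(int min_keycode, int max_keycode)
{
    return sizeof(KeyInfoHdr) + 4u * (size_t)(max_keycode - min_keycode + 1);
}

/* Unguarded fill-in, mirroring the three assignments in the hunk. The
 * sums are computed in int/size_t and silently truncated when stored in
 * the 16-bit fields. Returns the byte count the header now claims. */
static size_t append_key_info_unguarded(KeyInfoHdr *info,
                                        int min_keycode, int max_keycode)
{
    info->type = KEY_CLASS;
    info->num_keycodes = (uint16_t)(max_keycode - min_keycode + 1);
    info->length = (uint16_t)(sizeof(*info) / 4 + info->num_keycodes);
    return (size_t)info->length * 4;
}

/* The patch's guard restated in terms of the quantity it protects:
 * 1 when both 16-bit fields can hold their values, 0 otherwise (an
 * inverted range is rejected too). For a valid range this is the same
 * test as  max - min > USHRT_MAX - sizeof(*info)/4 - 1  in the hunk. */
static int key_info_fits(int min_keycode, int max_keycode)
{
    long num_keycodes = (long)max_keycode - (long)min_keycode + 1;
    long length = (long)(sizeof(KeyInfoHdr) / 4) + num_keycodes;
    return num_keycodes >= 1 && length <= USHRT_MAX;
}

/* Guarded fill-in, i.e. the behaviour after the patch: leaves *info
 * untouched and returns 0 when the range does not fit. */
static size_t append_key_info_guarded(KeyInfoHdr *info,
                                      int min_keycode, int max_keycode)
{
    if (!key_info_fits(min_keycode, max_keycode))
        return 0;
    return append_key_info_unguarded(info, min_keycode, max_keycode);
}

/* 1 when the unguarded header claims fewer bytes than the writer will
 * emit: a consumer that sizes its buffer from info->length is then
 * overrun by the keycodes that follow. */
static int unguarded_header_lies(int min_keycode, int max_keycode)
{
    KeyInfoHdr hdr;
    memset(&hdr, 0, sizeof hdr);
    return append_key_info_unguarded(&hdr, min_keycode, max_keycode)
           < intended_bytes(min_keycode, max_keycode);
}

/* Bytes the guarded fill-in reports for a range (0 = rejected). */
static size_t guarded_bytes(int min_keycode, int max_keycode)
{
    KeyInfoHdr hdr;
    memset(&hdr, 0, sizeof hdr);
    return append_key_info_guarded(&hdr, min_keycode, max_keycode);
}

int main(void)
{
    /* constructed ranges: a realistic keyboard, the last range that
     * fits, the first that wraps, and one well past the limit */
    const int ranges[][2] = { {8, 255}, {0, 65532}, {0, 65533}, {0, 70000} };
    for (size_t i = 0; i < sizeof ranges / sizeof ranges[0]; i++) {
        int lo = ranges[i][0], hi = ranges[i][1];
        printf("range %d..%d: fits=%d guarded_bytes=%zu unguarded_header_lies=%d\n",
               lo, hi, key_info_fits(lo, hi), guarded_bytes(lo, hi),
               unguarded_header_lies(lo, hi));
    }
    return 0;
}
```

With the 8-byte stand-in header the first range that wraps is 65534 keycodes (length would be 65536), which is exactly where the hunk's `USHRT_MAX - sizeof(*info)/4 - 1` test flips; a 248-keycode keyboard is nowhere near it, which is the point Peter makes about the check being theoretical for devices initialised through the XKB path.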
