authorOlivier Fourdan <ofourdan@redhat.com>2024-11-27 14:41:45 +0100
committerAlan Coopersmith <alan.coopersmith@oracle.com>2025-02-26 16:46:21 -0800
commitf6592c6f272587456f69aef6e1db6a1aef5731ca (patch)
treeb42378019c454ccf07b49f5c83b4df350191fc26
parent730c9df040546f1a98ab1b974ad2ccd1b4ad4552 (diff)
xkb: Fix buffer overflow in XkbVModMaskText()HEADmaster
The code in XkbVModMaskText() allocates a fixed-size buffer on the stack and copies the virtual mod name into it. There are actually two issues in the code that can lead to a buffer overflow. First, the bound check mixes pointers and integers using misplaced parentheses, defeating the bound check. Second, even when the check fails, the data is still copied, so the stack overflow will occur regardless. Change the logic to skip the copy entirely if the bound check fails. (cherry picked from xorg/xserver@11fcda8753e994e15eb915d28cf487660ec8e722) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxkbfile/-/merge_requests/24>
-rw-r--r--src/xkbtext.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/src/xkbtext.c b/src/xkbtext.c
index 4459ca7..59429b2 100644
--- a/src/xkbtext.c
+++ b/src/xkbtext.c
@@ -190,14 +190,14 @@ XkbVModMaskText(Display * dpy,
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
if (format == XkbCFile)
len += 4;
- if ((str - (buf + len)) <= BUFFER_SIZE) {
- if (str != buf) {
- if (format == XkbCFile)
- *str++ = '|';
- else
- *str++ = '+';
- len--;
- }
+ if ((str - buf) + len > BUFFER_SIZE)
+ continue; /* Skip */
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+ else
+ *str++ = '+';
+ len--;
}
if (format == XkbCFile)
sprintf(str, "%sMask", tmp);
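Review bot: The copy after the new guard is still an unbounded `sprintf(str, "%sMask", tmp)`, so staying inside the buffer depends entirely on the hand-computed `len` (including the literal `+ 4` for "Mask") continuing to match what the write actually emits. Bounding the write itself would make that self-enforcing, e.g. `snprintf(str, BUFFER_SIZE - (size_t)(str - buf), "%sMask", tmp);`, assuming `buf` is the `BUFFER_SIZE`-byte stack array the commit message describes (its declaration is outside the hunk). Separately, `continue; /* Skip */` drops a virtual modifier name without any signal, so the returned text can be silently incomplete; a comment such as `/* name does not fit: omit it, output is truncated */` would make that intent explicit. The function body starts and ends outside this hunk, so the non-C-file branch and the advance of `str` were not reviewed here.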