Fix MEMORY SMASH in XkbCopyKeymap.

XkbCopyKeymap reallocates the destination keymap when it is not large enough to hold the source data. When reallocating the map->types data, it needs to zero out the new entries. The computation for where to start bzero'ing was accounting for the size of the data type twice, once implicitly in the pointer arithmetic, and once explicitly with '* sizeof (XkbKeyTypeRec)'. This would often lead to random memory corruption when the destination keymap had existing map->types data.
author: Keith Packard <keithp@neko.keithp.com> 2007-07-04 23:38:27 -0700
committer: Keith Packard <keithp@neko.keithp.com> 2007-07-04 23:38:27 -0700
commit: 9ff7ff2fda30f334515b16ef0867c1500c41bc0f (patch)
tree: 6575c26111550b99f8f067d7ba2445a38f79e36d /xkb/xkbUtils.c
parent: 9131d560a0d42067cc4e726e445e060216c9acdc (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index bb6d8a0ae..c7f9a2681 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1003,9 +1003,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr dst, Bool sendNotifies)
                     if (!tmp)
                         return FALSE;
                     dst->map->types = tmp;
-                    bzero(dst->map->types +
-                            (dst->map->num_types * sizeof(XkbKeyTypeRec)),
-                          (src->map->num_types - dst->map->size_types) *
+                    bzero(dst->map->types + dst->map->num_types,
+                          (src->map->num_types - dst->map->num_types) *
                             sizeof(XkbKeyTypeRec));
                 }
                 else {
author	Keith Packard <keithp@neko.keithp.com>	2007-07-04 23:38:27 -0700
committer	Keith Packard <keithp@neko.keithp.com>	2007-07-04 23:38:27 -0700
commit	9ff7ff2fda30f334515b16ef0867c1500c41bc0f (patch)
tree	6575c26111550b99f8f067d7ba2445a38f79e36d /xkb/xkbUtils.c
parent	9131d560a0d42067cc4e726e445e060216c9acdc (diff)