xkb: Do not use base group as an array index.

The base group is not brought into range and, therefore, using it as an array
index crashed the X server.  Also, at this place, we should ignore locked
groups, but not latched groups.  Therefore, use sum of base and latched groups,
brought into range.

Reproducible with:
key <FK07> {
    type= "ONE_LEVEL",
    symbols[Group1]= [              NoSymbol ],
    actions[Group1]= [ LatchGroup(group=-1, clearLocks) ]
};

And hitting F7 will exceed the group level and access arbitrary memory.

Signed-off-by: Andreas Wettstein <wettstein509@solnet.ch>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

1 files changed, 8 insertions, 2 deletions

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index c23cd7784..6c6af60f0 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -642,6 +642,7 @@ XkbComputeCompatState(XkbSrvInfoPtr xkbi)
     CARD16 grp_mask;
     XkbStatePtr state = &xkbi->state;
     XkbCompatMapPtr map;
+    XkbControlsPtr ctrls;
 
     if (!state || !xkbi->desc || !xkbi->desc->ctrls || !xkbi->desc->compat)
         return;
@@ -650,9 +651,14 @@ XkbComputeCompatState(XkbSrvInfoPtr xkbi)
     grp_mask = map->groups[state->group].mask;
     state->compat_state = state->mods | grp_mask;
     state->compat_lookup_mods = state->lookup_mods | grp_mask;
+    ctrls= xkbi->desc->ctrls;
 
-    if (xkbi->desc->ctrls->enabled_ctrls & XkbIgnoreGroupLockMask)
-        grp_mask = map->groups[state->base_group].mask;
+    if (ctrls->enabled_ctrls & XkbIgnoreGroupLockMask) {
+	unsigned char grp = state->base_group+state->latched_group;
+	if (grp >= ctrls->num_groups)
+	    grp = XkbAdjustGroup(XkbCharToInt(grp), ctrls);
+        grp_mask = map->groups[grp].mask;
+    }
     state->compat_grab_mods = state->grab_mods | grp_mask;
     return;
 }