diff options
author | Keith Packard <keithp@neko.keithp.com> | 2007-07-04 23:38:27 -0700 |
---|---|---|
committer | Keith Packard <keithp@neko.keithp.com> | 2007-07-04 23:38:27 -0700 |
commit | 9ff7ff2fda30f334515b16ef0867c1500c41bc0f (patch) | |
tree | 6575c26111550b99f8f067d7ba2445a38f79e36d | |
parent | 9131d560a0d42067cc4e726e445e060216c9acdc (diff) |
Fix MEMORY SMASH in XkbCopyKeymap.
XkbCopyKeymap reallocates the destination keymap when it is not large enough
to hold the source data. When reallocating the map->types data, it needs to
zero out the new entries. The computation for where to start bzero'ing was
accounting for the size of the data type twice, once implicitly in the
pointer arithmetic, and once explicitly with '* sizeof (XkbKeyTypeRec)'.
This would often lead to random memory corruption when the destination
keymap had existing map->types data.
-rw-r--r-- | xkb/xkbUtils.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c index bb6d8a0ae..c7f9a2681 100644 --- a/xkb/xkbUtils.c +++ b/xkb/xkbUtils.c @@ -1003,9 +1003,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr dst, Bool sendNotifies) if (!tmp) return FALSE; dst->map->types = tmp; - bzero(dst->map->types + - (dst->map->num_types * sizeof(XkbKeyTypeRec)), - (src->map->num_types - dst->map->size_types) * + bzero(dst->map->types + dst->map->num_types, + (src->map->num_types - dst->map->num_types) * sizeof(XkbKeyTypeRec)); } else { |