authorKeith Packard <keithp@neko.keithp.com>2007-07-04 23:38:27 -0700
committerKeith Packard <keithp@neko.keithp.com>2007-07-04 23:38:27 -0700
commit9ff7ff2fda30f334515b16ef0867c1500c41bc0f (patch)
tree6575c26111550b99f8f067d7ba2445a38f79e36d
parent9131d560a0d42067cc4e726e445e060216c9acdc (diff)
Fix MEMORY SMASH in XkbCopyKeymap.
XkbCopyKeymap reallocates the destination keymap when it is not large enough to hold the source data. When reallocating the map->types data, it needs to zero out the new entries. The computation for where to start bzero'ing was accounting for the size of the data type twice, once implicitly in the pointer arithmetic, and once explicitly with '* sizeof (XkbKeyTypeRec)'. This would often lead to random memory corruption when the destination keymap had existing map->types data.
-rw-r--r--xkb/xkbUtils.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index bb6d8a0ae..c7f9a2681 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1003,9 +1003,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr dst, Bool sendNotifies)
if (!tmp)
return FALSE;
dst->map->types = tmp;
- bzero(dst->map->types +
- (dst->map->num_types * sizeof(XkbKeyTypeRec)),
- (src->map->num_types - dst->map->size_types) *
+ bzero(dst->map->types + dst->map->num_types,
+ (src->map->num_types - dst->map->num_types) *
sizeof(XkbKeyTypeRec));
}
else {
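Review bot: The length on the added bzero lines, `(src->map->num_types - dst->map->num_types) * sizeof(XkbKeyTypeRec)`, is only safe while dst->map->num_types is no larger than src->map->num_types, and nothing in the hunk checks or states that. The condition that selects this realloc branch is outside the hunk; presumably it compares src->map->num_types with dst->map->size_types, in which case a destination whose num_types exceeded its size_types would make the difference negative and the converted length very large. Because the corruption fixed here came from the same kind of arithmetic slip, I would record the invariant next to the call, e.g. `/* zero [dst num_types, src num_types); relies on dst num_types <= dst size_types < src num_types */`. The length operand also changed from size_types to num_types, which the commit message does not mention, so the comment should say that the whole tail after the existing entries is cleared.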