mirror of
https://github.com/X11Libre/xserver.git
synced 2026-03-24 08:04:30 +00:00
xkb: Prevent overflow in XkbSetCompatMap()
The XkbCompatMap structure stores its "num_si" and "size_si" fields using an unsigned short. However, the function _XkbSetCompatMap() will store the sum of the input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and "size_si" without first checking if the sum overflows the maximum unsigned short value, leading to a possible overflow. To avoid the issue, check whether the sum does not exceed the maximum unsigned short value, or return a "BadValue" error otherwise. CVE-2025-62231, ZDI-CAN-27560 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
This commit is contained in:
Olivier Fourdan
committed by
Enrico Weigelt, metux IT consult
Enrico Weigelt, metux IT consult
parent
0e1a023be5
commit
3d886958e6
@@ -2952,6 +2952,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||
XkbSymInterpretPtr sym;
|
||||
unsigned int skipped = 0;
|
||||
|
||||
if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
|
||||
return BadValue;
|
||||
if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||
compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||
|
||||
Reference in New Issue
Block a user