Regression in 1.6.10
Introduced by 388b303c.
In particular, 388b303c and 388b303c.
For both lines, data_len is the readable data length in bytes. However, the LHS uses the result data type (XIMStyle and XIMHotKeyTrigger) instead of the read data type (CARD32 and 3x CARD32), i.e.
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 2491908e..10be5619 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -265,7 +265,7 @@ _XimAttributeToValue(
if (num > (USHRT_MAX / sizeof(XIMStyle)))
return False;
- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+ if ((sizeof(num) + (num * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
if (alloc_len < sizeof(XIMStyles))
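Review bot: The corrected check on the `+` line sizes the input by `sizeof(CARD32)`, while the guard above it and `alloc_len` below it still use `sizeof(XIMStyle)`, and nothing in the hunk says why the two differ. A short comment stating that `data_len` counts wire bytes (one CARD32 per element) and `alloc_len` counts host bytes would keep a later cleanup from unifying them again. The `sizeof(num)` term is a similar case, since it stands for the wire header in front of the array rather than for the variable's type.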
@@ -379,7 +379,7 @@ _XimAttributeToValue(
if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
return False;
- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+ if ((sizeof(num) + (num * 3 * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMHotKeyTriggers)
+ sizeof(XIMHotKeyTrigger) * num;
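Review bot: On the `+` line the `3` in `num * 3 * sizeof(CARD32)` is a bare constant, and the overflow guard two lines above is still expressed as `UINT_MAX / sizeof(XIMHotKeyTrigger)`, so it bounds the new product only as long as three CARD32s are no larger than one `XIMHotKeyTrigger`. Suggest a named constant for the per-trigger wire size with a comment, and either guard on that constant or note why the existing guard is sufficient.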
As a side note, I believe the correct version for the sizeof(num) is 2 * sizeof(CARD16) since this is the offset in data where the array of data starts.
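The size mismatch described in this report, as an added example that is not part of the original report or of the patched code: a length check written against the host result type rejects a well-formed message whose elements are 32-bit on the wire. The names `wire_style_t`, `host_style_t`, `WIRE_HEADER`, `len_ok_host`, `len_ok_wire`, `decode_styles` and `build_msg` are hypothetical; the 64-bit host type models an LP64 build, and the two-CARD16 header follows the side note above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins: wire elements are 32-bit (CARD32); the host result type
 * is modelled as 64-bit, like an unsigned long result type on LP64. */
typedef uint32_t wire_style_t;
typedef uint64_t host_style_t;
#define WIRE_HEADER (2 * sizeof(uint16_t))   /* count + pad, assumed layout */

/* Regressed form: sizes the readable data by the host result type. */
static bool len_ok_host(size_t num, size_t data_len)
{
    return WIRE_HEADER + num * sizeof(host_style_t) <= data_len;
}

/* Fixed form: sizes the readable data by what is actually on the wire. */
static bool len_ok_wire(size_t num, size_t data_len)
{
    return WIRE_HEADER + num * sizeof(wire_style_t) <= data_len;
}

/* Decode up to max styles from buf; returns the count, or -1 if rejected. */
static int decode_styles(const uint8_t *buf, size_t data_len, host_style_t *out,
                         size_t max, bool (*len_ok)(size_t, size_t))
{
    uint16_t num;
    if (data_len < WIRE_HEADER)
        return -1;
    memcpy(&num, buf, sizeof(num));
    if (num > max || !len_ok(num, data_len))
        return -1;
    for (size_t i = 0; i < num; i++) {
        wire_style_t v;
        memcpy(&v, buf + WIRE_HEADER + i * sizeof(v), sizeof(v));
        out[i] = v;              /* widen the 32-bit wire value to host type */
    }
    return num;
}

/* Constructed sample: build a well-formed message carrying n styles. */
static size_t build_msg(uint8_t *buf, const wire_style_t *styles, uint16_t n)
{
    memset(buf, 0, WIRE_HEADER);
    memcpy(buf, &n, sizeof(n));
    memcpy(buf + WIRE_HEADER, styles, n * sizeof(*styles));
    return WIRE_HEADER + n * sizeof(*styles);
}
```

With two styles the message is 12 bytes long; the host-sized check demands 20 and refuses it, while the wire-sized check accepts it and still rejects a message truncated by one byte.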