Project 'benjaminl/shader-db' was moved to 'olivia/shader-db'. Please update any links and bookmarks that may still have the old path.

Commit 11fcda87 authored 4 months ago by Olivier Fourdan

xkb: Fix buffer overflow in XkbVModMaskText()


The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the virtual mod name.

There's actually two issues in the code that can lead to a buffer
overflow.

First, the bound check mixes pointers and integers using misplaced
parenthesis, defeating the bound check.

But even though, if the check fails, the data is still copied, so the
stack overflow will occur regardless.

Change the logic to skip the copy entirely if the bound check fails.

CVE-2025-26595, ZDI-CAN-25545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <xorg/xserver!1828>

parent b0a09ba6

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 8 additions and 8 deletions

Olivier Fourdan @ofourdan
mentioned in commit alanc/libxkbfile@65977c33
· 1 month ago

mentioned in commit alanc/libxkbfile@65977c33

mentioned in commit alanc/libxkbfile@65977c33a6735b0ffc7d2c691243452f75c1f68c

Toggle commit list
Olivier Fourdan @ofourdan
mentioned in commit alanc/libxkbfile@f6592c6f
· 1 month ago

mentioned in commit alanc/libxkbfile@f6592c6f

mentioned in commit alanc/libxkbfile@f6592c6f272587456f69aef6e1db6a1aef5731ca

Toggle commit list

Please register or to comment

Admin message

Admin message

xkb: Fix buffer overflow in XkbVModMaskText()