XkbAdjustGroup DIV-0 crash if ctrls->num_groups == 0
Submitted by Jeremy Huddleston Sequoia
Assigned to Xorg Project Team
Description
Initially reported to XQuartz at https://xquartz.macosforge.org/trac/ticket/854
Exception Type: EXC_ARITHMETIC (SIGFPE)
Exception Codes: EXC_I386_DIV (divide by zero)
Application Specific Information:
X.Org X Server 1.14.4 Build Date: 20131110
...
Thread 2 Crashed:
0 X11.bin 0x00000001000a066d XkbAdjustGroup (xkbUtils.c:705)
1 X11.bin 0x00000001000a0713 XkbComputeDerivedState (xkbUtils.c:729)
2 X11.bin 0x0000000100094823 ProcXkbLatchLockState (xkb.c:654)
3 X11.bin 0x00000001000c4842 Dispatch (dispatch.c:433)
4 X11.bin 0x0000000100026467 dix_main (main.c:302)
5 X11.bin 0x00000001000117e5 server_thread (quartzStartup.c:66)
6 libsystem_c.dylib 0x00007fff8f9ec772 _pthread_start (pthreads/pthread.c:954)
7 libsystem_c.dylib 0x00007fff8f9d91a1 thread_start + 0x11a1
The crash point can be seen here: http://cgit.freedesktop.org/xorg/xserver/tree/xkb/xkbUtils.c?id=xorg-server-1.14.4#n705
ctrls->num_groups is 0 here:
    else if (group >= ctrls->num_groups) {
        if (act == XkbClampIntoRange) {
            group = ctrls->num_groups - 1;
        }
        else if (act == XkbRedirectIntoRange) {
            int newGroup;
            newGroup = XkbOutOfRangeGroupNumber(ctrls->groups_wrap);
            if (newGroup >= ctrls->num_groups)
                group = XkbGroup1Index;
            else
                group = newGroup;
        }
        else {
            group %= ctrls->num_groups; /// <------------ DIV-0 crash point
        }
    }
See also
Edited by Jeremy Huddleston Sequoia
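Added example, not part of the original report and not the X.Org fix: a self-contained group-adjustment routine that checks for num_groups == 0 before either the clamp or the modulo branch can run. The function name adjust_group, the constant names and their values, and the choice to fall back to group index 0 are assumptions made for illustration.

```c
#include <stdio.h>

/* Stand-in constants for this example; the values are assumptions chosen
 * so the block compiles on its own without the X server headers. */
enum { WRAP_INTO_RANGE = 0x00, CLAMP_INTO_RANGE = 0x40, REDIRECT_INTO_RANGE = 0x80 };
#define OUT_OF_RANGE_ACTION(w) ((w) & 0xc0)
#define OUT_OF_RANGE_GROUP(w)  ((w) & 0x0f)
#define GROUP1_INDEX 0

/* Hypothetical helper: map an arbitrary group number into [0, num_groups). */
static int adjust_group(int group, int num_groups, unsigned groups_wrap)
{
    unsigned act = OUT_OF_RANGE_ACTION(groups_wrap);

    /* Guard: with no groups, "% num_groups" is undefined behaviour (SIGFPE
     * on x86) and "num_groups - 1" is -1. Fall back to the first group. */
    if (num_groups <= 0)
        return GROUP1_INDEX;

    if (group >= 0 && group < num_groups)
        return group;               /* already in range */

    if (act == CLAMP_INTO_RANGE)
        return group < 0 ? GROUP1_INDEX : num_groups - 1;

    if (act == REDIRECT_INTO_RANGE) {
        int new_group = (int) OUT_OF_RANGE_GROUP(groups_wrap);
        return new_group >= num_groups ? GROUP1_INDEX : new_group;
    }

    /* Wrap: num_groups > 0 is guaranteed here, so the modulo is safe.
     * C's % keeps the sign of the dividend, so fix up negative results. */
    group %= num_groups;
    return group < 0 ? group + num_groups : group;
}

int main(void)
{
    /* Constructed inputs: (group, num_groups, groups_wrap) */
    printf("%d\n", adjust_group(5, 0, WRAP_INTO_RANGE));   /* zero groups */
    printf("%d\n", adjust_group(5, 4, WRAP_INTO_RANGE));   /* normal wrap */
    printf("%d\n", adjust_group(9, 4, CLAMP_INTO_RANGE));  /* normal clamp */
    return 0;
}
```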