Due to an influx of spam, we have had to impose restrictions on new accounts. Please see this wiki page for instructions on how to get full permissions. Sorry for the inconvenience.
gitlab.freedesktop.org will be unavailable for up to a week starting March 16th, due to our ongoing infrastructure move. You can follow our planning tracker at https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/2076
Generating the modifier modmap, the helper function generate_modkeymap() would check the entire range up to the MAP_LENGTH.
However, the given keymap might have less keycodes than MAP_LENGTH, in which case we would go beyond the size of the modmap, as reported by ASAN:
==ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1 at 0x5110001c225b thread T0
#0 0x5e7369393873 in generate_modkeymap ../dix/inpututils.c:309
#1 0x5e736930dcce in ProcGetModifierMapping ../dix/devices.c:1794
#2 0x5e7369336489 in Dispatch ../dix/dispatch.c:550
#3 0x5e736934407d in dix_main ../dix/main.c:275
#5 0x7e46d47b2ecb in __libc_start_main
#6 0x5e73691be324 in _start (xserver/build/hw/xwayland/Xwayland)
Address is located 0 bytes after 219-byte region
allocated by thread T0 here:
#0 0x7e46d4cfc542 in realloc
#1 0x5e73695aa90e in _XkbCopyClientMap ../xkb/xkbUtils.c:1142
#2 0x5e73695aa90e in XkbCopyKeymap ../xkb/xkbUtils.c:1966
#3 0x5e73695b1b2f in XkbDeviceApplyKeymap ../xkb/xkbUtils.c:2023
#4 0x5e73691c6c18 in keyboard_handle_keymap ../hw/xwayland/xwayland-input.c:1194As MAP_LENGTH is used in various code paths where the max keycode might not be easily available, best is to always use MAP_LENGTH to allocate the keymaps so that the code never run past the buffer size.
If the max key code is smaller than the MAP_LENGTH limit, fill-in the gap with zeros.
That also simplifies the code slightly as we do not constantly need to reallocate the keymap to adjust to the max key code size.
Closes: #1780 (closed)
Signed-off-by: Olivier Fourdan ofourdan@redhat.com