[packages/xorg-xserver-server.git] / xorg-xserver-server-xkb.patch

From: Daniel Stone <daniel@fooishbar.org>
Date: Sun, 5 Nov 2006 00:47:59 +0000 (+0200)
Subject: XkbCopyKeymap: don't iterate broken types, or dereference null pointers
X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=389275d240e4ba19d62fda0f138a45c7ecb245ff

XkbCopyKeymap: don't iterate broken types, or dereference null pointers

Don't iterate invalid destination types (>= num_types) when coping key
types.
Don't free key_aliases if it's NULL (theoretical, but sure).
Make sure dst's label_font gets allocated if it's NULL.
(Thanks, Chris Lee.)
---

--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1047,34 +1047,40 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
             }
         }
 
-        if (src->map->types) {
-            if (src->map->size_types > dst->map->size_types) {
-                if (dst->map->types) {
+        if (src->map->types && src->map->num_types) {
+            if (src->map->num_types > dst->map->size_types ||
+                !dst->map->types || !dst->map->size_types) {
+                if (dst->map->types && dst->map->size_types) {
                     tmp = xrealloc(dst->map->types,
-                                   src->map->size_types * sizeof(XkbKeyTypeRec));
+                                   src->map->num_types * sizeof(XkbKeyTypeRec));
                     if (!tmp)
                         return FALSE;
                     dst->map->types = tmp;
                     bzero(dst->map->types +
-                            (dst->map->size_types * sizeof(XkbKeyTypeRec)),
-                          (src->map->size_types - dst->map->size_types) *
+                            (dst->map->num_types * sizeof(XkbKeyTypeRec)),
+                          (src->map->num_types - dst->map->size_types) *
                             sizeof(XkbKeyTypeRec));
                 }
                 else {
-                    tmp = xcalloc(src->map->size_types, sizeof(XkbKeyTypeRec));
+                    tmp = xcalloc(src->map->num_types, sizeof(XkbKeyTypeRec));
                     if (!tmp)
                         return FALSE;
                     dst->map->types = tmp;
                 }
             }
-            else if (src->map->size_types < dst->map->size_types) {
-                if (dst->map->types) {
-                    for (i = src->map->num_types, dtype = (dst->map->types + i);
-                         i < dst->map->size_types; i++, dtype++) {
-                        if (dtype->level_names)
-                            xfree(dtype->level_names);
-                        dtype->level_names = NULL;
-                        dtype->num_levels = 0;
+            else if (src->map->num_types < dst->map->num_types &&
+                     dst->map->types) {
+                for (i = src->map->num_types, dtype = (dst->map->types + i);
+                     i < dst->map->num_types; i++, dtype++) {
+                    if (dtype->level_names)
+                        xfree(dtype->level_names);
+                    dtype->level_names = NULL;
+                    dtype->num_levels = 0;
+                    if (dtype->map_count) {
+                        if (dtype->map)
+                            xfree(dtype->map);
+                        if (dtype->preserve)
+                            xfree(dtype->preserve);
                     }
                 }
             }
@@ -1082,16 +1088,18 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
             stype = src->map->types;
             dtype = dst->map->types;
             for (i = 0; i < src->map->num_types; i++, dtype++, stype++) {
-                if (stype->num_levels) {
+                if (stype->num_levels && stype->level_names) {
                     if (stype->num_levels != dtype->num_levels &&
-                        dtype->num_levels && dtype->level_names) {
+                        dtype->num_levels && dtype->level_names &&
+                        i < dst->map->num_types) {
                         tmp = xrealloc(dtype->level_names,
                                        stype->num_levels * sizeof(Atom));
                         if (!tmp)
                             continue;
                         dtype->level_names = tmp;
                     }
-                    else if (!dtype->num_levels || !dtype->level_names) {
+                    else if (!dtype->num_levels || !dtype->level_names ||
+                             i >= dst->map->num_types) {
                         tmp = xalloc(stype->num_levels * sizeof(Atom));
                         if (!tmp)
                             continue;
@@ -1102,7 +1110,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
                            stype->num_levels * sizeof(Atom));
                 }
                 else {
-                    if (dtype->num_levels && dtype->level_names)
+                    if (dtype->num_levels && dtype->level_names &&
+                        i < dst->map->num_types)
                         xfree(dtype->level_names);
                     dtype->num_levels = 0;
                     dtype->level_names = NULL;
@@ -1114,15 +1123,17 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
                 if (stype->map_count) {
                     if (stype->map) {
                         if (stype->map_count != dtype->map_count &&
-                            dtype->map_count && dtype->map) {
+                            dtype->map_count && dtype->map &&
+                            i < dst->map->num_types) {
                             tmp = xrealloc(dtype->map,
                                            stype->map_count *
                                              sizeof(XkbKTMapEntryRec));
                             if (!tmp)
                                 return FALSE;
                             dtype->map = tmp;
-                       }
-                        else if (!dtype->map_count || !dtype->map) {
+                        }
+                        else if (!dtype->map_count || !dtype->map ||
+                                 i >= dst->map->num_types) {
                             tmp = xalloc(stype->map_count *
                                            sizeof(XkbKTMapEntryRec));
                             if (!tmp)
@@ -1136,7 +1147,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
 
                     if (stype->preserve) {
                         if (stype->map_count != dtype->map_count &&
-                            dtype->map_count && dtype->preserve) {
+                            dtype->map_count && dtype->preserve &&
+                            i < dst->map->num_types) {
                             tmp = xrealloc(dtype->preserve,
                                            stype->map_count *
                                              sizeof(XkbModsRec));
@@ -1144,7 +1156,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
                                 return FALSE;
                             dtype->preserve = tmp;
                         }
-                        else if (!dtype->preserve || !dtype->map_count) {
+                        else if (!dtype->preserve || !dtype->map_count ||
+                                 i >= dst->map->num_types) {
                             tmp = xalloc(stype->map_count *
                                          sizeof(XkbModsRec));
                             if (!tmp)
@@ -1179,14 +1192,14 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
                         xfree(dtype->level_names);
                     if (dtype->map && dtype->map_count)
                         xfree(dtype->map);
-                    if (dtype->preserve && dtype->preserve)
+                    if (dtype->preserve && dtype->map_count)
                         xfree(dtype->preserve);
                 }
                 xfree(dst->map->types);
                 dst->map->types = NULL;
             }
         }
-        dst->map->size_types = src->map->size_types;
+        dst->map->size_types = src->map->num_types;
         dst->map->num_types = src->map->num_types;
 
         if (src->map->modmap) {
@@ -1957,7 +1970,7 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
             dst->geom->num_key_aliases = dst->geom->sz_key_aliases;
         }
         else {
-            if (dst->geom->sz_key_aliases) {
+            if (dst->geom->sz_key_aliases && dst->geom->key_aliases) {
                 xfree(dst->geom->key_aliases);
                 dst->geom->key_aliases = NULL;
             }
@@ -1967,13 +1980,16 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
         
         /* font */
         if (src->geom->label_font) {
-            if (strlen(src->geom->label_font) !=
+            if (!dst->geom->label_font) {
+                tmp = xalloc(strlen(src->geom->label_font));
+                if (!tmp)
+                    return FALSE;
+                dst->geom->label_font = tmp;
+            }
+            else if (strlen(src->geom->label_font) !=
                 strlen(dst->geom->label_font)) {
-                if (dst->geom->label_font)
-                    tmp = xrealloc(dst->geom->label_font,
-                                   strlen(src->geom->label_font));
-                else
-                    tmp = xalloc(strlen(src->geom->label_font));
+                tmp = xrealloc(dst->geom->label_font,
+                               strlen(src->geom->label_font));
                 if (!tmp)
                     return FALSE;
                 dst->geom->label_font = tmp;
Commit	Line	Data
faad3d65 AM	1	From: Daniel Stone <daniel@fooishbar.org>
	2	Date: Sun, 5 Nov 2006 00:47:59 +0000 (+0200)
	3	Subject: XkbCopyKeymap: don't iterate broken types, or dereference null pointers
	4	X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=389275d240e4ba19d62fda0f138a45c7ecb245ff
	5
	6	XkbCopyKeymap: don't iterate broken types, or dereference null pointers
	7
	8	Don't iterate invalid destination types (>= num_types) when coping key
	9	types.
	10	Don't free key_aliases if it's NULL (theoretical, but sure).
	11	Make sure dst's label_font gets allocated if it's NULL.
	12	(Thanks, Chris Lee.)
	13	---
	14
	15	--- a/xkb/xkbUtils.c
	16	+++ b/xkb/xkbUtils.c
	17	@@ -1047,34 +1047,40 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
	18	}
	19	}
	20
	21	- if (src->map->types) {
	22	- if (src->map->size_types > dst->map->size_types) {
	23	- if (dst->map->types) {
	24	+ if (src->map->types && src->map->num_types) {
	25	+ if (src->map->num_types > dst->map->size_types \|\|
	26	+ !dst->map->types \|\| !dst->map->size_types) {
	27	+ if (dst->map->types && dst->map->size_types) {
	28	tmp = xrealloc(dst->map->types,
	29	- src->map->size_types * sizeof(XkbKeyTypeRec));
	30	+ src->map->num_types * sizeof(XkbKeyTypeRec));
	31	if (!tmp)
	32	return FALSE;
	33	dst->map->types = tmp;
	34	bzero(dst->map->types +
	35	- (dst->map->size_types * sizeof(XkbKeyTypeRec)),
	36	- (src->map->size_types - dst->map->size_types) *
	37	+ (dst->map->num_types * sizeof(XkbKeyTypeRec)),
	38	+ (src->map->num_types - dst->map->size_types) *
	39	sizeof(XkbKeyTypeRec));
	40	}
	41	else {
	42	- tmp = xcalloc(src->map->size_types, sizeof(XkbKeyTypeRec));
	43	+ tmp = xcalloc(src->map->num_types, sizeof(XkbKeyTypeRec));
	44	if (!tmp)
	45	return FALSE;
	46	dst->map->types = tmp;
	47	}
	48	}
	49	- else if (src->map->size_types < dst->map->size_types) {
	50	- if (dst->map->types) {
	51	- for (i = src->map->num_types, dtype = (dst->map->types + i);
	52	- i < dst->map->size_types; i++, dtype++) {
	53	- if (dtype->level_names)
	54	- xfree(dtype->level_names);
	55	- dtype->level_names = NULL;
	56	- dtype->num_levels = 0;
	57	+ else if (src->map->num_types < dst->map->num_types &&
	58	+ dst->map->types) {
	59	+ for (i = src->map->num_types, dtype = (dst->map->types + i);
	60	+ i < dst->map->num_types; i++, dtype++) {
	61	+ if (dtype->level_names)
	62	+ xfree(dtype->level_names);
	63	+ dtype->level_names = NULL;
	64	+ dtype->num_levels = 0;
65	+ if (dtype->map_count) {
66	+ if (dtype->map)
67	+ xfree(dtype->map);
68	+ if (dtype->preserve)
69	+ xfree(dtype->preserve);
70	}
71	}
72	}
73	@@ -1082,16 +1088,18 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
74	stype = src->map->types;
75	dtype = dst->map->types;
76	for (i = 0; i < src->map->num_types; i++, dtype++, stype++) {
77	- if (stype->num_levels) {
78	+ if (stype->num_levels && stype->level_names) {
79	if (stype->num_levels != dtype->num_levels &&
80	- dtype->num_levels && dtype->level_names) {
81	+ dtype->num_levels && dtype->level_names &&
82	+ i < dst->map->num_types) {
83	tmp = xrealloc(dtype->level_names,
84	stype->num_levels * sizeof(Atom));
85	if (!tmp)
86	continue;
87	dtype->level_names = tmp;
88	}
89	- else if (!dtype->num_levels \|\| !dtype->level_names) {
90	+ else if (!dtype->num_levels \|\| !dtype->level_names \|\|
91	+ i >= dst->map->num_types) {
92	tmp = xalloc(stype->num_levels * sizeof(Atom));
93	if (!tmp)
94	continue;
95	@@ -1102,7 +1110,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
96	stype->num_levels * sizeof(Atom));
97	}
98	else {
99	- if (dtype->num_levels && dtype->level_names)
100	+ if (dtype->num_levels && dtype->level_names &&
101	+ i < dst->map->num_types)
102	xfree(dtype->level_names);
103	dtype->num_levels = 0;
104	dtype->level_names = NULL;
105	@@ -1114,15 +1123,17 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
106	if (stype->map_count) {
107	if (stype->map) {
108	if (stype->map_count != dtype->map_count &&
109	- dtype->map_count && dtype->map) {
110	+ dtype->map_count && dtype->map &&
111	+ i < dst->map->num_types) {
112	tmp = xrealloc(dtype->map,
113	stype->map_count *
114	sizeof(XkbKTMapEntryRec));
115	if (!tmp)
116	return FALSE;
117	dtype->map = tmp;
118	- }
119	- else if (!dtype->map_count \|\| !dtype->map) {
120	+ }
121	+ else if (!dtype->map_count \|\| !dtype->map \|\|
122	+ i >= dst->map->num_types) {
123	tmp = xalloc(stype->map_count *
124	sizeof(XkbKTMapEntryRec));
125	if (!tmp)
126	@@ -1136,7 +1147,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
127
128	if (stype->preserve) {
129	if (stype->map_count != dtype->map_count &&
130	- dtype->map_count && dtype->preserve) {
131	+ dtype->map_count && dtype->preserve &&
132	+ i < dst->map->num_types) {
133	tmp = xrealloc(dtype->preserve,
134	stype->map_count *
135	sizeof(XkbModsRec));
136	@@ -1144,7 +1156,8 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
137	return FALSE;
138	dtype->preserve = tmp;
139	}
140	- else if (!dtype->preserve \|\| !dtype->map_count) {
141	+ else if (!dtype->preserve \|\| !dtype->map_count \|\|
142	+ i >= dst->map->num_types) {
143	tmp = xalloc(stype->map_count *
144	sizeof(XkbModsRec));
145	if (!tmp)
146	@@ -1179,14 +1192,14 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
147	xfree(dtype->level_names);
148	if (dtype->map && dtype->map_count)
149	xfree(dtype->map);
150	- if (dtype->preserve && dtype->preserve)
151	+ if (dtype->preserve && dtype->map_count)
152	xfree(dtype->preserve);
153	}
154	xfree(dst->map->types);
155	dst->map->types = NULL;
156	}
157	}
158	- dst->map->size_types = src->map->size_types;
159	+ dst->map->size_types = src->map->num_types;
160	dst->map->num_types = src->map->num_types;
161
162	if (src->map->modmap) {
163	@@ -1957,7 +1970,7 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
164	dst->geom->num_key_aliases = dst->geom->sz_key_aliases;
165	}
166	else {
167	- if (dst->geom->sz_key_aliases) {
168	+ if (dst->geom->sz_key_aliases && dst->geom->key_aliases) {
169	xfree(dst->geom->key_aliases);
170	dst->geom->key_aliases = NULL;
171	}
172	@@ -1967,13 +1980,16 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr
173
174	/* font */
175	if (src->geom->label_font) {
176	- if (strlen(src->geom->label_font) !=
177	+ if (!dst->geom->label_font) {
178	+ tmp = xalloc(strlen(src->geom->label_font));
179	+ if (!tmp)
180	+ return FALSE;
181	+ dst->geom->label_font = tmp;
182	+ }
183	+ else if (strlen(src->geom->label_font) !=
184	strlen(dst->geom->label_font)) {
185	- if (dst->geom->label_font)
186	- tmp = xrealloc(dst->geom->label_font,
187	- strlen(src->geom->label_font));
188	- else
189	- tmp = xalloc(strlen(src->geom->label_font));
190	+ tmp = xrealloc(dst->geom->label_font,
191	+ strlen(src->geom->label_font));
192	if (!tmp)
193	return FALSE;
194	dst->geom->label_font = tmp;