Bug 34151

Summary: setxkbmap: Potential bug and buffer overflow due to misused rules filename.
Product: xorg Reporter: van.de.bugger
Component: App/xkbcompAssignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: 7.5 (2009.10)   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description van.de.bugger 2011-02-10 13:05:56 UTC 
It seems there is potential bug in setxkbmap. Look at applyRules function:

        if (svSrc[RULES_NDX])
            rfName = svValue[RULES_NDX];
        else
            rfName = DFLT_XKB_RULES_FILE;
##### rfName is either specified name of rules file, or default name. 
##### It seems further rfName should be used as name of rules file.
        if (rfName[0] == '/')
        {
            rules = XkbRF_Load(rfName, svValue[LOCALE_NDX], True, True);
##### That's ok.
        }
        else
        {
            /* try to load rules files from all include paths until the first
             * we succeed with */
            for (i = 0; (i < numInclPath) && (!rules); i++)
            {
                if ((strlen(inclPath[i]) + strlen(rfName) + 8) > PATH_MAX)
##### rfName is used for calculating length of path.
                {
                    VMSG2(0, "Path too long (%s/rules/%s). Ignored.\n",
                          inclPath[i], rfName);
##### rfName is used in warning message.
                    continue;
                }
                sprintf(buf, "%s/rules/%s", inclPath[i], svValue[RULES_NDX]);
##### Oops! svValue[RULES_NDX] is used. I guess it should be rfName instead.
                rules = XkbRF_Load(buf, svValue[LOCALE_NDX], True, True);
            }
        }
        if (!rules)
        {
            ERR1("Couldn't find rules file (%s) \n", svValue[RULES_NDX]);
#### Oops again. It seems rfName should be used there, not svValue[RULES_DNX].
            return False;
        }

If you agree it should be fixed, I can prepare a patch.
Comment 1 Alan Coopersmith 2011-02-10 13:37:00 UTC 
As it turns out, I submitted a patch last night that would prevent buffer
overflow using snprintf instead of trying to calculate the length by hand,
but I failed to notice it was using different strings:

http://lists.x.org/archives/xorg-devel/2011-February/019121.html

Good catch!   (I haven't had a chance to analyze to see which string is
correct to use yet.)
Comment 2 Alan Coopersmith 2011-02-13 09:21:27 UTC 
Confirmed analysis, and had fix reviewed on xorg-devel - it's now pushed
to git master:

http://cgit.freedesktop.org/xorg/app/setxkbmap/commit/?id=fce78beab4b5f7ee99bf66d35c36b7ed12871d5a

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.