Bug 9180

Summary: memmove in SetKeySymsMap (dix/devices.c:677) writes too many bytes
Product: xorg
Reporter: xorg
Component: Server/General
Assignee: Daniel Stone <daniel>
Status: RESOLVED WONTFIX
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: high
CC: esigra
Version: git
Keywords: NEEDINFO
Hardware: x86 (IA32)
OS: Linux (All)
Bug Blocks: 10101, 12560    

Description xorg 2006-11-27 15:22:02 UTC
The memmove() at the end of SetKeySymsMap in xserver/dix/devices.c, line 677, writes beyond the end of dst->map.
Probably the calculation of the size which is currently "(int)(src->maxKeyCode - src->minKeyCode + 1) * dst->mapWidth * sizeof(KeySym)" has to take rowDif into account too.
Comment 1 Daniel Stone 2007-02-27 01:34:51 UTC
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 2 Peter Hutterer 2008-02-28 03:31:31 UTC
(In reply to comment #0)
> The memmove() at the end of SetKeySymsMap in xserver/dix/devices.c, line 677,
> writes beyond the end of dst->map.
> Probably the calculation of the size which is currently "(int)(src->maxKeyCode
> - src->minKeyCode + 1) * dst->mapWidth * sizeof(KeySym)" has to take rowDif
> into account too.
> 

Hmm. I looked at this code for quite a while now and it seems correct. Who is the caller when it overruns?
Comment 3 Peter Hutterer 2008-04-30 19:19:26 UTC
No reply and I can't reproduce it. Marking as WONTFIX with NEEDINFO.
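
A bounds check for the copy size quoted in the description, as an added example that is not part of the original report or the X server source. It assumes the copy starts at `dst->map[rowDif * dst->mapWidth]` with `rowDif = src->minKeyCode - dst->minKeyCode`, and that `dst->map` holds one row of `dst->mapWidth` entries per key code in dst's range; `KeySymsModel` and `copy_fits` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long KeySym;          /* stand-in for the X11 type */

/* Simplified model of the map descriptor; field names follow the report. */
typedef struct {
    KeySym *map;
    int minKeyCode, maxKeyCode, mapWidth;
} KeySymsModel;

/* Returns 1 when the copy described in the report stays inside dst->map,
 * 0 otherwise. Assumptions (not shown on the page): the copy starts at
 * dst->map[rowDif * dst->mapWidth], rowDif = src->min - dst->min, and
 * dst->map holds (dst->max - dst->min + 1) * dst->mapWidth entries. */
int copy_fits(const KeySymsModel *dst, const KeySymsModel *src)
{
    long rowDif  = (long)src->minKeyCode - dst->minKeyCode;
    long srcRows = (long)src->maxKeyCode - src->minKeyCode + 1;
    long dstRows = (long)dst->maxKeyCode - dst->minKeyCode + 1;

    if (dst->mapWidth <= 0 || srcRows <= 0 || dstRows <= 0)
        return 0;                      /* malformed descriptor */
    if (rowDif < 0)
        return 0;                      /* copy would start before dst->map */

    /* Size from the report: srcRows * dst->mapWidth * sizeof(KeySym). */
    size_t offset = (size_t)rowDif  * dst->mapWidth * sizeof(KeySym);
    size_t nbytes = (size_t)srcRows * dst->mapWidth * sizeof(KeySym);
    size_t cap    = (size_t)dstRows * dst->mapWidth * sizeof(KeySym);
    return offset + nbytes <= cap;     /* rows past dst's last key overrun */
}

int main(void)
{
    /* Constructed key code ranges, not values taken from the report. */
    KeySymsModel dst      = { NULL, 8, 255, 4 };
    KeySymsModel inside   = { NULL, 10, 20, 4 };
    KeySymsModel past_end = { NULL, 250, 260, 4 };
    KeySymsModel before   = { NULL, 4, 20, 4 };

    printf("inside=%d past_end=%d before=%d\n", copy_fits(&dst, &inside),
           copy_fits(&dst, &past_end), copy_fits(&dst, &before));
    return 0;
}
```

Under these assumptions the copy stays in bounds exactly when the source key code range lies inside the destination range, which is the property a caller would have to violate for the write to overrun.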
