Bug 9180 - memmove in SetKeySymsMap (dix/devices.c:677) writes too many bytes
Summary: memmove in SetKeySymsMap (dix/devices.c:677) writes too many bytes
Status: RESOLVED WONTFIX
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: git
Hardware: x86 (IA32) Linux (All)
: high normal
Assignee: Daniel Stone
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords: NEEDINFO
Depends on:
Blocks: xorg-7.4 xorg-server-1.4.1
  Show dependency treegraph
 
Reported: 2006-11-27 15:22 UTC by xorg
Modified: 2008-04-30 19:19 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description xorg 2006-11-27 15:22:02 UTC
The memmove() at the end of SetKeySymsMap in xserver/dix/devices.c, line 677, writes beyond the end of dst->map.
Probably the calculation of the size which is currently "(int)(src->maxKeyCode - src->minKeyCode + 1) * dst->mapWidth * sizeof(KeySym)" has to take rowDif into account too.
Comment 1 Daniel Stone 2007-02-27 01:34:51 UTC
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 2 Peter Hutterer 2008-02-28 03:31:31 UTC
(In reply to comment #0)
> The memmove() at the end of SetKeySymsMap in xserver/dix/devices.c, line 677,
> writes beyond the end of dst->map.
> Probably the calculation of the size which is currently "(int)(src->maxKeyCode
> - src->minKeyCode + 1) * dst->mapWidth * sizeof(KeySym)" has to take rowDif
> into account too.
> 

hmm. I looked at this code for quite a while now and it seems correct. Who is the caller when it overruns?
Comment 3 Peter Hutterer 2008-04-30 19:19:26 UTC
no reply and I can't reproduce it. Marking as WONTFIX with NEEDINFO.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.