Bug 9180 - memmove in SetKeySymsMap (dix/devices.c:677) writes too many bytes
Status: RESOLVED WONTFIX
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assigned To: Daniel Stone
QA Contact: Xorg Project Team
Keywords: NEEDINFO
Depends on:
Blocks: xorg-7.4 xorg-server-1.4.1
Reported: 2006-11-27 15:22 UTC by xorg
Modified: 2008-04-30 19:19 UTC
Description xorg 2006-11-27 15:22:02 UTC
The memmove() at the end of SetKeySymsMap in xserver/dix/devices.c, line 677, writes beyond the end of dst->map.
Probably the calculation of the size which is currently "(int)(src->maxKeyCode - src->minKeyCode + 1) * dst->mapWidth * sizeof(KeySym)" has to take rowDif into account too.
Comment 1 Daniel Stone 2007-02-27 01:34:51 UTC
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 2 Peter Hutterer 2008-02-28 03:31:31 UTC
(In reply to comment #0)
> The memmove() at the end of SetKeySymsMap in xserver/dix/devices.c, line 677,
> writes beyond the end of dst->map.
> Probably the calculation of the size which is currently "(int)(src->maxKeyCode
> - src->minKeyCode + 1) * dst->mapWidth * sizeof(KeySym)" has to take rowDif
> into account too.
> 

Hmm. I looked at this code for quite a while now and it seems correct. Who is the caller when it overruns?
Comment 3 Peter Hutterer 2008-04-30 19:19:26 UTC
No reply and I can't reproduce it. Marking as WONTFIX with NEEDINFO.
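
The following is an added example, not code from the X server or from anyone in this thread: a bounds check that a caller could run before the memmove() discussed above, to decide for a given pair of key ranges whether the copy stays inside dst->map. The struct is a stand-in, the helper names are hypothetical, and it assumes that rowDif is src->minKeyCode - dst->minKeyCode, that the copy starts at row rowDif of dst->map, and that dst->map holds one row of mapWidth entries per key code from minKeyCode to maxKeyCode.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the server's keysym record; only the fields the report names.
 * Assumption: map holds (maxKeyCode - minKeyCode + 1) * mapWidth entries. */
typedef uint32_t KeySym;
typedef struct {
    KeySym *map;
    unsigned char minKeyCode, maxKeyCode;
    int mapWidth;
} KeySymsRec;

/* Bytes the size expression quoted in the report asks memmove() to write.
 * It depends only on src's row count and dst's width, not on rowDif. */
size_t keysyms_copy_bytes(const KeySymsRec *dst, const KeySymsRec *src)
{
    return (size_t)(src->maxKeyCode - src->minKeyCode + 1) *
           (size_t)dst->mapWidth * sizeof(KeySym);
}

/* Hypothetical helper: returns 1 when copying all of src's rows into dst,
 * starting at row rowDif, stays inside dst->map; returns 0 otherwise. */
int keysyms_copy_fits(const KeySymsRec *dst, const KeySymsRec *src)
{
    /* The plain copy is only meaningful when both maps have the same width. */
    if (dst->mapWidth <= 0 || src->mapWidth != dst->mapWidth)
        return 0;
    if (src->maxKeyCode < src->minKeyCode || dst->maxKeyCode < dst->minKeyCode)
        return 0;

    /* Assumption: rowDif is src's first row relative to dst's first row. */
    int rowDif  = (int)src->minKeyCode - (int)dst->minKeyCode;
    int srcRows = (int)src->maxKeyCode - (int)src->minKeyCode + 1;
    int dstRows = (int)dst->maxKeyCode - (int)dst->minKeyCode + 1;

    /* The copy covers rows [rowDif, rowDif + srcRows) of dst: a negative
     * rowDif starts before the buffer, a large one runs past its end. */
    return rowDif >= 0 && rowDif + srcRows <= dstRows;
}
```

Under these assumptions the byte count is the same for every rowDif, so whether the write ends inside dst->map is decided by the caller's key ranges, which is what the check tests.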