Commit 6f093ad56b88488b95dc8bb543be89b7da9c25ee
2012-10-24T23:09:26
state: fix possible index-out-of-bounds in action dispatch table The current code assumes that action->type always falls in the range of the xkb_action_type enum. But keymaps can also have Private actions, which are allowed to set their own type number. So with a default xkeyboard-config keymap, keycode 86 at level 4, which triggers such an action, causes us to crash. Fix it by always checking the bounds. Signed-off-by: Ran Benita <ran234@gmail.com>
diff --git a/src/state.c b/src/state.c
index 8624a9c..ad8c203 100644
--- a/src/state.c
+++ b/src/state.c
@@ -540,6 +540,17 @@ xkb_filter_apply_all(struct xkb_state *state,
return;
action = xkb_key_get_action(state, key);
+
+ /*
+ * It's possible for the keymap to set action->type explicitly, like so:
+ * interpret XF86_Next_VMode {
+ * action = Private(type=0x86, data="+VMode");
+ * };
+ * We don't handle those.
+ */
+ if (action->type >= _ACTION_TYPE_NUM_ENTRIES)
+ return;
+
if (!filter_action_funcs[action->type].new)
return;