GNOME Bugzilla – Bug 338254
control-center settings daemon may overrun mouse button mapping buffer in unusual circumstances
Last modified: 2006-05-26 05:56:27 UTC
Hi, Today I was doing a bugzilla query and ran across bug 323724. The patch applied to resolve that bug looks good overall, but there may be a corner case where it could overwrite a byte of memory that it isn't supposed to. The patch has: + /* find the right button */ + for (i = 0; i < n_buttons; i++) + { + if (buttons[i] == right_button) + break; + } + /* swap the buttons */ + buttons[left_button - 1] = right_button; + buttons[i] = left_button; when going to left handed mode (and something similar when going to right handed mode). buttons[] is n_buttons bytes long. If the "buttons[i] == right_button" never succeeds then the loop will end with i == n_buttons, and then the button[i] = left_button will write to memory that is out of bounds.
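Review bot: In the "swap the buttons" step, the store `buttons[i] = left_button` is unconditional, so when the search loop finishes without a match, i == n_buttons and the write lands one byte past the n_buttons-byte array. Guard that second store with a check such as `if (i < n_buttons)`, and confirm that left_button is between 1 and n_buttons before indexing `buttons[left_button - 1]`.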
Created attachment 63357: When swapping buttons, if one of them isn't mapped, only map it and not the other one
If this fixes it, please feel free to commit
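The behaviour the attachment title describes (map the button that is missing, skip the other write) can be sketched as follows. This is an added example, not the attached patch or code from gnome-settings-mouse.c; the names `swap_to_left_handed` and `unmapped_case_is_safe`, the guard byte and the sample maps are constructed for illustration.

```c
#include <stdio.h>

#define CANARY 0xAA  /* constructed guard byte placed right after the map */

/* Hypothetical helper (not from gnome-settings-mouse.c). buttons[] has
 * n_buttons one-byte entries; button numbers are 1-based.
 * Returns 0 if the map is left-handed afterwards, -1 on bad arguments. */
static int swap_to_left_handed(unsigned char *buttons, int n_buttons,
                               int left_button, int right_button)
{
    int i;

    if (!buttons || left_button < 1 || left_button > n_buttons)
        return -1;                       /* buttons[left_button - 1] invalid */
    if (buttons[left_button - 1] == right_button)
        return 0;                        /* already swapped, nothing to do */

    for (i = 0; i < n_buttons; i++)      /* find the right button */
        if (buttons[i] == right_button)
            break;

    buttons[left_button - 1] = (unsigned char) right_button;
    if (i < n_buttons)                   /* i == n_buttons: not mapped, skip */
        buttons[i] = (unsigned char) left_button;
    return 0;
}

/* Constructed map {1, 2, 0}: button 3 is not mapped. Returns 1 when the
 * swap succeeded and the byte after the 3-entry map was left alone. */
static int unmapped_case_is_safe(void)
{
    unsigned char mem[4] = { 1, 2, 0, CANARY };
    int rc = swap_to_left_handed(mem, 3, 1, 3);
    return rc == 0 && mem[0] == 3 && mem[1] == 2 && mem[2] == 0
           && mem[3] == CANARY;
}

int main(void)
{
    unsigned char map[3] = { 1, 2, 3 };  /* constructed default mapping */
    swap_to_left_handed(map, 3, 1, 3);
    printf("normal: %d %d %d\n", map[0], map[1], map[2]);
    printf("unmapped case safe: %d\n", unmapped_case_is_safe());
    return 0;
}
```

Without the `i < n_buttons` check, the unmapped case would store `left_button` into the guard byte at index 3, which is the one-byte overrun this bug reports.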
committed to HEAD and gnome-2-14:

2006-04-17 Ray Strode <rstrode@redhat.com>

* gnome-settings-mouse.c (configure_button_layout): fix potential (tiny, hard to trigger) overrun (bug 338254)
I just filed bug 342980, which seems to be the same problem under 2.14.1 with the patch from this bug applied to it.