Bug 738886 – Out of bounds access in MyEnhancedXkbTranslateKeyCode

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 738886 - Out of bounds access in MyEnhancedXkbTranslateKeyCode


Summary:	Out of bounds access in MyEnhancedXkbTranslateKeyCode


Status:	RESOLVED FIXED

Product:	gtk+
Classification:	Platform
Component:	Backend: X11
Version:	3.14.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	gtk-bugs
QA Contact:	gtk-bugs

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-10-20 17:39 UTC by Ran Benita
Modified:	2014-10-27 01:53 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Demonstrative assert (532 bytes, patch) 2014-10-20 17:39 UTC, Ran Benita	none	Details \| Review

Description Ran Benita 2014-10-20 17:39:29 UTC

Created attachment 288973 [details] [review]
Demonstrative assert

I've attached a diff to demonstrate this. The assert quickly fails with e.g. Shift+<A>.

The code seems to assume that `col` points to the base of the group's syms, but this does not hold after `found` becomes true and the loop continues. So in some cases the syms of the next group (if there one) or key (if there is one) are unintentionally accessed.

I am not entirely sure what was the exact intention of this line, i.e. whether the LHS or RHS of the `==` should change (the comment below is somewhat ambiguous), so I'll leave the fix for someone more familiar with the code.