Bug#931332: xserver-xorg-core: X crash on keyboard remapping
Package: xserver-xorg-core
Version: 2:1.20.4-1
Severity: important
Tags: patch a11y
Forwarded: https://gitlab.freedesktop.org/xorg/xserver/issues/574
Hello,
As reported on https://gitlab.freedesktop.org/xorg/xserver/issues/574
X crashes on XkbSetMap. Running the attached patch is enough to crash
the server.
This is notably a concern for people using Braille devices to type text,
because at-spi and xbrlapi use keyboard remapping to be able to simulate
all needed keysyms. Just typing e.g. 'ô' (⢹ in french Braille) is
enough to crash the server.
The attached patch was commited upstream to fix this, could you consider
including it in the next Buster point release?
Stretch does not seem to be affected.
Samuel
#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/XKBlib.h>
#define XK_LATIN1
#include <X11/keysymdef.h>
#include <stdio.h>
int main(void) {
Display *dpy;
dpy = XOpenDisplay("");
int keycode = 240;
int keysym = XK_ecircumflex;
XkbDescPtr desc;
if (!(desc = XkbGetMap (dpy, XkbAllMapComponentsMask, XkbUseCoreKbd)))
{
fprintf (stderr, "ERROR getting map\n");
}
XFlush (dpy);
XSync (dpy, False);
if (desc && desc->map)
{
int offset = desc->map->key_sym_map[keycode].offset;
desc->map->syms[offset] = keysym;
}
else
{
fprintf (stderr, "Error changing key map: empty server structure\n");
}
XkbSetMap (dpy, XkbAllMapComponentsMask, desc);
/**
* FIXME: the use of XkbChangeMap, and the reuse of the priv->xkb_desc structure,
* would be far preferable.
* HOWEVER it does not seem to work using XFree 4.3.
**/
/* XkbChangeMap (dpy, priv->xkb_desc, priv->changes); */
XFlush (dpy);
XSync (dpy, False);
XkbFreeKeyboard (desc, 0, TRUE);
return TRUE;
}
commit 8469bfead9515ab3644f1769a1ff51466ba8ffee
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Mon Jul 1 02:31:02 2019 +0200
Fix crash on XkbSetMap
Some devices may not have keyboard information.
Fixes #574
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 764079506..9bd45a34a 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2383,6 +2383,9 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
XkbSymMapPtr map;
int i;
+ if (!dev->key)
+ return 0;
+
xkbi = dev->key->xkbInfo;
xkb = xkbi->desc;
@@ -2495,6 +2498,9 @@ _XkbSetMap(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, char *values)
XkbSrvInfoPtr xkbi;
XkbDescPtr xkb;
+ if (!dev->key)
+ return Success;
+
xkbi = dev->key->xkbInfo;
xkb = xkbi->desc;
commit fabc4219622f3c0b41b1cb897c46e092377059e3
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Mon Jul 1 02:33:26 2019 +0200
Fix crash on XkbSetMap
Since group_info and width are used for the key actions allocations,
when modifying them we need to take care of reallocation key actions if
needed.
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 9bd45a34a..3162574a4 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2110,6 +2110,9 @@ SetKeySyms(ClientPtr client,
}
}
}
+ if (XkbKeyHasActions(xkb, i + req->firstKeySym))
+ XkbResizeKeyActions(xkb, i + req->firstKeySym,
+ XkbNumGroups(wire->groupInfo) * wire->width);
oldMap->kt_index[0] = wire->ktIndex[0];
oldMap->kt_index[1] = wire->ktIndex[1];
oldMap->kt_index[2] = wire->ktIndex[2];
Reply to: