From: Ran Benita <ran234@gmail.com>
Date: Wed, 24 Oct 2012 21:09:26 +0000 (+0200)
Subject: state: fix possible index-out-of-bounds in action dispatch table
X-Git-Tag: xkbcommon-0.3.0~92
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6f093ad56b88488b95dc8bb543be89b7da9c25ee;p=platform%2Fupstream%2Flibxkbcommon.git

state: fix possible index-out-of-bounds in action dispatch table

The current code assumes that action->type always falls in the range of
the xkb_action_type enum. But keymaps can also have Private actions,
which are allowed to set their own type number.

So with a default xkeyboard-config keymap, keycode 86 at level 4, which
triggers such an action, causes us to crash.

Fix it by always checking the bounds.

Signed-off-by: Ran Benita <ran234@gmail.com>
---

diff --git a/src/state.c b/src/state.c
index 8624a9c..ad8c203 100644
--- a/src/state.c
+++ b/src/state.c
@@ -540,6 +540,17 @@ xkb_filter_apply_all(struct xkb_state *state,
         return;
 
     action = xkb_key_get_action(state, key);
+
+    /*
+     * It's possible for the keymap to set action->type explicitly, like so:
+     *     interpret XF86_Next_VMode {
+     *         action = Private(type=0x86, data="+VMode");
+     *     };
+     * We don't handle those.
+     */
+    if (action->type >= _ACTION_TYPE_NUM_ENTRIES)
+        return;
+
     if (!filter_action_funcs[action->type].new)
         return;