From 6f093ad56b88488b95dc8bb543be89b7da9c25ee Mon Sep 17 00:00:00 2001 From: Ran Benita Date: Wed, 24 Oct 2012 23:09:26 +0200 Subject: [PATCH] state: fix possible index-out-of-bounds in action dispatch table The current code assumes that action->type always falls in the range of the xkb_action_type enum. But keymaps can also have Private actions, which are allowed to set their own type number. So with a default xkeyboard-config keymap, keycode 86 at level 4, which triggers such an action, causes us to crash. Fix it by always checking the bounds. Signed-off-by: Ran Benita --- src/state.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/state.c b/src/state.c index 8624a9c..ad8c203 100644 --- a/src/state.c +++ b/src/state.c @@ -540,6 +540,17 @@ xkb_filter_apply_all(struct xkb_state *state, return; action = xkb_key_get_action(state, key); + + /* + * It's possible for the keymap to set action->type explicitly, like so: + * interpret XF86_Next_VMode { + * action = Private(type=0x86, data="+VMode"); + * }; + * We don't handle those. + */ + if (action->type >= _ACTION_TYPE_NUM_ENTRIES) + return; + if (!filter_action_funcs[action->type].new) return; -- 2.7.4
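Review bot: The new guard in xkb_filter_apply_all bounds action->type by the enum sentinel _ACTION_TYPE_NUM_ENTRIES, but the object indexed right after it is filter_action_funcs, and nothing in this hunk ties the table's length to that sentinel. If the table is declared without an explicit size, it can end up shorter than the enum and the read could still go past the end, so either compare against the element count of filter_action_funcs itself or declare the table with _ACTION_TYPE_NUM_ENTRIES elements and assert the two match at compile time. The check also covers only the upper bound. Since the commit message says the value comes from the keymap (Private(type=0x86, ...)), confirm that the type field is unsigned, or add a lower-bound test so that a negative value cannot pass. Finally, the message says the fix is "always checking the bounds", yet only this one call site is touched. Any other place that indexes a per-action table by action->type needs the same check, and a small helper that returns the table entry or NULL would keep it in one place.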