Bugzilla – Bug 1099113
Heap overflow in X server compiled using GCC8 with LTO
Last modified: 2018-11-22 14:05:09 UTC
This problem was already reported publicly on firstname.lastname@example.org:
Since commit 83913de2 (xorg-server-18.104.22.1683-20-g83913de25) X server causes undefined behavior in XKBGAlloc.c by calling strlen on a char array which does not need to contain '\0'. strlen would read into memory behind the array and (if it did not crash) return some bogus huge number. That was later clamped back to 4 and used to memcpy data around.
GCC8 with LTO can prove that the strlen is called on a char array and as such must not return a number bigger than 3 or cause undefined behavior. The clamping to 4 is optimized away. In practice it means that the memcpy is called with a bigger buffer than the destination.
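The defect pattern and its fix, as an added illustration that is not code from xorg-server: a fixed-width 4-byte key name that need not be NUL-terminated, copied once with strlen() plus a clamp (the pattern the report describes) and once with strnlen() bounded by the array size. KEY_NAME_LEN, key_name_t and the function names are assumptions standing in for the real XKB types.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen() */
#include <stddef.h>
#include <string.h>

#define KEY_NAME_LEN 4  /* assumption: stands in for the 4-byte XKB key name width */

/* Fixed-width key name: exactly KEY_NAME_LEN bytes, NOT guaranteed NUL-terminated. */
typedef struct {
    char name[KEY_NAME_LEN];
} key_name_t;

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Vulnerable pattern. strlen() on a buffer that may lack a terminator is undefined
 * behaviour, so an optimising compiler (GCC 8 with LTO in the report) may assume the
 * result is at most KEY_NAME_LEN-1 and delete the MIN() clamp; at run time the memcpy
 * length is then whatever strlen() read past the end of the array. Only safe to call
 * when src->name is known to be NUL-terminated. */
void copy_key_name_unsafe(key_name_t *dst, const key_name_t *src)
{
    size_t n = MIN((size_t)KEY_NAME_LEN, strlen(src->name));  /* UB without a NUL */
    memset(dst->name, 0, sizeof dst->name);
    memcpy(dst->name, src->name, n);
}

/* Hardened form: strnlen() never reads beyond sizeof src->name, so the bound is
 * always valid and there is no undefined behaviour for the compiler to exploit. */
void copy_key_name_safe(key_name_t *dst, const key_name_t *src)
{
    size_t n = strnlen(src->name, sizeof src->name);
    memset(dst->name, 0, sizeof dst->name);
    memcpy(dst->name, src->name, n);
}

/* Number of significant bytes in a key name, bounded by the array size. */
size_t key_name_len(const key_name_t *k)
{
    return strnlen(k->name, sizeof k->name);
}
```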
Created attachment 775265 [details]
xkb: Fix heap overflow caused by optimized away min.
Submitted to Factory, nothing else is affected, closing the bug.
This is an autogenerated message for OBS integration:
This bug (1099113) was mentioned in
https://build.opensuse.org/request/show/624084 Factory / xorg-x11-server