From f70bda9f6de2d38ae3859afb3f96cad1e9c47590 Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Fri, 23 Jun 2023 03:14:09 -0700 Subject: [PATCH] locale1: fix use-after-free in xkb_keymap creation qPrintable creates temporary objects that are destroyed before `xkb_keymap_new_from_names` is called. It's highly likely that the data we pass to xkbcommon will be overwritten by random data by that point. Fix that by storing values as QByteArrays just like `Xkb::loadKeymapFromConfig` does. --- src/xkb.cpp | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/src/xkb.cpp b/src/xkb.cpp index 9593437634..ad08ea21c2 100644 --- a/src/xkb.cpp +++ b/src/xkb.cpp @@ -246,16 +246,24 @@ xkb_keymap *Xkb::loadKeymapFromLocale1() { OrgFreedesktopDBusPropertiesInterface locale1Properties(s_locale1Interface, "/org/freedesktop/locale1", QDBusConnection::systemBus(), this); const QVariantMap properties = locale1Properties.GetAll(s_locale1Interface); - const QString layouts = properties["X11Layout"].toString(); + + const QByteArray model = properties["X11Model"].toByteArray(); + const QByteArray layout = properties["X11Layout"].toByteArray(); + const QByteArray variant = properties["X11Variant"].toByteArray(); + const QByteArray options = properties["X11Options"].toByteArray(); + xkb_rule_names ruleNames = { - nullptr, - qPrintable(properties["X11Model"].toString()), - qPrintable(layouts), - qPrintable(properties["X11Variant"].toString()), - qPrintable(properties["X11Options"].toString()), + .rules = nullptr, + .model = model.constData(), + .layout = layout.constData(), + .variant = variant.constData(), + .options = options.constData(), }; + applyEnvironmentRules(ruleNames); - m_layoutList = layouts.split(QLatin1Char(',')); + + m_layoutList = QString::fromLatin1(ruleNames.layout).split(QLatin1Char(',')); + return xkb_keymap_new_from_names(m_context, &ruleNames, XKB_KEYMAP_COMPILE_NO_FLAGS); }