File U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch of Package xorg-x11-server

From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 11:49:34 +0100
Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms

The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.

Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
does.

CVE-2025-26596, ZDI-CAN-25543

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 xkb/xkb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Index: xwayland-22.1.5/xkb/xkb.c
===================================================================
--- xwayland-22.1.5.orig/xkb/xkb.c
+++ xwayland-22.1.5/xkb/xkb.c
@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMap
     len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
     symMap = &xkb->map->key_sym_map[rep->firstKeySym];
     for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
-        if (symMap->offset != 0) {
-            nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
-            nSyms += nSymsThisKey;
-        }
+        nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+        if (nSymsThisKey == 0)
+            continue;
+        nSyms += nSymsThisKey;
     }
     len += nSyms * 4;
     rep->totalSyms = nSyms;