From 4f527b0923facd0a0f262f8211fe2adc1fdd539b Mon Sep 17 00:00:00 2001 From: thereisnotime <37583483+thereisnotime@users.noreply.github.com> Date: Sun, 12 Jul 2026 16:02:28 +0300 Subject: [PATCH] connection: guard surrounding_text against out-of-bounds cursor/anchor The compositor's cursor and anchor byte offsets are passed straight into QString::fromUtf8 as lengths with no validation. A bogus offset larger than the text (KWin on Plasma 6 sends values like 6881396) makes fromUtf8 read past the end of the buffer and segfault, which is the frequent maliit-keyboard crash in maliit/keyboard#262. Clamp cursor and anchor to the text length before use. --- connection/waylandinputmethodconnection.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/connection/waylandinputmethodconnection.cpp b/connection/waylandinputmethodconnection.cpp index 25e6fbfa..bebc177a 100644 --- a/connection/waylandinputmethodconnection.cpp +++ b/connection/waylandinputmethodconnection.cpp @@ -596,6 +596,14 @@ void InputMethodContext::zwp_input_method_context_v1_surrounding_text(const QStr const QByteArray &utf8_text(text.toUtf8()); + // cursor and anchor are byte offsets supplied by the compositor and cannot be + // trusted: a bogus value larger than the text (seen in the wild as e.g. 6881396) + // makes the QString::fromUtf8 calls below read past the end of utf8_text and + // crash. Clamp them to the actual length before using them as offsets/lengths. + const uint32_t utf8_len = static_cast(utf8_text.size()); + cursor = qMin(cursor, utf8_len); + anchor = qMin(anchor, utf8_len); + m_stateInfo[SurroundingTextAttribute] = text; m_stateInfo[CursorPositionAttribute] = QString::fromUtf8(utf8_text.constData(), cursor).size(); m_stateInfo[AnchorPositionAttribute] = QString::fromUtf8(utf8_text.constData(), anchor).size();