Date: Sun, 15 Feb 2026 18:34:18 +0100
From: Alexey Gladkov
To: Krdyan Areg
Cc: kbd@lists.linux.dev
Subject: Re: [PATCH 1/4] libkeymap: prevent NULL dereference in parser
In-Reply-To: <20260214172813.1075064-1-areg.krdian@gmail.com>

On Sat, Feb 14, 2026 at 08:27:30PM +0300, Krdyan Areg wrote: > The parser accesses ctx->key_line array elements without checking if > lk_array_get() returns NULL, which can lead to crashes. > > Add NULL checks before dereferencing array values. > > Signed-off-by: Krdyan Areg areg.krdian@gmail.com > --- > src/libkeymap/parser.y | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/libkeymap/parser.y b/src/libkeymap/parser.y > index 2cd509f..a87fb54 100644 > --- a/src/libkeymap/parser.y > +++ b/src/libkeymap/parser.y > @@ -320,6 +320,9 @@ singleline : KEYCODE NUMBER EQUALS rvalue0 EOL > > if (i < ctx->key_line->count) { > val = lk_array_get(ctx->key_line, i); > + if (!val) > + YYERROR; > + I do not think this change is needed right now. In these parser paths, lk_array_get() is used with indices bounded by ctx->key_line->count, and count is built only through lk_array_append(). I already fixed in master the real failure by checking lk_array_append() and aborting on OOM. So this patch mostly adds defensive checks for an internal-corruption scenario, rather than fixing a practical bug in normal execution. > keycode = *val; > }
> > @@ -338,7 +341,7 @@ singleline : KEYCODE NUMBER EQUALS rvalue0 EOL > for (i = 0; i < ctx->key_line->count; i++) { > val = lk_array_get(ctx->key_line, i); > > - if (lk_add_key(ctx, i, $2, *val) < 0) > + if (!val || lk_add_key(ctx, i, $2, *val) < 0) > YYERROR; > } > } > -- > 2.52.0 > -- Rgrds, legion
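Review bot: In the first hunk (@@ -320), the new `if (!val) YYERROR;` sits inside `if (i < ctx->key_line->count)`, so the index is already in range, and nothing in the hunk says when lk_array_get() could still return NULL at that point. Add a comment naming the case being guarded, and report an error before YYERROR, since the visible lines abort the parse without emitting any diagnostic.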
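Review bot: In the second hunk (@@ -338), `!val || lk_add_key(ctx, i, $2, *val) < 0` folds the NULL-slot case into the lk_add_key() failure path, so the two causes cannot be told apart, and it is written differently from the separate `if (!val)` check in the first hunk. Split it into its own check before the call, matching the first hunk. The loop is bounded by `i < ctx->key_line->count`, so a short comment should state which condition would leave an in-range slot NULL.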