From 5f1631cb0e6f3544e9d13e7deb60ff3473a8a3f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Camilla=20L=C3=B6wy?=
Date: Wed, 15 Jan 2020 16:34:58 +0100
Subject: [PATCH] Check scancode before use in glfwGetKeyName
---
 README.md | 2 ++
 src/cocoa_window.m | 7 +++++++
 src/win32_window.c | 7 +++++++
 src/x11_window.c | 7 +++++++
 4 files changed, 23 insertions(+)
diff --git a/README.md b/README.md
index c4b57ad0..f1aaf849 100644
--- a/README.md
+++ b/README.md
@@ -142,6 +142,8 @@ information on what to include when reporting a bug.
 window (#1499)
 - [Win32] Bugfix: Disabled cursor mode interfered with some non-client actions
 - [Win32] Bugfix: Super key was not released after Win+V hotkey (#1622)
+ - [Win32] Bugfix: `glfwGetKeyName` could access out of bounds and return an
+ invalid pointer
 - [Cocoa] Added support for `VK_EXT_metal_surface` (#1619)
 - [Cocoa] Added locating the Vulkan loader at runtime in an application bundle
 - [Cocoa] Removed dependency on the CoreVideo framework
diff --git a/src/cocoa_window.m b/src/cocoa_window.m
index 2a24f812..e12b5cda 100644
--- a/src/cocoa_window.m
+++ b/src/cocoa_window.m
@@ -1516,6 +1516,13 @@ const char* _glfwPlatformGetScancodeName(int scancode)
 {
 @autoreleasepool {
+ if (scancode < 0 || scancode > 0xff ||
+ _glfw.ns.keycodes[scancode] == GLFW_KEY_UNKNOWN)
+ {
+ _glfwInputError(GLFW_INVALID_VALUE, "Invalid scancode");
+ return NULL;
+ }
+
 const int key = _glfw.ns.keycodes[scancode];
 UInt32 deadKeyState = 0;
diff --git a/src/win32_window.c b/src/win32_window.c
index d07a0203..f99fb7fb 100644
--- a/src/win32_window.c
+++ b/src/win32_window.c
@@ -2026,6 +2026,13 @@ void _glfwPlatformSetCursorMode(_GLFWwindow* window, int mode)
 const char* _glfwPlatformGetScancodeName(int scancode)
 {
+ if (scancode < 0 || scancode > (KF_EXTENDED | 0xff) ||
+ _glfw.win32.keycodes[scancode] == GLFW_KEY_UNKNOWN)
+ {
+ _glfwInputError(GLFW_INVALID_VALUE, "Invalid scancode");
+ return NULL;
+ }
+
 return _glfw.win32.keynames[_glfw.win32.keycodes[scancode]];
 }
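Review bot: The upper bound in the added guard is a hard-coded `0xff` (and `(KF_EXTENDED | 0xff)` in the win32_window.c hunk, `0xff` again in x11_window.c), so the check matches the `keycodes` tables only by convention; their declarations are not visible in this patch. Deriving the limit from the array itself, e.g. `scancode >= (int) (sizeof(_glfw.ns.keycodes) / sizeof(_glfw.ns.keycodes[0]))`, would keep the bounds check correct if a table is ever resized. This assumes `keycodes` is a true array member rather than a pointer, which should be confirmed against the platform header. The body of `_glfwPlatformGetScancodeName` continues past the end of the hunk.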
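Review bot: Nothing in the added guard in src/win32_window.c says that its second half, the `GLFW_KEY_UNKNOWN` comparison, is what keeps the `keynames[...]` lookup on the following `return` from being indexed with the unknown-key sentinel; a later cleanup could mistake it for an optional "unmapped key" convenience and drop it. A one-line comment above the `if` would pin that down: `// Reject unmapped scancodes too: GLFW_KEY_UNKNOWN must never be used to index keynames`. The same comment may be worth adding to the Cocoa and X11 hunks if `key` is used as an index further down, which is outside what the patch shows.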
diff --git a/src/x11_window.c b/src/x11_window.c
index 98388bd8..23dc89ad 100644
--- a/src/x11_window.c
+++ b/src/x11_window.c
@@ -2862,6 +2862,13 @@ const char* _glfwPlatformGetScancodeName(int scancode)
 if (!_glfw.x11.xkb.available) return NULL;
+ if (scancode < 0 || scancode > 0xff ||
+ _glfw.x11.keycodes[scancode] == GLFW_KEY_UNKNOWN)
+ {
+ _glfwInputError(GLFW_INVALID_VALUE, "Invalid scancode");
+ return NULL;
+ }
+
 const int key = _glfw.x11.keycodes[scancode];
 const KeySym keysym = XkbKeycodeToKeysym(_glfw.x11.display, scancode, _glfw.x11.xkb.group, 0);
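Review bot: The new range check sits after the `_glfw.x11.xkb.available` early return, so an out-of-range scancode is reported with `GLFW_INVALID_VALUE` only when XKB is present and otherwise produces a silent `NULL`. Moving the added `if` block above the availability test would make argument validation independent of runtime state and match the Cocoa and Win32 hunks, where the check precedes everything else in the function. If the silent path is intentional, a short comment such as `// Without XKB no name can be produced, so the scancode is not validated` would document it. The function continues beyond the hunk.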