From 08414410f71d66deb7c6ce6c2d985a3884945f70 Mon Sep 17 00:00:00 2001
From: Anonymous
Date: Fri, 8 May 2026 21:22:28 +0200
Subject: [PATCH] Fix heap overflow in Razer SetupZones when KLM overlay expands grid

KLM overlay opcodes (INSERT_SHIFT_RIGHT etc.) can expand the key grid beyond the zone's declared height/width. GetKeyMap writes up to max(declared, actual)^2 entries but the map buffer was only allocated for declared^2, causing a heap overflow and crash on affected devices (e.g. Razer Blade 15 Late 2021 Advanced). Reallocate the map buffer to the actual KLM dimensions before calling GetKeyMap. new_map height/width intentionally remain at the declared values so the HID packet structure is unchanged.
---
 .../RazerController/RGBController_Razer.cpp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/Controllers/RazerController/RazerController/RGBController_Razer.cpp b/Controllers/RazerController/RazerController/RGBController_Razer.cpp
index abda18dc0..dc994bcdb 100644
--- a/Controllers/RazerController/RazerController/RGBController_Razer.cpp
+++ b/Controllers/RazerController/RazerController/RGBController_Razer.cpp
@@ -221,9 +221,21 @@ void RGBController_Razer::SetupZones()
     new_kb.ChangeKeys(*temp);
     /*---------------------------------------------------------*\
-    | Matrix map still uses declared zone rows and columns     |
-    | as the packet structure depends on the matrix map        |
+    | KLM overlay insertions can expand the key grid beyond the |
+    | declared zone dimensions. Reallocate the map buffer to    |
+    | the actual KLM dimensions to prevent a heap overflow.     |
+    | new_map height/width stay at declared values so the HID   |
+    | packet structure (which depends on them) is unchanged.    |
     \*---------------------------------------------------------*/
+    unsigned int map_height = std::max((unsigned int)new_map->height, new_kb.GetRowCount());
+    unsigned int map_width = std::max((unsigned int)new_map->width, new_kb.GetColumnCount());
+
+    if(map_height * map_width > (unsigned int)new_map->height * new_map->width)
+    {
+        delete[] new_map->map;
+        new_map->map = new unsigned int[map_height * map_width];
+    }
+
     new_kb.GetKeyMap(new_map->map, KEYBOARD_MAP_FILL_TYPE_INDEX, new_map->height, new_map->width);
 }
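Review bot: The replacement buffer on the `new_map->map = new unsigned int[map_height * map_width];` line is left uninitialized, so any slot that the following GetKeyMap call does not write holds an indeterminate value that later matrix-map lookups would treat as a real LED index; the hunk does not show whether GetKeyMap fills every slot, so value-initialize it, `new_map->map = new unsigned int[map_height * map_width]();`, or fill it with whatever sentinel the index fill type uses for empty positions. The `delete[]` on the line above it assumes the original buffer was allocated with `new[]` earlier in SetupZones, which begins outside the hunk — worth confirming and noting in the comment box, e.g. `| Replaces the new[] allocation made above for this zone. |`. As a point of style, the three `(unsigned int)` C-style casts would read more clearly as `static_cast<unsigned int>(...)`, which also makes the signed/unsigned intent of the comparison explicit.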