unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]

If the X server returns key action indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-03-02 09:40:22 -0800
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-09 18:59:51 -0700
commit: 00626c3830b869259098985afa38933d77ccec72 (patch)
tree: e46487c7676e02b1314ff46eded1835447d1567f
parent: fd7d4956bc7a1c4b5c38661b12777ebee4d685d9 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 4a428d3a..86ecf9db 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -269,6 +269,10 @@ Status		ret = Success;
 	symMap = &info->map->key_sym_map[rep->firstKeyAct];
 	for (i=0;i<(int)rep->nKeyActs;i++,symMap++) {
 	    if (numDesc[i]==0) {
+		if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) {
+		    ret = BadLength;
+		    goto done;
+		}
 		info->server->key_acts[i+rep->firstKeyAct]= 0;
 	    }
 	    else {
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-03-02 09:40:22 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-09 18:59:51 -0700
commit	00626c3830b869259098985afa38933d77ccec72 (patch)
tree	e46487c7676e02b1314ff46eded1835447d1567f
parent	fd7d4956bc7a1c4b5c38661b12777ebee4d685d9 (diff)