summaryrefslogtreecommitdiff
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 17:28:33 (GMT)
committer Alan Coopersmith <alan.coopersmith@oracle.com>2013-05-10 01:59:51 (GMT)
commitfd7d4956bc7a1c4b5c38661b12777ebee4d685d9 (patch) (side-by-side diff)
tree2ac73470b8e9ec032671579deae78b9a5f0d18a4
parent59ae16a00d18588e98af57d26e442af8ea42b7aa (diff)
downloadlibX11-fd7d4956bc7a1c4b5c38661b12777ebee4d685d9.zip
libX11-fd7d4956bc7a1c4b5c38661b12777ebee4d685d9.tar.gz
unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]
If the X server returns keymap indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--src/xkb/XKBGetMap.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 30fb629..4a428d3 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -151,9 +151,12 @@ XkbClientMapPtr map;
map= xkb->map;
if (map->key_sym_map==NULL) {
register int offset;
+ int size = xkb->max_key_code + 1;
XkbSymMapPtr oldMap;
xkbSymMapWireDesc *newMap;
- map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec);
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
+ return BadLength;
+ map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec);
if (map->key_sym_map==NULL)
return BadAlloc;
if (map->syms==NULL) {
@@ -209,6 +212,8 @@ XkbClientMapPtr map;
KeySym * newSyms;
int tmp;
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms)
+ return BadLength;
oldMap = &map->key_sym_map[rep->firstKeySym];
for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) {
newMap= (xkbSymMapWireDesc *)