diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 09:28:33 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:51 -0700 |
commit | fd7d4956bc7a1c4b5c38661b12777ebee4d685d9 (patch) | |
tree | 2ac73470b8e9ec032671579deae78b9a5f0d18a4 | |
parent | 59ae16a00d18588e98af57d26e442af8ea42b7aa (diff) |
unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]
If the X server returns keymap indexes outside the range of the number of
keys it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/xkb/XKBGetMap.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c index 30fb6297..4a428d3a 100644 --- a/src/xkb/XKBGetMap.c +++ b/src/xkb/XKBGetMap.c @@ -148,15 +148,18 @@ _XkbReadKeySyms(XkbReadBufferPtr buf,XkbDescPtr xkb,xkbGetMapReply *rep) register int i; XkbClientMapPtr map; map= xkb->map; if (map->key_sym_map==NULL) { register int offset; + int size = xkb->max_key_code + 1; XkbSymMapPtr oldMap; xkbSymMapWireDesc *newMap; - map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec); + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size) + return BadLength; + map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec); if (map->key_sym_map==NULL) return BadAlloc; if (map->syms==NULL) { int sz; sz= (rep->totalSyms*12)/10; sz= ((sz+(unsigned)128)/128)*128; @@ -206,12 +209,14 @@ XkbClientMapPtr map; else { xkbSymMapWireDesc * newMap; XkbSymMapPtr oldMap; KeySym * newSyms; int tmp; + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) + return BadLength; oldMap = &map->key_sym_map[rep->firstKeySym]; for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) { newMap= (xkbSymMapWireDesc *) _XkbGetReadBufferPtr(buf,SIZEOF(xkbSymMapWireDesc)); if (newMap==NULL) return BadLength; |