summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJulien Cristau <jcristau@debian.org>2013-05-23 18:39:46 (GMT)
committerJulien Cristau <jcristau@debian.org>2013-05-23 18:39:46 (GMT)
commita3bdd2b090915fe0163b062f0e6576fe05dd332e (patch)
tree83ec620f37a2afed8fa24b592a8294453b34b95c /src
parent7e30056e78e4b7979ff47f102e00327617266019 (diff)
xkb: fix off-by-one in _XkbReadGetNamesReply and _XkbReadVirtualModMap
The size of the arrays is max_key_code + 1. This makes these functions consistent with the other checks added for CVE-2013-1997. Also check the XkbGetNames reply when names->keys was just allocated. Signed-off-by: Julien Cristau <jcristau@debian.org> Tested-by: Colin Walters <walters@verbum.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r--src/xkb/XKBGetMap.c2
-rw-r--r--src/xkb/XKBNames.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 0875dfd..c73e655 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -426,7 +426,7 @@ XkbServerMapPtr srv;
if ( rep->totalVModMapKeys>0 ) {
if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
- > xkb->max_key_code)
+ > xkb->max_key_code + 1)
return BadLength;
if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
(XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
index 0f1e48e..3a8860b 100644
--- a/src/xkb/XKBNames.c
+++ b/src/xkb/XKBNames.c
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy,
nKeys= xkb->max_key_code+1;
names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
}
- else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+ if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
goto BAILOUT;
if (names->keys!=NULL) {
if (!_XkbCopyFromReadBuffer(&buf,