xkb: fix off-by-one in _XkbReadGetNamesReply and _XkbReadVirtualModMap

The size of the arrays is max_key_code + 1. This makes these functions consistent with the other checks added for CVE-2013-1997. Also check the XkbGetNames reply when names->keys was just allocated. Signed-off-by: Julien Cristau <jcristau@debian.org> Tested-by: Colin Walters <walters@verbum.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Julien Cristau <jcristau@debian.org> 2013-05-23 20:39:46 +0200
committer: Julien Cristau <jcristau@debian.org> 2013-05-23 20:39:46 +0200
commit: a3bdd2b090915fe0163b062f0e6576fe05dd332e (patch)
tree: 83ec620f37a2afed8fa24b592a8294453b34b95c /src
parent: 7e30056e78e4b7979ff47f102e00327617266019 (diff)
2 files changed, 2 insertions, 2 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 0875dfd0..c73e655a 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -428,3 +428,3 @@ XkbServerMapPtr		srv;
 	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
-	     > xkb->max_key_code)
+	     > xkb->max_key_code + 1)
 	    return BadLength;
diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
index 0f1e48e5..3a8860be 100644
--- a/src/xkb/XKBNames.c
+++ b/src/xkb/XKBNames.c
@@ -182,3 +182,3 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	}
-	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
 	    goto BAILOUT;
author	Julien Cristau <jcristau@debian.org>	2013-05-23 20:39:46 +0200
committer	Julien Cristau <jcristau@debian.org>	2013-05-23 20:39:46 +0200
commit	a3bdd2b090915fe0163b062f0e6576fe05dd332e (patch)
tree	83ec620f37a2afed8fa24b592a8294453b34b95c /src
parent	7e30056e78e4b7979ff47f102e00327617266019 (diff)