diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 09:40:22 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:51 -0700 |
commit | 00626c3830b869259098985afa38933d77ccec72 (patch) | |
tree | e46487c7676e02b1314ff46eded1835447d1567f | |
parent | fd7d4956bc7a1c4b5c38661b12777ebee4d685d9 (diff) |
unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]
If the X server returns key action indexes outside the range of the number
of keys it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/xkb/XKBGetMap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c index 4a428d3a..86ecf9db 100644 --- a/src/xkb/XKBGetMap.c +++ b/src/xkb/XKBGetMap.c @@ -269,6 +269,10 @@ Status ret = Success; symMap = &info->map->key_sym_map[rep->firstKeyAct]; for (i=0;i<(int)rep->nKeyActs;i++,symMap++) { if (numDesc[i]==0) { + if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) { + ret = BadLength; + goto done; + } info->server->key_acts[i+rep->firstKeyAct]= 0; } else { |