summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 11:04:44 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:51 -0700
commit4d7c422a37eb9617fb22f8e37527c2b34b105665 (patch)
tree1c2ee0c7218ea05cdf6db046d1278743ee53ea64
parente56a2ada719c5cfac5ed61a52a80ade86c0f5957 (diff)
unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]
If the X server returns key indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r--src/xkb/XKBGetMap.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index a68455bd..ea77f2a3 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -362,8 +362,10 @@ register int i;
unsigned char *wire;
if ( rep->totalKeyExplicit>0 ) {
+ int size = xkb->max_key_code + 1;
+ if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size)
+ return BadLength;
if ( xkb->server->explicit == NULL ) {
- int size = xkb->max_key_code+1;
xkb->server->explicit = _XkbTypedCalloc(size,unsigned char);
if (xkb->server->explicit==NULL)
return BadAlloc;
@@ -377,6 +379,8 @@ unsigned char *wire;
if (!wire)
return BadLength;
for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) {
+ if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+ return BadLength;
xkb->server->explicit[wire[0]]= wire[1];
}
}