unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]

If the X server returns color indexes outside the range of the number of colors it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-03-02 09:18:26 -0800
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-09 18:59:51 -0700
commit: 59ae16a00d18588e98af57d26e442af8ea42b7aa (patch)
tree: 3417c3578a92836ed9aecacf1cfc58862b6b6b3a
parent: bff938b9fe1629cbacb726509edfa2a3840b7207 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/xkb/XKBGeom.c b/src/xkb/XKBGeom.c
index 4ad21f85..7140a724 100644
--- a/src/xkb/XKBGeom.c
+++ b/src/xkb/XKBGeom.c
@@ -619,6 +619,9 @@ XkbGeometryPtr	geom;
 	    if (status==Success)
 		status= _XkbReadGeomKeyAliases(&buf,geom,rep);
 	    left= _XkbFreeReadBuffer(&buf);
+	    if ((rep->baseColorNdx > geom->num_colors) ||
+		(rep->labelColorNdx > geom->num_colors))
+		status = BadLength;
 	    if ((status!=Success) || left || buf.error) {
 		if (status==Success)
 		    status= BadLength;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-03-02 09:18:26 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-09 18:59:51 -0700
commit	59ae16a00d18588e98af57d26e442af8ea42b7aa (patch)
tree	3417c3578a92836ed9aecacf1cfc58862b6b6b3a
parent	bff938b9fe1629cbacb726509edfa2a3840b7207 (diff)