diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 09:18:26 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:51 -0700 |
commit | 59ae16a00d18588e98af57d26e442af8ea42b7aa (patch) | |
tree | 3417c3578a92836ed9aecacf1cfc58862b6b6b3a | |
parent | bff938b9fe1629cbacb726509edfa2a3840b7207 (diff) |
unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]
If the X server returns color indexes outside the range of the number of
colors it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/xkb/XKBGeom.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/xkb/XKBGeom.c b/src/xkb/XKBGeom.c index 4ad21f85..7140a724 100644 --- a/src/xkb/XKBGeom.c +++ b/src/xkb/XKBGeom.c @@ -619,6 +619,9 @@ XkbGeometryPtr geom; if (status==Success) status= _XkbReadGeomKeyAliases(&buf,geom,rep); left= _XkbFreeReadBuffer(&buf); + if ((rep->baseColorNdx > geom->num_colors) || + (rep->labelColorNdx > geom->num_colors)) + status = BadLength; if ((status!=Success) || left || buf.error) { if (status==Success) status= BadLength; |