diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 11:11:08 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:52 -0700 |
commit | de2e6c322c4aca22856b380f67f8e488e7510015 (patch) | |
tree | ca3c884707d5ad87d2051ba68860611288d2c22b | |
parent | 2df882eeb3a70256170127a746a9ba26376599a1 (diff) |
unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]
If the X server returns key name indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/xkb/XKBNames.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c index 0276c05b..0f1e48e5 100644 --- a/src/xkb/XKBNames.c +++ b/src/xkb/XKBNames.c @@ -180,6 +180,8 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); } + else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code) + goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf, (char *)&names->keys[rep->firstKey], |