diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-01 22:49:01 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:51 -0700 |
commit | f293659d5a4024bda386305bb7ebeb4647c40934 (patch) | |
tree | 8351500c62568696d314bd77da4b75be17c76a25 | |
parent | cddc4e7e3cb4b9b7ad25f8591971a86901c249f2 (diff) |
unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]
If the X server returns more buttons than are allocated in the XKB
device info structures, out of bounds writes could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/xkb/XKBExtDev.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/xkb/XKBExtDev.c b/src/xkb/XKBExtDev.c index 353e769b..dd383bc1 100644 --- a/src/xkb/XKBExtDev.c +++ b/src/xkb/XKBExtDev.c @@ -181,6 +181,9 @@ int tmp; return tmp; } if (rep->nBtnsWanted>0) { + if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted) + >= devi->num_btns) + goto BAILOUT; act= &devi->btn_acts[rep->firstBtnWanted]; bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction))); } @@ -190,6 +193,9 @@ int tmp; goto BAILOUT; if (rep->nBtnsRtrn>0) { int size; + if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn) + >= devi->num_btns) + goto BAILOUT; act= &devi->btn_acts[rep->firstBtnRtrn]; size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc); if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size)) |