summaryrefslogtreecommitdiff
path: root/src/xkb/XKBGetMap.c
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 10:39:21 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:51 -0700
commit06c086e8a1d8374ea9a95ff989f053c96bb1bdca (patch)
tree786fdfca5c3fd6f80cc2801610fe566e5b9d7882 /src/xkb/XKBGetMap.c
parent00626c3830b869259098985afa38933d77ccec72 (diff)
unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]
If the X server returns key behavior indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Diffstat (limited to 'src/xkb/XKBGetMap.c')
-rw-r--r--src/xkb/XKBGetMap.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 86ecf9db..af93a5cb 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -305,8 +305,10 @@ register int i;
xkbBehaviorWireDesc *wire;
if ( rep->totalKeyBehaviors>0 ) {
+ int size = xkb->max_key_code + 1;
+ if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size)
+ return BadLength;
if ( xkb->server->behaviors == NULL ) {
- int size = xkb->max_key_code+1;
xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior);
if (xkb->server->behaviors==NULL)
return BadAlloc;
@@ -318,7 +320,7 @@ xkbBehaviorWireDesc *wire;
for (i=0;i<rep->totalKeyBehaviors;i++) {
wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf,
SIZEOF(xkbBehaviorWireDesc));
- if (wire==NULL)
+ if (wire==NULL || wire->key >= size)
return BadLength;
xkb->server->behaviors[wire->key].type= wire->type;
xkb->server->behaviors[wire->key].data= wire->data;