diff options
author | Julien Cristau <jcristau@debian.org> | 2013-05-23 20:39:46 +0200 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2013-05-23 20:39:46 +0200 |
commit | a3bdd2b090915fe0163b062f0e6576fe05dd332e (patch) | |
tree | 83ec620f37a2afed8fa24b592a8294453b34b95c /src | |
parent | 7e30056e78e4b7979ff47f102e00327617266019 (diff) |
xkb: fix off-by-one in _XkbReadGetNamesReply and _XkbReadVirtualModMap
The size of the arrays is max_key_code + 1. This makes these functions
consistent with the other checks added for CVE-2013-1997.
Also check the XkbGetNames reply when names->keys was just allocated.
Signed-off-by: Julien Cristau <jcristau@debian.org>
Tested-by: Colin Walters <walters@verbum.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/xkb/XKBGetMap.c | 2 | ||||
-rw-r--r-- | src/xkb/XKBNames.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c index 0875dfd0..c73e655a 100644 --- a/src/xkb/XKBGetMap.c +++ b/src/xkb/XKBGetMap.c @@ -426,7 +426,7 @@ XkbServerMapPtr srv; if ( rep->totalVModMapKeys>0 ) { if (((int) rep->firstVModMapKey + rep->nVModMapKeys) - > xkb->max_key_code) + > xkb->max_key_code + 1) return BadLength; if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) { diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c index 0f1e48e5..3a8860be 100644 --- a/src/xkb/XKBNames.c +++ b/src/xkb/XKBNames.c @@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); } - else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code) + if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1) goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf, |