From de2e6c322c4aca22856b380f67f8e488e7510015 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 11:11:08 -0800
Subject: unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997
 11/15]

If the X server returns key name indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
---
 src/xkb/XKBNames.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
index 0276c05b..0f1e48e5 100644
--- a/src/xkb/XKBNames.c
+++ b/src/xkb/XKBNames.c
@@ -180,6 +180,8 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
+	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,
 					(char *)&names->keys[rep->firstKey],
-- 
cgit v1.2.1