From e56a2ada719c5cfac5ed61a52a80ade86c0f5957 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 10:51:51 -0800
Subject: unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]

If the X server returns modifier map indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
---
 src/xkb/XKBGetMap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index af93a5cb..a68455bd 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -390,6 +390,9 @@ register int i;
 unsigned char *wire;
 
     if ( rep->totalModMapKeys>0 ) {
+	if ( ((int)rep->firstModMapKey + rep->nModMapKeys) >
+	     (xkb->max_key_code + 1))
+	    return BadLength;
 	if ((xkb->map->modmap==NULL)&&
 	    (XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) {
 	    return BadAlloc;
@@ -402,6 +405,8 @@ unsigned char *wire;
 	if (!wire)
 	    return BadLength;
 	for (i=0;i<rep->totalModMapKeys;i++,wire+=2) {
+	    if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+		return BadLength;
 	    xkb->map->modmap[wire[0]]= wire[1];
 	}
     }
-- 
cgit v1.2.3