From 06c086e8a1d8374ea9a95ff989f053c96bb1bdca Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 10:39:21 -0800
Subject: unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]

If the X server returns key behavior indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
---
 src/xkb/XKBGetMap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/xkb/XKBGetMap.c')

diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 86ecf9db..af93a5cb 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -305,8 +305,10 @@ register int i;
 xkbBehaviorWireDesc	*wire;
 
     if ( rep->totalKeyBehaviors>0 ) {
+	int size = xkb->max_key_code + 1;
+	if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size)
+	    return BadLength;
 	if ( xkb->server->behaviors == NULL ) {
-	    int size = xkb->max_key_code+1;
 	    xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior);
 	    if (xkb->server->behaviors==NULL)
 		return BadAlloc;
@@ -318,7 +320,7 @@ xkbBehaviorWireDesc	*wire;
 	for (i=0;i<rep->totalKeyBehaviors;i++) {
 	    wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf,
 						SIZEOF(xkbBehaviorWireDesc));
-	    if (wire==NULL)
+	    if (wire==NULL || wire->key >= size)
 		return BadLength;
 	    xkb->server->behaviors[wire->key].type= wire->type;
 	    xkb->server->behaviors[wire->key].data= wire->data;
-- 
cgit v1.2.3