From 4d7c422a37eb9617fb22f8e37527c2b34b105665 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 11:04:44 -0800
Subject: unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997
 9/15]

If the X server returns key indexes outside the range of the number of
keys it told us to allocate, out of bounds memory writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
---
 src/xkb/XKBGetMap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src/xkb/XKBGetMap.c')

diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index a68455bd..ea77f2a3 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -362,8 +362,10 @@ register int i;
 unsigned char *wire;
 
     if ( rep->totalKeyExplicit>0 ) {
+	int size = xkb->max_key_code + 1;
+	if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size)
+	    return BadLength;
 	if ( xkb->server->explicit == NULL ) {
-	    int size = xkb->max_key_code+1;
 	    xkb->server->explicit = _XkbTypedCalloc(size,unsigned char);
 	    if (xkb->server->explicit==NULL)
 		return BadAlloc;
@@ -377,6 +379,8 @@ unsigned char *wire;
 	if (!wire)
 	    return BadLength;
 	for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) {
+	    if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+		return BadLength;
 	    xkb->server->explicit[wire[0]]= wire[1];
 	}
     }
-- 
cgit v1.2.3