unvalidated indexes in _XkbReadGeomShapes() [CVE-2013-1997 3/15]

If the X server returns shape indexes outside the range of the number of shapes it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated indexes in _XkbReadGeomShapes() [CVE-2013-1997 3/15]
0445730b · Alan Coopersmith · Ulrich Sibiller · b0695260 · 0445730b
Commit 0445730b authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

XKBGeom.c nx-X11/lib/X11/XKBGeom.c +8 -4

No files found.
--- a/nx-X11/lib/X11/XKBGeom.c
+++ b/nx-X11/lib/X11/XKBGeom.c
@@ -364,12 +364,16 @@ Status	rtrn;
 	    }
 	    ol->num_points= olWire->nPoints;
 	}
-	if (shapeWire->primaryNdx!=XkbNoShape)
+	if ((shapeWire->primaryNdx!=XkbNoShape) &&
+	    (shapeWire->primaryNdx < shapeWire->nOutlines))
 	     shape->primary= &shape->outlines[shapeWire->primaryNdx];
-	else shape->primary= NULL;
-	if (shapeWire->approxNdx!=XkbNoShape)
+	else
+	    shape->primary= NULL;
+	if ((shapeWire->approxNdx!=XkbNoShape) &&
+	    (shapeWire->approxNdx < shapeWire->nOutlines))
 	     shape->approx= &shape->outlines[shapeWire->approxNdx];
-	else shape->approx= NULL;
+	else
+	    shape->approx= NULL;
 	XkbComputeShapeBounds(shape);
    }
    return Success;