unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]

If the X server returns key name indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]
0bf09b4b · Alan Coopersmith · Ulrich Sibiller · e6d8856e · 0bf09b4b
Commit 0bf09b4b authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

XKBNames.c nx-X11/lib/X11/XKBNames.c +2 -0

No files found.
--- a/nx-X11/lib/X11/XKBNames.c
+++ b/nx-X11/lib/X11/XKBNames.c
@@ -180,6 +180,8 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
+	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,
 					(char *)&names->keys[rep->firstKey],