unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]

If the X server returns key action indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]
4c19cd0c · Alan Coopersmith · Ulrich Sibiller · 5dae1d3f · 4c19cd0c
Commit 4c19cd0c authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

XKBGetMap.c nx-X11/lib/X11/XKBGetMap.c +4 -0

No files found.
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -270,6 +270,10 @@ Status		ret = Success;
 	symMap = &info->map->key_sym_map[rep->firstKeyAct];
 	for (i=0;i<(int)rep->nKeyActs;i++,symMap++) {
 	    if (numDesc[i]==0) {
+		if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) {
+		    ret = BadLength;
+		    goto done;
+		}
 		info->server->key_acts[i+rep->firstKeyAct]= 0;
 	    }
 	    else {