unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]

If the X server returns keymap indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]
5dae1d3f · Alan Coopersmith · Ulrich Sibiller · e6fbdea8 · 5dae1d3f
Commit 5dae1d3f authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

XKBGetMap.c nx-X11/lib/X11/XKBGetMap.c +6 -1

No files found.
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -152,9 +152,12 @@ XkbClientMapPtr	map;
    map= xkb->map;
    if (map->key_sym_map==NULL) {
 	register int offset;
+	int size = xkb->max_key_code + 1;
 	XkbSymMapPtr	oldMap;
 	xkbSymMapWireDesc *newMap;
-	map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec);
+	if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
+	    return BadLength;
+	map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec);
 	if (map->key_sym_map==NULL)
 	    return BadAlloc;
 	if (map->syms==NULL) {
@@ -210,6 +213,8 @@ XkbClientMapPtr	map;
 	KeySym *		newSyms;
 	int			tmp;

+	if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms)
+	    return BadLength;
 	oldMap = &map->key_sym_map[rep->firstKeySym];
 	for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) {
 	    newMap= (xkbSymMapWireDesc *)