unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]

If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]
7564bf7e · Alan Coopersmith · Ulrich Sibiller · 8f2c0508 · 7564bf7e
Commit 7564bf7e authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

XKBGetMap.c nx-X11/lib/X11/XKBGetMap.c +5 -0

No files found.
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -391,6 +391,9 @@ register int i;
 unsigned char *wire;

    if ( rep->totalModMapKeys>0 ) {
+	if ( ((int)rep->firstModMapKey + rep->nModMapKeys) >
+	     (xkb->max_key_code + 1))
+	    return BadLength;
 	if ((xkb->map->modmap==NULL)&&
 	    (XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) {
 	    return BadAlloc;
@@ -403,6 +406,8 @@ unsigned char *wire;
 	if (!wire)
 	    return BadLength;
 	for (i=0;i<rep->totalModMapKeys;i++,wire+=2) {
+	    if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+		return BadLength;
 	    xkb->map->modmap[wire[0]]= wire[1];
 	}
    }