unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]

If the X server returns more buttons than are allocated in the XKB device info structures, out of bounds writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]
b0695260 · Alan Coopersmith · Ulrich Sibiller · 2a1fbb18 · b0695260
Commit b0695260 authored Mar 01, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

XKBExtDev.c nx-X11/lib/X11/XKBExtDev.c +6 -0

No files found.
--- a/nx-X11/lib/X11/XKBExtDev.c
+++ b/nx-X11/lib/X11/XKBExtDev.c
@@ -181,6 +181,9 @@ int			tmp;
 	    return tmp;
    }
    if (rep->nBtnsWanted>0) {
+	if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted)
+	    >= devi->num_btns)
+	    goto BAILOUT;
 	act= &devi->btn_acts[rep->firstBtnWanted];
 	bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction)));
    }
@@ -190,6 +193,9 @@ int			tmp;
 	goto BAILOUT;
    if (rep->nBtnsRtrn>0) {
 	int size;
+	if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn)
+	    >= devi->num_btns)
+	    goto BAILOUT;
 	act= &devi->btn_acts[rep->firstBtnRtrn];
 	size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc);
 	if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size))