unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]

If the X server returns key indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]
e27df807 · Alan Coopersmith · Ulrich Sibiller · 7564bf7e · e27df807
Commit e27df807 authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

XKBGetMap.c nx-X11/lib/X11/XKBGetMap.c +5 -1

No files found.
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -363,8 +363,10 @@ register int i;
 unsigned char *wire;

    if ( rep->totalKeyExplicit>0 ) {
+	int size = xkb->max_key_code + 1;
+	if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size)
+	    return BadLength;
 	if ( xkb->server->explicit == NULL ) {
-	    int size = xkb->max_key_code+1;
 	    xkb->server->explicit = _XkbTypedCalloc(size,unsigned char);
 	    if (xkb->server->explicit==NULL)
 		return BadAlloc;
@@ -378,6 +380,8 @@ unsigned char *wire;
 	if (!wire)
 	    return BadLength;
 	for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) {
+	    if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+		return BadLength;
 	    xkb->server->explicit[wire[0]]= wire[1];
 	}
    }