unvalidated index in _XkbReadVirtualModMap() [CVE-2013-1997 10/15]

If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated index in _XkbReadVirtualModMap() [CVE-2013-1997 10/15]
e6d8856e · Alan Coopersmith · Ulrich Sibiller · e27df807 · e6d8856e
Commit e6d8856e authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

XKBGetMap.c nx-X11/lib/X11/XKBGetMap.c +3 -0

No files found.
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -426,6 +426,9 @@ xkbVModMapWireDesc *	wire;
 XkbServerMapPtr		srv;

    if ( rep->totalVModMapKeys>0 ) {
+	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
+	     > xkb->max_key_code)
+	    return BadLength;
 	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
 	    (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
 	    return BadAlloc;