unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]

If the X server returns color indexes outside the range of the number of colors it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]
e6fbdea8 · Alan Coopersmith · Ulrich Sibiller · 0445730b · e6fbdea8
Commit e6fbdea8 authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

XKBGeom.c nx-X11/lib/X11/XKBGeom.c +3 -0

No files found.
--- a/nx-X11/lib/X11/XKBGeom.c
+++ b/nx-X11/lib/X11/XKBGeom.c
@@ -619,6 +619,9 @@ XkbGeometryPtr	geom;
 	    if (status==Success)
 		status= _XkbReadGeomKeyAliases(&buf,geom,rep);
 	    left= _XkbFreeReadBuffer(&buf);
+	    if ((rep->baseColorNdx > geom->num_colors) ||
+		(rep->labelColorNdx > geom->num_colors))
+		status = BadLength;
 	    if ((status!=Success) || left || buf.error) {
 		if (status==Success)
 		    status= BadLength;