authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-08-16 18:14:14 -0700
committerUlrich Sibiller <uli42@gmx.de>2016-10-19 21:40:28 +0200
commit3cd82252610ac02483f776de95c9c771e71d8864 (patch)
treeb6264f23236cbd9c73d88767ad004897ba41482b
parentc22524d30e773048fad4c14e4636bb045e20439f (diff)
downloadnx-libs-3cd82252610ac02483f776de95c9c771e71d8864.tar.gz
nx-libs-3cd82252610ac02483f776de95c9c771e71d8864.tar.bz2
nx-libs-3cd82252610ac02483f776de95c9c771e71d8864.zip
Fix overflow checks in _XkbReadKeySyms when key_sym_map is already created
We were checking to make sure that the largest keysym value was within the range of the allocated buffer, but checking against different limits in the not-yet-allocated vs. the already-allocated branches. The check should be the same in both, and reflect the size used for the allocation, which is based on the maximum key code value, so we move it to be a common check, before we branch, instead of duplicating in each branch. map->key_sym_map is an array of XkbSymMapRec structs, [0..max_key_code] map->syms is the array for which num_syms is recorded, hence is not the right value to check for ensuring our key_sym_map accesses are in range. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reported-by: Barry Kauler <bkauler@gmail.com> Tested-by: Barry Kauler <bkauler@gmail.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/XKBGetMap.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c
index bfba747aa..529177858 100644
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -147,15 +147,16 @@ _XkbReadKeySyms(XkbReadBufferPtr buf,XkbDescPtr xkb,xkbGetMapReply *rep)
{
register int i;
XkbClientMapPtr map;
+int size = xkb->max_key_code + 1;
+
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
+ return BadLength;
map= xkb->map;
if (map->key_sym_map==NULL) {
register int offset;
- int size = xkb->max_key_code + 1;
XkbSymMapPtr oldMap;
xkbSymMapWireDesc *newMap;
- if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
- return BadLength;
map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec);
if (map->key_sym_map==NULL)
return BadAlloc;
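Review bot: The hoisted check in `_XkbReadKeySyms` bounds `firstKeySym + nKeySyms` by the current `xkb->max_key_code + 1`, but when `map->key_sym_map` is already allocated the array was sized wherever it was first created, which this hunk does not show. If `max_key_code` can be raised from a later reply before this function runs (presumably in the caller, to be confirmed), the check would pass for indexes past the existing allocation. The invariant the check relies on should be written down above it, for example `/* key_sym_map holds max_key_code + 1 entries; firstKeySym and nKeySyms come from the reply and must index inside it */`, and the code that updates `max_key_code` should be confirmed to resize or reject rather than leave a shorter array in place. The function body continues outside the hunk, so the later writes through `oldMap` could not be reviewed here.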
@@ -212,8 +213,6 @@ XkbClientMapPtr map;
KeySym * newSyms;
int tmp;
- if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms)
- return BadLength;
oldMap = &map->key_sym_map[rep->firstKeySym];
for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) {
newMap= (xkbSymMapWireDesc *)