unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]

If the X server returns key name indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-03-02 11:11:08 -0800
committer: Ulrich Sibiller <uli42@gmx.de> 2016-10-12 09:34:39 +0200
commit: 0bf09b4bb1e469f37b75a088b1a5ba093ab36252 (patch)
tree: a83e956afd96a9b60e3a69ce29490cb70eb90a84
parent: e6d8856ef465f9ab973026236df15d975e9cb069 (diff)
download: nx-libs-0bf09b4bb1e469f37b75a088b1a5ba093ab36252.tar.gz
nx-libs-0bf09b4bb1e469f37b75a088b1a5ba093ab36252.tar.bz2
nx-libs-0bf09b4bb1e469f37b75a088b1a5ba093ab36252.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/nx-X11/lib/X11/XKBNames.c b/nx-X11/lib/X11/XKBNames.c
index 04cd6f3e3..1f5207493 100644
--- a/nx-X11/lib/X11/XKBNames.c
+++ b/nx-X11/lib/X11/XKBNames.c
@@ -180,6 +180,8 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
+	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,
 					(char *)&names->keys[rep->firstKey],
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-03-02 11:11:08 -0800
committer	Ulrich Sibiller <uli42@gmx.de>	2016-10-12 09:34:39 +0200
commit	0bf09b4bb1e469f37b75a088b1a5ba093ab36252 (patch)
tree	a83e956afd96a9b60e3a69ce29490cb70eb90a84
parent	e6d8856ef465f9ab973026236df15d975e9cb069 (diff)
download	nx-libs-0bf09b4bb1e469f37b75a088b1a5ba093ab36252.tar.gz nx-libs-0bf09b4bb1e469f37b75a088b1a5ba093ab36252.tar.bz2 nx-libs-0bf09b4bb1e469f37b75a088b1a5ba093ab36252.zip