unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]

If the X server returns more buttons than are allocated in the XKB
device info structures, out of bounds writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

1 files changed, 6 insertions, 0 deletions

diff --git a/nx-X11/lib/X11/XKBExtDev.c b/nx-X11/lib/X11/XKBExtDev.c
index de5570337..47b94a3aa 100644
--- a/nx-X11/lib/X11/XKBExtDev.c
+++ b/nx-X11/lib/X11/XKBExtDev.c
@@ -181,6 +181,9 @@ int			tmp;
 	    return tmp;
     }
     if (rep->nBtnsWanted>0) {
+	if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted)
+	    >= devi->num_btns)
+	    goto BAILOUT;
 	act= &devi->btn_acts[rep->firstBtnWanted];
 	bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction)));
     }
@@ -190,6 +193,9 @@ int			tmp;
 	goto BAILOUT;
     if (rep->nBtnsRtrn>0) {
 	int size;
+	if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn)
+	    >= devi->num_btns)
+	    goto BAILOUT;
 	act= &devi->btn_acts[rep->firstBtnRtrn];
 	size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc);
 	if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size))