diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 09:18:26 -0800 |
|---|---|---|
| committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:39 +0200 |
| commit | e6fbdea84a23ab88ff1ec98ba179273cab09adfb (patch) | |
| tree | 35ec3f6f78e22a67efc027e6ff5530c63e0cc38c | |
| parent | 0445730b1396dd21c4908373599c7197c0bfc5a6 (diff) | |
| download | nx-libs-e6fbdea84a23ab88ff1ec98ba179273cab09adfb.tar.gz nx-libs-e6fbdea84a23ab88ff1ec98ba179273cab09adfb.tar.bz2 nx-libs-e6fbdea84a23ab88ff1ec98ba179273cab09adfb.zip | |
unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]
If the X server returns color indexes outside the range of the number of
colors it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| -rw-r--r-- | nx-X11/lib/X11/XKBGeom.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/nx-X11/lib/X11/XKBGeom.c b/nx-X11/lib/X11/XKBGeom.c index b145e7eda..1f9628bea 100644 --- a/nx-X11/lib/X11/XKBGeom.c +++ b/nx-X11/lib/X11/XKBGeom.c @@ -619,6 +619,9 @@ XkbGeometryPtr geom; if (status==Success) status= _XkbReadGeomKeyAliases(&buf,geom,rep); left= _XkbFreeReadBuffer(&buf); + if ((rep->baseColorNdx > geom->num_colors) || + (rep->labelColorNdx > geom->num_colors)) + status = BadLength; if ((status!=Success) || left || buf.error) { if (status==Success) status= BadLength; |