authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 09:28:33 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commit5dae1d3f4bcbc1a5c3869e04bdbdd0c7198bd3c7 (patch)
treed44c0eba9f9f89863f4bcfd90a05c12371757f06
parente6fbdea84a23ab88ff1ec98ba179273cab09adfb (diff)
unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]
If the X server returns keymap indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/XKBGetMap.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c
index a38907671..440cc818d 100644
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -152,9 +152,12 @@ XkbClientMapPtr map;
map= xkb->map;
if (map->key_sym_map==NULL) {
register int offset;
+ int size = xkb->max_key_code + 1;
XkbSymMapPtr oldMap;
xkbSymMapWireDesc *newMap;
- map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec);
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
+ return BadLength;
+ map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec);
if (map->key_sym_map==NULL)
return BadAlloc;
if (map->syms==NULL) {
@@ -210,6 +213,8 @@ XkbClientMapPtr map;
KeySym * newSyms;
int tmp;
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms)
+ return BadLength;
oldMap = &map->key_sym_map[rep->firstKeySym];
for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) {
newMap= (xkbSymMapWireDesc *)
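Review bot: The guard added before `oldMap = &map->key_sym_map[rep->firstKeySym]` bounds a key index by `map->num_syms`, while the first hunk bounds the same array by `xkb->max_key_code + 1`, the size it is allocated with there. If `num_syms` counts entries of `map->syms` rather than keys (its name suggests so, but its definition is not visible here), a server reply can pass this check while `firstKeySym + nKeySyms` still runs past the end of `key_sym_map`. Assuming a pre-existing `key_sym_map` has the same size as a freshly allocated one, I would use the key count in this branch too: `if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > xkb->max_key_code + 1) return BadLength;`. The loop that walks `oldMap` continues outside the hunk, so whether the per-key symbol offsets are bounded separately should be confirmed there.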