aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 22:49:01 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commitb06952603552dacb59a9808d4042bc18c48842bd (patch)
tree3fb534b3fc236b9aab3d5cf278c6eaf03d7d0f1d
parent2a1fbb1818bc56342e23e026004e0e7c4059cb6a (diff)
downloadnx-libs-b06952603552dacb59a9808d4042bc18c48842bd.tar.gz
nx-libs-b06952603552dacb59a9808d4042bc18c48842bd.tar.bz2
nx-libs-b06952603552dacb59a9808d4042bc18c48842bd.zip
unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]
If the X server returns more buttons than are allocated in the XKB device info structures, out of bounds writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/XKBExtDev.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/nx-X11/lib/X11/XKBExtDev.c b/nx-X11/lib/X11/XKBExtDev.c
index de5570337..47b94a3aa 100644
--- a/nx-X11/lib/X11/XKBExtDev.c
+++ b/nx-X11/lib/X11/XKBExtDev.c
@@ -181,6 +181,9 @@ int tmp;
return tmp;
}
if (rep->nBtnsWanted>0) {
+ if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted)
+ >= devi->num_btns)
+ goto BAILOUT;
act= &devi->btn_acts[rep->firstBtnWanted];
bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction)));
}
@@ -190,6 +193,9 @@ int tmp;
goto BAILOUT;
if (rep->nBtnsRtrn>0) {
int size;
+ if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn)
+ >= devi->num_btns)
+ goto BAILOUT;
act= &devi->btn_acts[rep->firstBtnRtrn];
size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc);
if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size))