diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 09:40:22 -0800 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:39 +0200 |
commit | 4c19cd0c73c769d70125e08e6351bc98134bb058 (patch) | |
tree | a345665483d87752fac7aac6cef675183f9053c4 | |
parent | 5dae1d3f4bcbc1a5c3869e04bdbdd0c7198bd3c7 (diff) | |
download | nx-libs-4c19cd0c73c769d70125e08e6351bc98134bb058.tar.gz nx-libs-4c19cd0c73c769d70125e08e6351bc98134bb058.tar.bz2 nx-libs-4c19cd0c73c769d70125e08e6351bc98134bb058.zip |
unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]
If the X server returns key action indexes outside the range of the number
of keys it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r-- | nx-X11/lib/X11/XKBGetMap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c index 440cc818d..8f99625b0 100644 --- a/nx-X11/lib/X11/XKBGetMap.c +++ b/nx-X11/lib/X11/XKBGetMap.c @@ -270,6 +270,10 @@ Status ret = Success; symMap = &info->map->key_sym_map[rep->firstKeyAct]; for (i=0;i<(int)rep->nKeyActs;i++,symMap++) { if (numDesc[i]==0) { + if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) { + ret = BadLength; + goto done; + } info->server->key_acts[i+rep->firstKeyAct]= 0; } else { |