diff options
| author | Julien Cristau <jcristau@debian.org> | 2013-05-23 20:39:46 +0200 |
|---|---|---|
| committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-19 21:40:27 +0200 |
| commit | 78ed233308babdeb428d9292f7e40e438e9b2efd (patch) | |
| tree | 72d7d6b2732b658538d1037f0060866a16bcc848 /nx-X11/lib/X11/XKBNames.c | |
| parent | 082e831303bb8c8c63ce40d79bee10855112c014 (diff) | |
| download | nx-libs-78ed233308babdeb428d9292f7e40e438e9b2efd.tar.gz nx-libs-78ed233308babdeb428d9292f7e40e438e9b2efd.tar.bz2 nx-libs-78ed233308babdeb428d9292f7e40e438e9b2efd.zip | |
xkb: fix off-by-one in _XkbReadGetNamesReply and _XkbReadVirtualModMap
The size of the arrays is max_key_code + 1. This makes these functions
consistent with the other checks added for CVE-2013-1997.
Also check the XkbGetNames reply when names->keys was just allocated.
Signed-off-by: Julien Cristau <jcristau@debian.org>
Tested-by: Colin Walters <walters@verbum.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/lib/X11/XKBNames.c')
| -rw-r--r-- | nx-X11/lib/X11/XKBNames.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/lib/X11/XKBNames.c b/nx-X11/lib/X11/XKBNames.c index 1f5207493..dc5ef90d7 100644 --- a/nx-X11/lib/X11/XKBNames.c +++ b/nx-X11/lib/X11/XKBNames.c @@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); } - else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code) + if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1) goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf, |