aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 09:40:22 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commit4c19cd0c73c769d70125e08e6351bc98134bb058 (patch)
treea345665483d87752fac7aac6cef675183f9053c4 /nx-X11/lib
parent5dae1d3f4bcbc1a5c3869e04bdbdd0c7198bd3c7 (diff)
downloadnx-libs-4c19cd0c73c769d70125e08e6351bc98134bb058.tar.gz
nx-libs-4c19cd0c73c769d70125e08e6351bc98134bb058.tar.bz2
nx-libs-4c19cd0c73c769d70125e08e6351bc98134bb058.zip
unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]
If the X server returns key action indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/lib')
-rw-r--r--nx-X11/lib/X11/XKBGetMap.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c
index 440cc818d..8f99625b0 100644
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -270,6 +270,10 @@ Status ret = Success;
symMap = &info->map->key_sym_map[rep->firstKeyAct];
for (i=0;i<(int)rep->nKeyActs;i++,symMap++) {
if (numDesc[i]==0) {
+ if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) {
+ ret = BadLength;
+ goto done;
+ }
info->server->key_acts[i+rep->firstKeyAct]= 0;
}
else {