diff options
Diffstat (limited to 'nx-X11/lib/X11/XKBGetMap.c')
-rw-r--r-- | nx-X11/lib/X11/XKBGetMap.c | 33 |
1 files changed, 29 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c index a38907671..391d7aa89 100644 --- a/nx-X11/lib/X11/XKBGetMap.c +++ b/nx-X11/lib/X11/XKBGetMap.c @@ -152,9 +152,12 @@ XkbClientMapPtr map; map= xkb->map; if (map->key_sym_map==NULL) { register int offset; + int size = xkb->max_key_code + 1; XkbSymMapPtr oldMap; xkbSymMapWireDesc *newMap; - map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec); + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size) + return BadLength; + map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec); if (map->key_sym_map==NULL) return BadAlloc; if (map->syms==NULL) { @@ -210,6 +213,8 @@ XkbClientMapPtr map; KeySym * newSyms; int tmp; + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) + return BadLength; oldMap = &map->key_sym_map[rep->firstKeySym]; for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) { newMap= (xkbSymMapWireDesc *) @@ -265,6 +270,10 @@ Status ret = Success; symMap = &info->map->key_sym_map[rep->firstKeyAct]; for (i=0;i<(int)rep->nKeyActs;i++,symMap++) { if (numDesc[i]==0) { + if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) { + ret = BadLength; + goto done; + } info->server->key_acts[i+rep->firstKeyAct]= 0; } else { @@ -297,8 +306,10 @@ register int i; xkbBehaviorWireDesc *wire; if ( rep->totalKeyBehaviors>0 ) { + int size = xkb->max_key_code + 1; + if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size) + return BadLength; if ( xkb->server->behaviors == NULL ) { - int size = xkb->max_key_code+1; xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior); if (xkb->server->behaviors==NULL) return BadAlloc; @@ -310,7 +321,7 @@ xkbBehaviorWireDesc *wire; for (i=0;i<rep->totalKeyBehaviors;i++) { wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf, SIZEOF(xkbBehaviorWireDesc)); - if (wire==NULL) + if (wire==NULL || wire->key >= size) return BadLength; xkb->server->behaviors[wire->key].type= wire->type; xkb->server->behaviors[wire->key].data= wire->data; @@ -352,8 +363,10 @@ register int i; unsigned char *wire; if ( rep->totalKeyExplicit>0 ) { + int size = xkb->max_key_code + 1; + if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size) + return BadLength; if ( xkb->server->explicit == NULL ) { - int size = xkb->max_key_code+1; xkb->server->explicit = _XkbTypedCalloc(size,unsigned char); if (xkb->server->explicit==NULL) return BadAlloc; @@ -367,6 +380,8 @@ unsigned char *wire; if (!wire) return BadLength; for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) { + if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code) + return BadLength; xkb->server->explicit[wire[0]]= wire[1]; } } @@ -380,6 +395,9 @@ register int i; unsigned char *wire; if ( rep->totalModMapKeys>0 ) { + if ( ((int)rep->firstModMapKey + rep->nModMapKeys) > + (xkb->max_key_code + 1)) + return BadLength; if ((xkb->map->modmap==NULL)&& (XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) { return BadAlloc; @@ -392,6 +410,8 @@ unsigned char *wire; if (!wire) return BadLength; for (i=0;i<rep->totalModMapKeys;i++,wire+=2) { + if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code) + return BadLength; xkb->map->modmap[wire[0]]= wire[1]; } } @@ -406,6 +426,9 @@ xkbVModMapWireDesc * wire; XkbServerMapPtr srv; if ( rep->totalVModMapKeys>0 ) { + if (((int) rep->firstVModMapKey + rep->nVModMapKeys) + > xkb->max_key_code + 1) + return BadLength; if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) { return BadAlloc; @@ -462,6 +485,8 @@ unsigned mask; if ( xkb->device_spec == XkbUseCoreKbd ) xkb->device_spec= rep->deviceID; + if ( rep->maxKeyCode < rep->minKeyCode ) + return BadImplementation; xkb->min_key_code = rep->minKeyCode; xkb->max_key_code = rep->maxKeyCode; |