From 0bf09b4bb1e469f37b75a088b1a5ba093ab36252 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 11:11:08 -0800
Subject: unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997
 11/15]

If the X server returns key name indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/XKBNames.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nx-X11/lib/X11/XKBNames.c b/nx-X11/lib/X11/XKBNames.c
index 04cd6f3e3..1f5207493 100644
--- a/nx-X11/lib/X11/XKBNames.c
+++ b/nx-X11/lib/X11/XKBNames.c
@@ -180,6 +180,8 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
+	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,
 					(char *)&names->keys[rep->firstKey],
-- 
cgit v1.2.3