From b17557f9f0cd0ba992415411040e20390fa881f0 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 25 Sep 2016 21:22:57 +0200
Subject: The validation of server responses avoids out of boundary accesses. v2: FontNames.c return a NULL list whenever a single length field from the server is incohent.
Signed-off-by: Tobias Stoeckmann
Reviewed-by: Matthieu Herrb
Backported-to-NX-by: Ulrich Sibiller
---
 nx-X11/lib/X11/ModMap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'nx-X11/lib/X11/ModMap.c')
diff --git a/nx-X11/lib/X11/ModMap.c b/nx-X11/lib/X11/ModMap.c
index a809aa291..49a5d08e8 100644
--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
 GetEmptyReq(GetModifierMapping, req);
 (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2) &&
+ (rep.length >> 1) == rep.numKeyPerModifier) {
 nbytes = (unsigned long)rep.length << 2;
 res = Xmalloc(sizeof (XModifierKeymap));
 if (res)
--
cgit v1.2.3
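Review bot: The added condition `(rep.length >> 1) == rep.numKeyPerModifier` also accepts an odd `rep.length`, because the shift discards the low bit, so a reply one word longer than the keymap needs still passes the check. Eight modifiers of `numKeyPerModifier` one-byte keycodes are exactly `2 * numKeyPerModifier` four-byte words, so the exact form `rep.length == 2 * (unsigned long)rep.numKeyPerModifier` states the invariant directly, and it deserves a one-line comment such as `/* reply must carry 8 * numKeyPerModifier keycode bytes, i.e. 2 * numKeyPerModifier words */`. Separately, the `(void) _XReply (...)` context line just above discards the return value, so these length checks may run on a `rep` that was never filled in; testing that result first would be the safer order, though what `rep` holds on failure is not visible here. The body of XGetModifierMapping starts and ends outside the hunk, so the handling of the rejected case could not be reviewed.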