From 78ed233308babdeb428d9292f7e40e438e9b2efd Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 23 May 2013 20:39:46 +0200
Subject: xkb: fix off-by-one in _XkbReadGetNamesReply and
 _XkbReadVirtualModMap

The size of the arrays is max_key_code + 1.  This makes these functions
consistent with the other checks added for CVE-2013-1997.

Also check the XkbGetNames reply when names->keys was just allocated.

Signed-off-by: Julien Cristau <jcristau@debian.org>
Tested-by: Colin Walters <walters@verbum.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/XKBGetMap.c | 2 +-
 nx-X11/lib/X11/XKBNames.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'nx-X11/lib/X11')

diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c
index 5eb1d41bf..391d7aa89 100644
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -427,7 +427,7 @@ XkbServerMapPtr		srv;
 
     if ( rep->totalVModMapKeys>0 ) {
 	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
-	     > xkb->max_key_code)
+	     > xkb->max_key_code + 1)
 	    return BadLength;
 	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
 	    (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
diff --git a/nx-X11/lib/X11/XKBNames.c b/nx-X11/lib/X11/XKBNames.c
index 1f5207493..dc5ef90d7 100644
--- a/nx-X11/lib/X11/XKBNames.c
+++ b/nx-X11/lib/X11/XKBNames.c
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
-	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
 	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,
-- 
cgit v1.2.3