fdo-mirrors/xorg-libx11
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/lib/libx11.git synced 2026-05-07 03:58:03 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]

Browse source 
If the X server returns key behavior indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
This commit is contained in:
Alan Coopersmith 2013-03-02 10:39:21 -08:00
parent 00626c3830
commit 06c086e8a1
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/xkb/XKBGetMap.c
View file

@ -305,8 +305,10 @@ register int i;
xkbBehaviorWireDesc *wire;
if ( rep->totalKeyBehaviors>0 ) {
int size = xkb->max_key_code + 1;
if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size)
return BadLength;
if ( xkb->server->behaviors == NULL ) {
int size = xkb->max_key_code+1;
xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior);
if (xkb->server->behaviors==NULL)
return BadAlloc;
@ -318,7 +320,7 @@ xkbBehaviorWireDesc *wire;
for (i=0;i<rep->totalKeyBehaviors;i++) {
wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf,
SIZEOF(xkbBehaviorWireDesc));
if (wire==NULL)
if (wire==NULL || wire->key >= size)
return BadLength;
xkb->server->behaviors[wire->key].type= wire->type;
xkb->server->behaviors[wire->key].data= wire->data;