fdo-mirrors/xorg-libx11
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/lib/libx11.git synced 2026-05-07 06:18:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]

Browse source 
If the X server returns more buttons than are allocated in the XKB
device info structures, out of bounds writes could occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
This commit is contained in:
Alan Coopersmith 2013-03-01 22:49:01 -08:00
parent cddc4e7e3c
commit f293659d5a
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/xkb/XKBExtDev.c
View file

@ -181,6 +181,9 @@ int tmp;
return tmp;
}
if (rep->nBtnsWanted>0) {
if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted)
>= devi->num_btns)
goto BAILOUT;
act= &devi->btn_acts[rep->firstBtnWanted];
bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction)));
}
@ -190,6 +193,9 @@ int tmp;
goto BAILOUT;
if (rep->nBtnsRtrn>0) {
int size;
if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn)
>= devi->num_btns)
goto BAILOUT;
act= &devi->btn_acts[rep->firstBtnRtrn];
size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc);
if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size))