From eed7f2b1c8f6744546bbc92f1d90205b19c8d707 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 13 Jul 2022 11:38:16 +1000
Subject: [PATCH] xkb: length-check XkbListComponents before accessing the
 fields

Each string length field was accessed before checking whether that byte
was actually part of the client request. No real harm here since it
would immediately fail with BadLength anyway, but let's be correct here.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 1bb7767f19969ee6b109f7424ff97738752d18c9)
---
 xkb/xkb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 887d30f6d..3084a535b 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5871,6 +5871,8 @@ ProcXkbListComponents(ClientPtr client)
      * length wrong. */
     str = (unsigned char *) &stuff[1];
     for (i = 0; i < 6; i++) {
+        if (!_XkbCheckRequestBounds(client, stuff, str, str + 1))
+            return BadLength;
         size = *((uint8_t *)str);
         len = (str + size + 1) - ((unsigned char *) stuff);
         if ((XkbPaddedSize(len) / 4) > stuff->length)