785 xkb->max_key_code = rep->maxKeyCode; |
785 xkb->max_key_code = rep->maxKeyCode; |
786 |
786 |
787 -- |
787 -- |
788 1.7.9.2 |
788 1.7.9.2 |
789 |
789 |
|
790 From a3bdd2b090915fe0163b062f0e6576fe05dd332e Mon Sep 17 00:00:00 2001 |
|
791 From: Julien Cristau <[email protected]> |
|
792 Date: Thu, 23 May 2013 20:39:46 +0200 |
|
793 Subject: [PATCH:libX11] xkb: fix off-by-one in _XkbReadGetNamesReply and |
|
794 _XkbReadVirtualModMap |
|
795 |
|
796 The size of the arrays is max_key_code + 1. This makes these functions |
|
797 consistent with the other checks added for CVE-2013-1997. |
|
798 |
|
799 Also check the XkbGetNames reply when names->keys was just allocated. |
|
800 |
|
801 Signed-off-by: Julien Cristau <[email protected]> |
|
802 Tested-by: Colin Walters <[email protected]> |
|
803 Reviewed-by: Alan Coopersmith <[email protected]> |
|
804 --- |
|
805 src/xkb/XKBGetMap.c | 2 +- |
|
806 src/xkb/XKBNames.c | 2 +- |
|
807 2 files changed, 2 insertions(+), 2 deletions(-) |
|
808 |
|
809 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
810 index 0875dfd..c73e655 100644 |
|
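--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -426,7 +426,7 @@ XkbServerMapPtr srv;
 
 if ( rep->totalVModMapKeys>0 ) {
 if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
- > xkb->max_key_code)
+ > xkb->max_key_code + 1)
 return BadLength;
 if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
 (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {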
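Review bot: The new bound `xkb->max_key_code + 1` in the `rep->totalVModMapKeys>0` branch has no comment tying it to the array size that the commit message gives as the reason. I would add `/* vmodmap has max_key_code + 1 entries, so first + count may equal that size */` above the comparison. The check also only constrains the range the reply declares through `firstVModMapKey` and `nVModMapKeys`, while the branch is entered on `totalVModMapKeys`, so the code that consumes the entries presumably has to bound each entry's key on its own. That code, like the rest of the function, lies outside the hunk, so this needs confirming there.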
|
822 diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c |
|
823 index 0f1e48e..3a8860b 100644 |
|
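--- a/src/xkb/XKBNames.c
+++ b/src/xkb/XKBNames.c
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy,
 nKeys= xkb->max_key_code+1;
 names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 }
- else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+ if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
 goto BAILOUT;
 if (names->keys!=NULL) {
 if (!_XkbCopyFromReadBuffer(&buf,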
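Review bot: The array size is now spelled twice in this hunk, once as `nKeys= xkb->max_key_code+1` for the allocation and once inline in the range check, so the two expressions can drift apart again. Computing the bound once ahead of the allocation branch and comparing against it, `if (((int)rep->firstKey + rep->nKeys) > nKeys) goto BAILOUT;`, keeps allocation and validation tied to one value. This assumes `nKeys` can be declared at a scope covering both statements, which the hunk does not show because the enclosing block opens above it. For a `names->keys` array that already existed on entry, the check trusts that it was sized from the current `max_key_code`; that allocation is outside the hunk and worth confirming.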
|
835 -- |
|
836 1.7.9.2 |
|
837 |