upstream/oracle/x-cons/x-s11-update-clone: comparison open-src/lib/libX11/CVE-2013-1997.patch

equal deleted inserted replaced

-:375444972d0d
+:c05f6f3f5f1a
 xkb->max_key_code = rep->maxKeyCode;
 --
 1.7.9.2
+From a3bdd2b090915fe0163b062f0e6576fe05dd332e Mon Sep 17 00:00:00 2001
+From: Julien Cristau <[email protected]>
+Date: Thu, 23 May 2013 20:39:46 +0200
+Subject: [PATCH:libX11] xkb: fix off-by-one in _XkbReadGetNamesReply and
+_XkbReadVirtualModMap
+The size of the arrays is max_key_code + 1.  This makes these functions
+consistent with the other checks added for CVE-2013-1997.
+Also check the XkbGetNames reply when names->keys was just allocated.
+Signed-off-by: Julien Cristau <[email protected]>
+Tested-by: Colin Walters <[email protected]>
+Reviewed-by: Alan Coopersmith <[email protected]>
+---
+src/xkb/XKBGetMap.c |    2 +-
+src/xkb/XKBNames.c  |    2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 0875dfd..c73e655 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -426,7 +426,7 @@ XkbServerMapPtr		srv;
+if ( rep->totalVModMapKeys>0 ) {
+	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
+-	     > xkb->max_key_code)
++	     > xkb->max_key_code + 1)
+	    return BadLength;
+	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
+	    (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
+diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
+index 0f1e48e..3a8860b 100644
+--- a/src/xkb/XKBNames.c
++++ b/src/xkb/XKBNames.c
+@@ -180,7 +180,7 @@ _XkbReadGetNamesReply(	Display *		dpy,
+	    nKeys= xkb->max_key_code+1;
+	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
+	}
+-	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
++	if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
+	    goto BAILOUT;
+	if (names->keys!=NULL) {
+	    if (!_XkbCopyFromReadBuffer(&buf,
+--
+1.7.9.2

changeset 1348	c05f6f3f5f1a
parent 1345	d5dacbb8de2b