Module Name: xsrc Committed By: bouyer Date: Wed Sep 18 19:54:17 UTC 2013
Modified Files: xsrc/external/mit/libX11/dist/src/xkb [netbsd-6-1]: XKBGetMap.c XKBNames.c Log Message: Apply patch, requested by riz in ticket #945 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c patch xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c patch The size of the arrays is max_key_code + 1. This makes these functions consistent with the other checks added for CVE-2013-1997. Check the XkbGetNames reply when names->keys was just allocated Should fix PR lib/48170. To generate a diff of this commit: cvs rdiff -u -r1.1.1.4.6.1 -r1.1.1.4.6.2 \ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c \ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.6.1 xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.6.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.6.1 Thu Jun 6 03:50:17 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c Wed Sep 18 19:54:17 2013
@@ -426,7 +426,7 @@ XkbServerMapPtr srv; if ( rep->totalVModMapKeys>0 ) { if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
- > xkb->max_key_code)
+ > xkb->max_key_code + 1)
return BadLength; if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.6.1 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.6.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.6.1 Thu Jun 6 03:50:17 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c Wed Sep 18 19:54:17 2013
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); }
- else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+ if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf,
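Review bot: The `+ 1` in the new bound `> xkb->max_key_code + 1` in XKBGetMap.c carries no comment tying it to the size of the array it guards, and the same literal bound is repeated in the XKBNames.c hunk. The log message says the arrays hold max_key_code + 1 entries; recording that beside the check, e.g. `/* vmodmap has max_key_code + 1 entries; reject a reply range that runs past it */`, makes it harder for a later edit to drift back to the off-by-one form. The check only validates the range declared in the reply header, and the code that actually indexes the array is outside this hunk, so it is worth confirming that each per-key index read from the wire is held to the same range before it is used as a subscript.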
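Review bot: In XKBNames.c the range check is now correct only because the `else` was dropped, and nothing beside the `if` says why it must also run on the path where `names->keys` was just allocated. A comment above it such as `/* firstKey/nKeys come from the server: validate on both paths, keys has max_key_code + 1 entries */` would stop a cleanup from restoring `else if`. The check also assumes that a `names->keys` array allocated earlier was sized with the same `xkb->max_key_code+1` count used here; that earlier allocation is not visible in the hunk and should be confirmed. _XkbReadGetNamesReply starts and continues outside the hunk.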