CVS commit: [netbsd-6-1] xsrc/external/mit/libX11/dist/src/xkb

Wed, 18 Sep 2013 12:55:45 -0700 

Module Name:    xsrc
Committed By:   bouyer
Date:           Wed Sep 18 19:54:17 UTC 2013

Modified Files:
        xsrc/external/mit/libX11/dist/src/xkb [netbsd-6-1]: XKBGetMap.c
            XKBNames.c

Log Message:
Apply patch, requested by riz in ticket #945
        xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c        patch
        xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c       patch

The size of the arrays is max_key_code + 1. This makes these functions
consistent with the other checks added for CVE-2013-1997.
Check the XkbGetNames reply when names->keys was just allocated
Should fix PR lib/48170.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4.6.1 -r1.1.1.4.6.2 \
    xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c \
    xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.6.1 xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.6.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.6.1	Thu Jun  6 03:50:17 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c	Wed Sep 18 19:54:17 2013
@@ -426,7 +426,7 @@ XkbServerMapPtr		srv;
 
     if ( rep->totalVModMapKeys>0 ) {
 	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
-	     > xkb->max_key_code)
+	     > xkb->max_key_code + 1)
 	    return BadLength;
 	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
 	    (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.6.1 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.6.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.6.1	Thu Jun  6 03:50:17 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c	Wed Sep 18 19:54:17 2013
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
-	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
 	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,

Reply via email to