From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 17 Sep 2023 14:19:40 -0700 Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms() Make sure we allocate enough memory in the first place, and also handle error returns from _XkbReadBufferCopyKeySyms() when it detects out-of-bounds issues. Reported-by: Gregory James DUCK Signed-off-by: Alan Coopersmith --- src/xkb/XKBGetMap.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c index 2891d21e..31199e4a 100644 --- a/src/xkb/XKBGetMap.c +++ b/src/xkb/XKBGetMap.c @@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) if (offset + newMap->nSyms >= map->size_syms) { register int sz; - sz = map->size_syms + 128; + sz = offset + newMap->nSyms; + sz = ((sz + (unsigned) 128) / 128) * 128; _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); if (map->syms == NULL) { map->size_syms = 0; @@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) map->size_syms = sz; } if (newMap->nSyms > 0) { - _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], - newMap->nSyms); + if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], + newMap->nSyms) == 0) + return BadLength; offset += newMap->nSyms; } else { @@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); if (newSyms == NULL) return BadAlloc; - if (newMap->nSyms > 0) - _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); + if (newMap->nSyms > 0) { + if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) + return BadLength; + } else newSyms[0] = NoSymbol; oldMap->kt_index[0] = newMap->ktIndex[0]; -- 2.41.0