From 1bb7767f19969ee6b109f7424ff97738752d18c9 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 13 Jul 2022 11:38:16 +1000
Subject: [PATCH] xkb: length-check XkbListComponents before accessing the
 fields

Each string length field was accessed before checking whether that byte
was actually part of the client request. No real harm here since it
would immediately fail with BadLength anyway, but let's be correct here.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 xkb/xkb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 0c920393d..f42f59ef3 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5870,6 +5870,8 @@ ProcXkbListComponents(ClientPtr client)
      * length wrong. */
     str = (unsigned char *) &stuff[1];
     for (i = 0; i < 6; i++) {
+        if (!_XkbCheckRequestBounds(client, stuff, str, str + 1))
+            return BadLength;
         size = *((uint8_t *)str);
         len = (str + size + 1) - ((unsigned char *) stuff);
         if ((XkbPaddedSize(len) / 4) > stuff->length)