xkb: length-check XkbListComponents before accessing the fields

Each string length field was accessed before checking whether that byte was actually part of the client request. No real harm here since it would immediately fail with BadLength anyway, but let's be correct here. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2022-07-13 11:38:16 +10:00 · 2022-07-13 11:38:16 +10:00 · 1bb7767f19
parent 44ae6f4419
commit 1bb7767f19
1 changed files with 2 additions and 0 deletions
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@ -5870,6 +5870,8 @@ ProcXkbListComponents(ClientPtr client)
     * length wrong. */
    str = (unsigned char *) &stuff[1];
    for (i = 0; i < 6; i++) {
+        if (!_XkbCheckRequestBounds(client, stuff, str, str + 1))
+            return BadLength;
        size = *((uint8_t *)str);
        len = (str + size + 1) - ((unsigned char *) stuff);
        if ((XkbPaddedSize(len) / 4) > stuff->length)