xkb: length-check XkbListComponents before accessing the fields

Each string length field was accessed before checking whether that byte was actually part of the client request. No real harm here since it would immediately fail with BadLength anyway, but let's be correct here. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
author: Peter Hutterer <peter.hutterer@who-t.net> 2022-07-13 11:38:16 +1000
committer: Peter Hutterer <peter.hutterer@who-t.net> 2022-07-13 11:38:16 +1000
commit: 1bb7767f19969ee6b109f7424ff97738752d18c9 (patch)
tree: 08174e92ae8f7c8e70679918d80e65f9d51fda0a
parent: 44ae6f44192f5edeaf5ac082870bbdf3262071ef (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 0c920393d..f42f59ef3 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5870,6 +5870,8 @@ ProcXkbListComponents(ClientPtr client)
      * length wrong. */
     str = (unsigned char *) &stuff[1];
     for (i = 0; i < 6; i++) {
+        if (!_XkbCheckRequestBounds(client, stuff, str, str + 1))
+            return BadLength;
         size = *((uint8_t *)str);
         len = (str + size + 1) - ((unsigned char *) stuff);
         if ((XkbPaddedSize(len) / 4) > stuff->length)
author	Peter Hutterer <peter.hutterer@who-t.net>	2022-07-13 11:38:16 +1000
committer	Peter Hutterer <peter.hutterer@who-t.net>	2022-07-13 11:38:16 +1000
commit	1bb7767f19969ee6b109f7424ff97738752d18c9 (patch)
tree	08174e92ae8f7c8e70679918d80e65f9d51fda0a
parent	44ae6f44192f5edeaf5ac082870bbdf3262071ef (diff)