From eee8427a1c7a7e8015559a97ea76bac776cc3966 Mon Sep 17 00:00:00 2001
From: Ilias Stamatis
Date: Sat, 1 Jun 2019 14:40:12 +0200
Subject: [PATCH] virDomainSendKey: validate codeset argument
This argument wasn't validated anywhere, neither in the generic implementation nor in the individual drivers. As a result a call to this function with a large enough codeset value prior to this change causes libvirtd to crash. This happens because all drivers call virKeycodeValueTranslate which uses codeset as an index to the virKeymapValues array, causing an out-of-bounds error.
Signed-off-by: Ilias Stamatis
Reviewed-by: Erik Skultety
---
 src/libvirt-domain.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index df7e405b3e..509ce5ac8b 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -6837,6 +6837,13 @@ virDomainSendKey(virDomainPtr domain,
 virCheckNonNullArgGoto(keycodes, error);
 virCheckPositiveArgGoto(nkeycodes, error);
 
+ if (codeset >= VIR_KEYCODE_SET_LAST) {
+ virReportInvalidArg(codeset,
+ _("Unsupported codeset '%d'"),
+ codeset);
+ goto error;
+ }
+
 if (nkeycodes > VIR_DOMAIN_SEND_KEY_MAX_KEYS) {
 virReportInvalidArg(nkeycodes,
 _("nkeycodes must be <= %d"),
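Review bot: The added guard `if (codeset >= VIR_KEYCODE_SET_LAST)` rejects every out-of-range value only if `codeset` is an unsigned type, and its declaration is outside this hunk, as are the start and end of virDomainSendKey. If it is unsigned, the message should use `_("Unsupported codeset '%u'")` so a large value is not printed as a negative number; if it is signed, the condition also needs `codeset < 0 ||`, since a negative index would still reach the array lookup. The commit message places the actual indexing in virKeycodeValueTranslate, so a matching range check there would presumably protect any caller that does not come through this entry point. A one-line comment above the new check, such as `/* codeset indexes virKeymapValues in the drivers; reject out-of-range values here */`, would record why the validation lives in the generic layer.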