File U_dix_GetHosts_bounds_check_using_wrong_pointer... of Package xorg-x11-server

Overview Repositories Revisions Requests Users Attributes Meta

File U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch of Package xorg-x11-server

Subject: dix: GetHosts bounds check using wrong pointer value
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb <msrb@suse.com>

GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 os/access.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/os/access.c b/os/access.c
index f393c8d..28f2d32 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
-            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
                 break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
-- 
1.8.4.5

Places

File U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch of Package xorg-x11-server

Places