diff options
author | Keith Packard <keithp@keithp.com> | 2014-12-09 09:31:00 -0800 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-06 21:16:17 +0200 |
commit | 057cdafdc25c9c82989304ad0427c0038b40c521 (patch) | |
tree | 347ce7a52104d5a76c1e7a7ff80983c4ec0e186f | |
parent | da5da2091dc47b031926c791135c83468f557e9d (diff) | |
download | nx-libs-057cdafdc25c9c82989304ad0427c0038b40c521.tar.gz nx-libs-057cdafdc25c9c82989304ad0427c0038b40c521.tar.bz2 nx-libs-057cdafdc25c9c82989304ad0427c0038b40c521.zip |
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
v1: Keith Packard
v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
-rw-r--r-- | nx-X11/programs/Xserver/os/access.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c index f9b9953bc..1f64366dd 100644 --- a/nx-X11/programs/Xserver/os/access.c +++ b/nx-X11/programs/Xserver/os/access.c @@ -1699,7 +1699,7 @@ GetHosts ( for (host = validhosts; host; host = host->next) { len = host->len; - if ((ptr + sizeof(xHostEntry) + len) > (data + n)) + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) break; ((xHostEntry *)ptr)->family = host->family; ((xHostEntry *)ptr)->length = len; |