aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKeith Packard <keithp@keithp.com>2014-12-09 09:31:00 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-06 21:16:17 +0200
commit057cdafdc25c9c82989304ad0427c0038b40c521 (patch)
tree347ce7a52104d5a76c1e7a7ff80983c4ec0e186f
parentda5da2091dc47b031926c791135c83468f557e9d (diff)
downloadnx-libs-057cdafdc25c9c82989304ad0427c0038b40c521.tar.gz
nx-libs-057cdafdc25c9c82989304ad0427c0038b40c521.tar.bz2
nx-libs-057cdafdc25c9c82989304ad0427c0038b40c521.zip
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
GetHosts saves the pointer to allocated memory in *data, and then wants to bounds-check writes to that region, but was mistakenly using a bare 'data' instead of '*data'. Also, data is declared as void **, so we need a cast to turn it into a byte pointer so we can actually do pointer comparisons. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> v1: Keith Packard v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
-rw-r--r--nx-X11/programs/Xserver/os/access.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c
index f9b9953bc..1f64366dd 100644
--- a/nx-X11/programs/Xserver/os/access.c
+++ b/nx-X11/programs/Xserver/os/access.c
@@ -1699,7 +1699,7 @@ GetHosts (
for (host = validhosts; host; host = host->next)
{
len = host->len;
- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break;
((xHostEntry *)ptr)->family = host->family;
((xHostEntry *)ptr)->length = len;