From 057cdafdc25c9c82989304ad0427c0038b40c521 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Tue, 9 Dec 2014 09:31:00 -0800
Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092
 pt. 6]

GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

v1: Keith Packard
v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
---
 nx-X11/programs/Xserver/os/access.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'nx-X11/programs/Xserver/os')

diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c
index f9b9953bc..1f64366dd 100644
--- a/nx-X11/programs/Xserver/os/access.c
+++ b/nx-X11/programs/Xserver/os/access.c
@@ -1699,7 +1699,7 @@ GetHosts (
         for (host = validhosts; host; host = host->next)
 	{
 	    len = host->len;
-            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
                 break;
 	    ((xHostEntry *)ptr)->family = host->family;
 	    ((xHostEntry *)ptr)->length = len;
-- 
cgit v1.2.3