repositories / deb_xorg-server.git / blame
| Commit | Line | Data |
|---|---|---|
| 7217e0ca ML |
1 | From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001 |
| 2 | From: Keith Packard <keithp@keithp.com> | |
| 3 | Date: Tue, 9 Dec 2014 09:31:00 -0800 | |
| 4 | Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 | |
| 5 | pt. 6] | |
| 6 | ||
| 7 | GetHosts saves the pointer to allocated memory in *data, and then | |
| 8 | wants to bounds-check writes to that region, but was mistakenly using | |
| 9 | a bare 'data' instead of '*data'. Also, data is declared as void **, | |
| 10 | so we need a cast to turn it into a byte pointer so we can actually do | |
| 11 | pointer comparisons. | |
| 12 | ||
| 13 | Signed-off-by: Keith Packard <keithp@keithp.com> | |
| 14 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
| 15 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
| 16 | ||
| 4db25562 JB |
17 | --- a/os/access.c |
| 18 | +++ b/os/access.c | |
| 19 | @@ -1335,7 +1335,7 @@ GetHosts(pointer *data, int *pnHosts, in | |
| 7217e0ca ML |
20 | } |
| 21 | for (host = validhosts; host; host = host->next) { | |
| 22 | len = host->len; | |
| 23 | - if ((ptr + sizeof(xHostEntry) + len) > (data + n)) | |
| 24 | + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) | |
| 25 | break; | |
| 26 | ((xHostEntry *) ptr)->family = host->family; | |
| 27 | ((xHostEntry *) ptr)->length = len; |