[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0037-CVE-2014-8092-additional-2.patch

From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Tue, 9 Dec 2014 09:31:00 -0800
Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092
 pt. 6]

GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Index: xorg-server-1.15.1/os/access.c
===================================================================
--- xorg-server-1.15.1.orig/os/access.c	2014-12-09 17:12:07.880851371 -0500
+++ xorg-server-1.15.1/os/access.c	2014-12-09 17:12:07.880851371 -0500
@@ -1335,7 +1335,7 @@
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
-            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
                 break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
Commit	Line	Data
7217e0ca ML	1	From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
	2	From: Keith Packard <keithp@keithp.com>
	3	Date: Tue, 9 Dec 2014 09:31:00 -0800
	4	Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092
	5	pt. 6]
	6
	7	GetHosts saves the pointer to allocated memory in *data, and then
	8	wants to bounds-check writes to that region, but was mistakenly using
	9	a bare 'data' instead of 'data'. Also, data is declared as void *,
	10	so we need a cast to turn it into a byte pointer so we can actually do
	11	pointer comparisons.
	12
	13	Signed-off-by: Keith Packard <keithp@keithp.com>
	14	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	15	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	16
	17	Index: xorg-server-1.15.1/os/access.c
	18	===================================================================
	19	--- xorg-server-1.15.1.orig/os/access.c 2014-12-09 17:12:07.880851371 -0500
	20	+++ xorg-server-1.15.1/os/access.c 2014-12-09 17:12:07.880851371 -0500
	21	@@ -1335,7 +1335,7 @@
	22	}
	23	for (host = validhosts; host; host = host->next) {
	24	len = host->len;
	25	- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
	26	+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char ) data + n))
	27	break;
	28	((xHostEntry *) ptr)->family = host->family;
	29	((xHostEntry *) ptr)->length = len;