debian/patches/CVE-2014-8xxx/0037-CVE-2014-8092-additional-2.patch

   1 From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
   2 From: Keith Packard <keithp@keithp.com>
   3 Date: Tue, 9 Dec 2014 09:31:00 -0800
   4 Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092
   5  pt. 6]
   6
   7 GetHosts saves the pointer to allocated memory in *data, and then
   8 wants to bounds-check writes to that region, but was mistakenly using
   9 a bare 'data' instead of '*data'. Also, data is declared as void **,
  10 so we need a cast to turn it into a byte pointer so we can actually do
  11 pointer comparisons.
  12
  13 Signed-off-by: Keith Packard <keithp@keithp.com>
  14 Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  15 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  16
  17 Index: xorg-server-1.15.1/os/access.c
  18 ===================================================================
  19 --- xorg-server-1.15.1.orig/os/access.c 2014-12-09 17:12:07.880851371 -0500
  20 +++ xorg-server-1.15.1/os/access.c      2014-12-09 17:12:07.880851371 -0500
  21 @@ -1335,7 +1335,7 @@
  22          }
  23          for (host = validhosts; host; host = host->next) {
  24              len = host->len;
  25 -            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
  26 +            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
  27                  break;
  28              ((xHostEntry *) ptr)->family = host->family;
  29              ((xHostEntry *) ptr)->length = len;