X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0037-CVE-2014-8092-additional-2.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0037-CVE-2014-8092-additional-2.patch;h=ade166183eefc284d1a50901d60be2ad9f86bfa6;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f diff --git a/debian/patches/CVE-2014-8xxx/0037-CVE-2014-8092-additional-2.patch b/debian/patches/CVE-2014-8xxx/0037-CVE-2014-8092-additional-2.patch new file mode 100644 index 0000000..ade1661 --- /dev/null +++ b/debian/patches/CVE-2014-8xxx/0037-CVE-2014-8092-additional-2.patch @@ -0,0 +1,29 @@ +From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Tue, 9 Dec 2014 09:31:00 -0800 +Subject: dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 + pt. 6] + +GetHosts saves the pointer to allocated memory in *data, and then +wants to bounds-check writes to that region, but was mistakenly using +a bare 'data' instead of '*data'. Also, data is declared as void **, +so we need a cast to turn it into a byte pointer so we can actually do +pointer comparisons. + +Signed-off-by: Keith Packard +Reviewed-by: Alan Coopersmith +Signed-off-by: Alan Coopersmith + +Index: xorg-server-1.15.1/os/access.c +=================================================================== +--- xorg-server-1.15.1.orig/os/access.c 2014-12-09 17:12:07.880851371 -0500 ++++ xorg-server-1.15.1/os/access.c 2014-12-09 17:12:07.880851371 -0500 +@@ -1335,7 +1335,7 @@ + } + for (host = validhosts; host; host = host->next) { + len = host->len; +- if ((ptr + sizeof(xHostEntry) + len) > (data + n)) ++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len;