frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] 

GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
Keith Packard 2014-12-09 09:31:00 -08:00 committed by Alan Coopersmith
parent 9802a0162f
commit 1559a94395
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
os/access.c
View File

@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
} }
for (host = validhosts; host; host = host->next) { for (host = validhosts; host; host = host->next) {
len = host->len; len = host->len;
if ((ptr + sizeof(xHostEntry) + len) > (data + n)) if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break; break;
((xHostEntry *) ptr)->family = host->family; ((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len; ((xHostEntry *) ptr)->length = len;