dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]

GetHosts saves the pointer to allocated memory in *data, and then wants to bounds-check writes to that region, but was mistakenly using a bare 'data' instead of '*data'. Also, data is declared as void **, so we need a cast to turn it into a byte pointer so we can actually do pointer comparisons. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> v1: Keith Packard v2: backport to nx-libs 3.6.x (Ulrich Sibiller)

dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
057cdafd · Keith Packard · Ulrich Sibiller · da5da209 · 057cdafd
Commit 057cdafd authored Dec 09, 2014 by Keith Packard Committed by Ulrich Sibiller Oct 06, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

access.c nx-X11/programs/Xserver/os/access.c +1 -1

No files found.
--- a/nx-X11/programs/Xserver/os/access.c
+++ b/nx-X11/programs/Xserver/os/access.c
@@ -1699,7 +1699,7 @@ GetHosts (
        for (host = validhosts; host; host = host->next)
 	{
 	    len = host->len;
-            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
                break;
 	    ((xHostEntry *)ptr)->family = host->family;
 	    ((xHostEntry *)ptr)->length = len;