diff options
Diffstat (limited to '')
-rw-r--r-- | patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch b/patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch new file mode 100644 index 000000000..c75c0a8f4 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch @@ -0,0 +1,35 @@ +From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Tue, 9 Dec 2014 09:31:00 -0800 +Subject: [PATCH 2/2] dix: GetHosts bounds check using wrong pointer value + [CVE-2014-8092 pt. 6] + +GetHosts saves the pointer to allocated memory in *data, and then +wants to bounds-check writes to that region, but was mistakenly using +a bare 'data' instead of '*data'. Also, data is declared as void **, +so we need a cast to turn it into a byte pointer so we can actually do +pointer comparisons. + +Signed-off-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + os/access.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/access.c b/os/access.c +index f393c8d..28f2d32 100644 +--- a/os/access.c ++++ b/os/access.c +@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) + } + for (host = validhosts; host; host = host->next) { + len = host->len; +- if ((ptr + sizeof(xHostEntry) + len) > (data + n)) ++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len; +-- +2.1.0 + |