From: DJ Delorie
Date: Sat, 7 Oct 2017 11:32:00 +0000 (+0200)
Subject: Fix cast-after-dereference
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b70f43dcef0ca638d2d550ead8007f7c9bb7e4bb;p=thirdparty%2Fglibc.git

Fix cast-after-dereference

Original code was dereferencing a char*, then casting the value to size_t. Should cast the pointer to size_t* then dereference.

(cherry picked from commit f8cef4d07d9641e27629bd3ce2d13f5d702fb251)
---
diff --git a/ChangeLog b/ChangeLog index fe5103f03e6..80cb667dd2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2017-07-19 DJ Delorie + + [BZ #21654] + * grp/grp-merge.c (libc_hidden_def): Fix cast-after-dereference. + 2017-07-14 DJ Delorie [BZ #21654] diff --git a/NEWS b/NEWS index f60077bee57..f03910105af 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,7 @@ The following bugs are resolved with this release: [21386] Assertion in fork for distinct parent PID is incorrect [21609] x86-64: Align the stack in __tls_get_addr [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366) + [21654] nss: Fix invalid cast in group merging Version 2.24 diff --git a/grp/grp-merge.c b/grp/grp-merge.c index 50573b89862..5f79755798b 100644 --- a/grp/grp-merge.c +++ b/grp/grp-merge.c @@ -137,7 +137,7 @@ __merge_grp (struct group *savedgrp, char *savedbuf, char *savedend, /* Get the count of group members from the last sizeof (size_t) bytes in the mergegrp buffer. */ - savedmemcount = (size_t) *(savedend - sizeof (size_t)); + savedmemcount = *(size_t *) (savedend - sizeof (size_t)); /* Get the count of new members to add. */ for (memcount = 0; mergegrp->gr_mem[memcount]; memcount++)
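
Review bot: The new ChangeLog entry attributes the change to `(libc_hidden_def)`, but the grp/grp-merge.c hunk header shows the modified line sits inside `__merge_grp`. The entry should name that function, i.e. `* grp/grp-merge.c (__merge_grp): Fix cast-after-dereference.`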
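
Review bot: In the grp/grp-merge.c hunk, the new `*(size_t *) (savedend - sizeof (size_t))` reads a size_t through a pointer derived from `char *savedend`, and nothing in the visible lines establishes that this address is aligned for size_t; on strict-alignment targets a misaligned read can fault. Either document where the alignment is guaranteed or read the count with `memcpy (&savedmemcount, savedend - sizeof (size_t), sizeof (size_t));`. Separately, the comment just above the assignment says the count comes from the "mergegrp buffer" while the expression reads from `savedend`, so the comment should name the saved buffer.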
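
The bug the commit message describes, as an added example that is not glibc code: the function names, the malloc'ed buffer and the sample counts are constructed for illustration. It compares the pre-fix and post-fix expressions from the hunk with a memcpy-based read of the same trailing bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix expression: dereference the char *, then cast that one byte.  */
static size_t read_buggy (const char *end)
{
  return (size_t) *(end - sizeof (size_t));
}

/* Post-fix expression: cast the pointer, then dereference.  The address
   must be suitably aligned for size_t.  */
static size_t read_fixed (const char *end)
{
  return *(const size_t *) (end - sizeof (size_t));
}

/* Alignment-independent alternative (not what the commit uses).  */
static size_t read_memcpy (const char *end)
{
  size_t count;
  memcpy (&count, end - sizeof (size_t), sizeof count);
  return count;
}

/* Store COUNT in the last sizeof (size_t) bytes of a malloc'ed (hence
   aligned) buffer, then read it back with the selected reader.  */
size_t roundtrip (size_t count, int reader)
{
  size_t len = 4 * sizeof (size_t), result;
  char *buf = malloc (len);
  if (buf == NULL) abort ();
  char *end = buf + len;
  memcpy (end - sizeof count, &count, sizeof count);
  result = reader == 0 ? read_buggy (end)
         : reader == 1 ? read_fixed (end) : read_memcpy (end);
  free (buf);
  return result;
}

int main (void)
{
  size_t counts[] = { 3, 256, 300 };   /* constructed sample counts */
  for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
    printf ("stored=%zu buggy=%zu fixed=%zu memcpy=%zu\n", counts[i],
            roundtrip (counts[i], 0), roundtrip (counts[i], 1),
            roundtrip (counts[i], 2));
  return 0;
}
```

The value the pre-fix reader returns depends on byte order and on whether plain char is signed, so it is wrong in different ways on different targets.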