[2.25 COMMITTED] Fix cast-after-dereference

[2.25 COMMITTED] Fix cast-after-dereference

[Florian Weimer]

From: DJ Delorie <dj@delorie.com>

Original code was dereferencing a char*, then casting the value
to size_t.  Should cast the pointer to size_t* then deference.

(cherry picked from commit f8cef4d07d9641e27629bd3ce2d13f5d702fb251)

2017-07-19  DJ Delorie  <dj@delorie.com>

	[BZ #21654]
	* grp/grp-merge.c (libc_hidden_def): Fix cast-after-dereference.

diff --git a/NEWS b/NEWS
index f7057710f1..11b82d2325 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,7 @@ The following bugs are resolved with this release:
   [21298] rwlock can deadlock on frequent reader/writer phase switching
   [21386] Assertion in fork for distinct parent PID is incorrect
   [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
+  [21654] nss: Fix invalid cast in group merging
   [21778] Robust mutex may deadlock
   [21972] assert macro requires operator== (int) for its argument type
 \f
diff --git a/grp/grp-merge.c b/grp/grp-merge.c
index 6590e5d823..035e7a604b 100644
--- a/grp/grp-merge.c
+++ b/grp/grp-merge.c
@@ -137,7 +137,7 @@ __merge_grp (struct group *savedgrp, char *savedbuf, char *savedend,
 
   /* Get the count of group members from the last sizeof (size_t) bytes in the
      mergegrp buffer.  */
-  savedmemcount = (size_t) *(savedend - sizeof (size_t));
+  savedmemcount = *(size_t *) (savedend - sizeof (size_t));
 
   /* Get the count of new members to add.  */
   for (memcount = 0; mergegrp->gr_mem[memcount]; memcount++)