CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c changed a lot between the time CVE-2007-1320 was announced and the time its patch was applied. As a consequence the patch was applied incorrectly, and QEMU is still vulnerable to this bug when VNC is in use. (noticed by Jan Niehusmann) Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162
parent
6d17c604c0
commit
65d35a0997
@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
|||||||
|
|
||||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||||
{
|
{
|
||||||
|
if (BLTUNSAFE(s))
|
||||||
|
return 0;
|
||||||
|
|
||||||
if (s->ds->dpy_copy) {
|
if (s->ds->dpy_copy) {
|
||||||
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
|
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
|
||||||
s->cirrus_blt_srcaddr - s->start_addr,
|
s->cirrus_blt_srcaddr - s->start_addr,
|
||||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
if (BLTUNSAFE(s))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
(*s->cirrus_rop) (s, s->vram_ptr +
|
(*s->cirrus_rop) (s, s->vram_ptr +
|
||||||
(s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
(s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||||
s->vram_ptr +
|
s->vram_ptr +
|
||||||
|
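Review bot: The hoisted `BLTUNSAFE(s)` guard now runs before both branches, but the dpy_copy path still hands cirrus_do_copy the raw differences `s->cirrus_blt_dstaddr - s->start_addr` and `s->cirrus_blt_srcaddr - s->start_addr` as plain `int` offsets (the hunk header shows `int dst, int src`), whereas the ROP path below masks both addresses with `s->cirrus_addr_mask` before using them. BLTUNSAFE is defined outside this hunk, so I cannot tell whether it bounds the unmasked values; if it only validates masked addresses, a blit address below start_addr or above the mask could still reach cirrus_do_copy as a negative or oversized offset. Worth confirming, or masking before the subtraction: `cirrus_do_copy(s, (s->cirrus_blt_dstaddr & s->cirrus_addr_mask) - s->start_addr,` / `(s->cirrus_blt_srcaddr & s->cirrus_addr_mask) - s->start_addr,`. The guard itself deserves a why-comment so it is not moved back: `/* Bounds-check the blit before either the display-copy or the ROP path touches VRAM (CVE-2007-1320 / CVE-2008-4539). */`. The function body continues past the end of the hunk.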