mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cirrus: don't overflow CirrusVGAState->cirrus_bltbuf

Browse Source 
This is CVE-2014-8106.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
Gerd Hoffmann 2014-11-19 13:27:28 +01:00
parent d3532a0db0
commit bf25983345
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hw/display/cirrus_vga.c
View File

@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
assert(s->cirrus_blt_width > 0);
assert(s->cirrus_blt_height > 0);
if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
return true;
}
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
return true;