mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

Browse Source 
Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
Roland Dreier 2010-01-05 20:43:34 -08:00 committed by Anthony Liguori
parent e73223a584
commit f2d928d44e
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hw/vmware_vga.c
View File

@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.height = y = vmsvga_fifo_read(s); cursor.height = y = vmsvga_fifo_read(s);
vmsvga_fifo_read(s); vmsvga_fifo_read(s);
cursor.bpp = vmsvga_fifo_read(s); cursor.bpp = vmsvga_fifo_read(s);
if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
goto badcmd;
}
for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++) for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++)
cursor.mask[args] = vmsvga_fifo_read_raw(s); cursor.mask[args] = vmsvga_fifo_read_raw(s);
for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++) for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)