qemu/ui
Gerd Hoffmann eb8934b041 vnc: fix memory corruption (CVE-2015-5225)
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative.  Result is (possibly
exploitable) memory corruption.  Reason for that is it uses the stride
instead of bytes per scanline to apply limits.

For the server surface is is actually fine.  vnc creates that itself,
there is never any padding and thus scanline length always equals stride.

For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way.  So add and use a new variable
(guest_ll) for the guest scanline length.  Also rename min_stride to
line_bytes to make more clear what it actually is.  Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.

Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
Reviewed-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-08-26 17:54:33 +02:00
..
shader console-gl: add opengl rendering helper functions 2015-05-05 10:48:22 +02:00
cocoa.m ui/cocoa.m: Add machine menu items to change and eject removable drive media 2015-06-19 11:22:31 +01:00
console-gl.c console-gl: add opengl rendering helper functions 2015-05-05 10:48:22 +02:00
console.c ui/console: remove dpy_gfx_update_dirty 2015-06-05 17:09:59 +02:00
curses_keys.h janitor: add guards to headers 2012-12-19 08:31:31 +01:00
curses.c input/curses: add kbd delay between keydown and keyup events 2014-06-04 08:40:42 +02:00
cursor_hidden.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor_left_ptr.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor.c ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
egl-helpers.c ui: add egl-helpers 2015-05-29 11:11:38 +02:00
gtk-egl.c gtk: add opengl support, using egl 2015-05-29 11:43:29 +02:00
gtk.c gtk: don't exit early in case gtk init fails 2015-06-11 11:37:56 +02:00
input-keymap.c kbd: add brazil kbd keys to qemu 2015-05-29 10:30:06 +02:00
input-legacy.c Include monitor/monitor.h exactly where needed 2015-06-22 18:20:41 +02:00
input.c qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
keymaps.c keymaps: correct keymaps.c following Qemu coding style 2014-12-10 10:08:12 +01:00
keymaps.h
Makefile.objs ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
qemu-pixman.c ui/pixman: add qemu_pixman_check_format 2015-01-19 13:33:26 +01:00
qemu-x509.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
sdl2-2d.c sdl2: Fix RGB555 2015-05-05 10:48:26 +02:00
sdl2-gl.c sdl2: add support for display rendering using opengl. 2015-05-05 10:48:26 +02:00
sdl2-input.c sdl2: move SDL_* includes to sdl2.h 2015-05-05 10:48:26 +02:00
sdl2-keymap.h sdl2: keymap fixups 2014-09-16 08:07:05 +02:00
sdl2.c sdl2: fix crash in handle_windowevent() when restoring the screen size 2015-06-09 10:25:21 +02:00
sdl_keysym.h ui/sdl2 : initial port to SDL 2.0 (v2.0) 2014-03-05 09:52:05 +01:00
sdl_zoom_template.h sdl: Fix heap smash in sdl_zoom_rgb{16,32} for int > 32 bits 2013-01-15 18:25:30 -06:00
sdl_zoom.c sdl: Fix heap smash in sdl_zoom_rgb{16,32} for int > 32 bits 2013-01-15 18:25:30 -06:00
sdl_zoom.h
sdl.c sdl2: add support for display rendering using opengl. 2015-05-05 10:48:26 +02:00
shader.c console-gl: add opengl rendering helper functions 2015-05-05 10:48:22 +02:00
spice-core.c qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
spice-display.c Include monitor/monitor.h exactly where needed 2015-06-22 18:20:41 +02:00
spice-input.c spice: input: Fix absolute mouse y coordinates 2014-03-24 08:41:21 +01:00
vgafont.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
vnc_keysym.h qemu-char: add cyrillic characters 'numerosign' to VNC keysyms 2015-03-10 08:15:34 +03:00
vnc-auth-sasl.c Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler 2015-06-12 13:26:21 +01:00
vnc-auth-sasl.h aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
vnc-auth-vencrypt.c Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler 2015-06-12 13:26:21 +01:00
vnc-auth-vencrypt.h
vnc-enc-hextile-template.h pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-hextile.c pixman/vnc: remove dead code. 2012-11-01 14:00:05 +01:00
vnc-enc-tight.c vnc-enc-tight: fix Arguments in wrong order 2014-12-10 10:08:12 +01:00
vnc-enc-tight.h
vnc-enc-zlib.c
vnc-enc-zrle-template.c
vnc-enc-zrle.c pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-zrle.h
vnc-enc-zywrle-template.c
vnc-enc-zywrle.h misc: Spelling and grammar fixes in comments 2013-10-26 13:06:45 +04:00
vnc-jobs.c Include monitor/monitor.h exactly where needed 2015-06-22 18:20:41 +02:00
vnc-jobs.h ui/vnc: Remove vnc_stop_worker_thread() 2015-03-10 08:15:33 +03:00
vnc-palette.c ui/vnc-palette.c: Include headers it needs 2012-12-06 09:17:05 +01:00
vnc-palette.h misc: move include files to include/qemu/ 2012-12-19 08:32:39 +01:00
vnc-tls.c ui/vnc : remove 'struct' of 'typedef struct' 2015-04-30 16:05:48 +03:00
vnc-tls.h ui: remove unused 'wiremode' variable in VncState struct 2015-03-18 09:25:13 +01:00
vnc-ws.c ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
vnc-ws.h ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
vnc.c vnc: fix memory corruption (CVE-2015-5225) 2015-08-26 17:54:33 +02:00
vnc.h ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
x_keymap.c kbd: add brazil kbd keys to x11 evdev map 2015-05-29 10:30:06 +02:00
x_keymap.h