ab9509ccea
Related spice-only bug. We have a fixed 16 MB buffer here, being presented to the spice-server as qxl video memory in case spice is used with a non-qxl card. It's also used with qxl in vga mode. When using display resolutions requiring more than 16 MB of memory we are going to overflow that buffer. In theory the guest can write, indirectly via spice-server. The spice-server clears the memory after setting a new video mode though, triggering a segfault in the overflow case, so qemu crashes before the guest has a chance to do something evil. Fix that by switching to dynamic allocation for the buffer. CVE-2014-3615 Cc: qemu-stable@nongnu.org Cc: secalert@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> |
||
|---|---|---|
| .. | ||
| cocoa.m | ||
| console.c | ||
| curses_keys.h | ||
| curses.c | ||
| cursor_hidden.xpm | ||
| cursor_left_ptr.xpm | ||
| cursor.c | ||
| d3des.c | ||
| d3des.h | ||
| gtk.c | ||
| input-keymap.c | ||
| input-legacy.c | ||
| input.c | ||
| keymaps.c | ||
| keymaps.h | ||
| Makefile.objs | ||
| qemu-pixman.c | ||
| qemu-x509.h | ||
| sdl2-keymap.h | ||
| sdl2.c | ||
| sdl_keysym.h | ||
| sdl_zoom_template.h | ||
| sdl_zoom.c | ||
| sdl_zoom.h | ||
| sdl.c | ||
| spice-core.c | ||
| spice-display.c | ||
| spice-input.c | ||
| vgafont.h | ||
| vnc_keysym.h | ||
| vnc-auth-sasl.c | ||
| vnc-auth-sasl.h | ||
| vnc-auth-vencrypt.c | ||
| vnc-auth-vencrypt.h | ||
| vnc-enc-hextile-template.h | ||
| vnc-enc-hextile.c | ||
| vnc-enc-tight.c | ||
| vnc-enc-tight.h | ||
| vnc-enc-zlib.c | ||
| vnc-enc-zrle-template.c | ||
| vnc-enc-zrle.c | ||
| vnc-enc-zrle.h | ||
| vnc-enc-zywrle-template.c | ||
| vnc-enc-zywrle.h | ||
| vnc-jobs.c | ||
| vnc-jobs.h | ||
| vnc-palette.c | ||
| vnc-palette.h | ||
| vnc-tls.c | ||
| vnc-tls.h | ||
| vnc-ws.c | ||
| vnc-ws.h | ||
| vnc.c | ||
| vnc.h | ||
| x_keymap.c | ||
| x_keymap.h | ||