diff options
author | Gerd Hoffmann <kraxel@redhat.com> | 2014-11-19 13:27:28 +0100 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2014-12-01 10:25:46 +0100 |
commit | bf25983345ca44aec3dd92c57142be45452bd38a (patch) | |
tree | 2e2b151748b5be8420cb97b7b75ff05e80b9954c | |
parent | d3532a0db02296e687711b8cdc7791924efccea0 (diff) | |
download | qemu-bf25983345ca44aec3dd92c57142be45452bd38a.zip |
cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
This is CVE-2014-8106.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r-- | hw/display/cirrus_vga.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index d54fb06461..27252646bc 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) assert(s->cirrus_blt_width > 0); assert(s->cirrus_blt_height > 0); + if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) { + return true; + } + if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { return true; |