vmsvga: more cursor checks

Check the cursor size more carefully. Also switch to unsigned while being at it, so they can't be negative. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Gerd Hoffmann <kraxel@redhat.com> 2015-09-29 09:58:05 +0200
committer: Gerd Hoffmann <kraxel@redhat.com> 2015-10-20 09:26:36 +0200
commit: 5829b097204189c56dd1fb62c7f827360394bb39 (patch)
tree: 6dfd33e95adb029980b31f71dfdf0c02ba94d14f /hw
parent: b798c1905705e6ab44279d8a9ae41e500756eb1c (diff)
download: qemu-5829b097204189c56dd1fb62c7f827360394bb39.zip
1 files changed, 7 insertions, 4 deletions
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 8e9350981c..9354037852 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -488,10 +488,10 @@ static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
 #endif
 
 struct vmsvga_cursor_definition_s {
-    int width;
-    int height;
+    uint32_t width;
+    uint32_t height;
     int id;
-    int bpp;
+    uint32_t bpp;
     int hot_x;
     int hot_y;
     uint32_t mask[1024];
@@ -658,7 +658,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             cursor.bpp = vmsvga_fifo_read(s);
 
             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
-            if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+            if (cursor.width > 256 ||
+                cursor.height > 256 ||
+                cursor.bpp > 32 ||
+                SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
                 SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
                     goto badcmd;
             }
author	Gerd Hoffmann <kraxel@redhat.com>	2015-09-29 09:58:05 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2015-10-20 09:26:36 +0200
commit	5829b097204189c56dd1fb62c7f827360394bb39 (patch)
tree	6dfd33e95adb029980b31f71dfdf0c02ba94d14f /hw
parent	b798c1905705e6ab44279d8a9ae41e500756eb1c (diff)
download	qemu-5829b097204189c56dd1fb62c7f827360394bb39.zip