cirrus: don't overflow CirrusVGAState->cirrus_bltbuf

This is CVE-2014-8106. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Gerd Hoffmann <kraxel@redhat.com> 2014-11-19 13:27:28 +0100
committer: Gerd Hoffmann <kraxel@redhat.com> 2014-12-01 10:25:46 +0100
commit: bf25983345ca44aec3dd92c57142be45452bd38a (patch)
tree: 2e2b151748b5be8420cb97b7b75ff05e80b9954c
parent: d3532a0db02296e687711b8cdc7791924efccea0 (diff)
download: qemu-bf25983345ca44aec3dd92c57142be45452bd38a.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index d54fb06461..27252646bc 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
     assert(s->cirrus_blt_width > 0);
     assert(s->cirrus_blt_height > 0);
 
+    if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+        return true;
+    }
+
     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
         return true;
author	Gerd Hoffmann <kraxel@redhat.com>	2014-11-19 13:27:28 +0100
committer	Gerd Hoffmann <kraxel@redhat.com>	2014-12-01 10:25:46 +0100
commit	bf25983345ca44aec3dd92c57142be45452bd38a (patch)
tree	2e2b151748b5be8420cb97b7b75ff05e80b9954c
parent	d3532a0db02296e687711b8cdc7791924efccea0 (diff)
download	qemu-bf25983345ca44aec3dd92c57142be45452bd38a.tar.gz