1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 29 Oct 2014 12:56:09 +0100
Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
---
hw/display/vmware_vga.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 19c9bd3..d18a1eb 100644
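--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -27,8 +27,8 @@
 #include "hw/pci/pci.h"
 
 #undef VERBOSE
-#if 0
 #define HW_RECT_ACCEL
+#if 0
 #define HW_FILL_ACCEL
 #endif
 #define HW_MOUSE_ACCEL
@@ -404,7 +404,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
 }
 
 #ifdef HW_RECT_ACCEL
-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
 int x0, int y0, int x1, int y1, int w, int h)
 {
 DisplaySurface *surface = qemu_console_surface(s->vga.con);
@@ -415,6 +415,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
 int line = h;
 uint8_t *ptr[2];
 
+ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
+ return -1;
+ }
+ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
+ return -1;
+ }
+
 if (y1 > y0) {
 ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
 ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
@@ -430,6 +437,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
 }
 
 vmsvga_update_rect_delayed(s, x1, y1, w, h);
+ return 0;
 }
 #endif
 
@@ -623,12 +631,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 width = vmsvga_fifo_read(s);
 height = vmsvga_fifo_read(s);
 #ifdef HW_RECT_ACCEL
- vmsvga_copy_rect(s, x, y, dx, dy, width, height);
- break;
-#else
+ if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
+ break;
+ }
+#endif
 args = 0;
 goto badcmd;
-#endif
 
 case SVGA_CMD_DEFINE_CURSOR:
 len -= 8;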
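Review bot: In the vmsvga_copy_rect hunk the return type changes to int, but nothing at the definition states the contract that the caller in vmsvga_fifo_run now depends on; a comment above the signature such as `/* Returns 0 on success, -1 if the source or destination rectangle fails vmsvga_verify_rect; nothing is copied on failure. */` would make it explicit. The guest-supplied x, y, dx, dy, width and height reach `vram + bypp * x0 + bypl * (y0 + h - 1)` only after the two new checks, so the bounds safety of the copy rests on vmsvga_verify_rect, whose body is not part of this patch; it is worth confirming there that zero or negative w and h, and overflow in x + w and y + h, are rejected. In the first hunk `#if 0` now guards only HW_FILL_ACCEL, and a short comment saying why fill acceleration stays disabled (presumably until vmsvga_fill_rect gets the same verification) would keep it from being re-enabled by accident. The body of vmsvga_copy_rect extends beyond the hunks shown.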