1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 29 Oct 2014 12:56:10 +0100
Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
---
hw/display/vmware_vga.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index d18a1eb..5c254b9 100644
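--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -28,9 +28,7 @@
 
 #undef VERBOSE
 #define HW_RECT_ACCEL
-#if 0
 #define HW_FILL_ACCEL
-#endif
 #define HW_MOUSE_ACCEL
 
 #include "vga_int.h"
@@ -442,7 +440,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
 #endif
 
 #ifdef HW_FILL_ACCEL
-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
 uint32_t c, int x, int y, int w, int h)
 {
 DisplaySurface *surface = qemu_console_surface(s->vga.con);
@@ -455,6 +453,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
 uint8_t *src;
 uint8_t col[4];
 
+ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+ return -1;
+ }
+
 col[0] = c;
 col[1] = c >> 8;
 col[2] = c >> 16;
@@ -479,6 +481,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
 }
 
 vmsvga_update_rect_delayed(s, x, y, w, h);
+ return 0;
 }
 #endif
 
@@ -611,12 +614,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 width = vmsvga_fifo_read(s);
 height = vmsvga_fifo_read(s);
 #ifdef HW_FILL_ACCEL
- vmsvga_fill_rect(s, colour, x, y, width, height);
- break;
-#else
+ if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
+ break;
+ }
+#endif
 args = 0;
 goto badcmd;
-#endif
 
 case SVGA_CMD_RECT_COPY:
 len -= 7;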
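Review bot: Removing the `#if 0` around `HW_FILL_ACCEL` makes vmsvga_fill_rect reachable from the guest-driven FIFO again, and the only thing between the FIFO-supplied x, y, width and height and the surface writes is the new vmsvga_verify_rect call, whose definition is not part of this patch. The fill loop between the `col[]` setup and vmsvga_update_rect_delayed lies outside the hunks, so it should be confirmed that it is safe for every rectangle the verifier accepts (a zero width or height, for instance, if those pass). I would document the contract at the check, e.g. `/* x, y, w, h are guest-controlled; nothing below may touch the surface before this check */`, and state on the function that it returns 0 on success and -1 for a rejected rectangle. In vmsvga_fifo_run the failure path now falls out of the `#ifdef` into `args = 0; goto badcmd;`, which deserves a one-line comment such as `/* rejected rectangle: handled as a bad command */`; both function bodies continue outside the hunks shown.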