From c5e26182fedef98b73f50e9fac3ae09696e59880 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Wed, 26 Feb 2014 11:44:47 +0100 Subject: [PATCH 2/6] qxl: add sanity check RH-Author: Gerd Hoffmann Message-id: <1393415087-3776-2-git-send-email-kraxel@redhat.com> Patchwork-id: 57815 O-Subject: [RHEL-7 qemu-kvm PATCH 1/1] qxl: add sanity check Bugzilla: 751937 RH-Acked-by: Laszlo Ersek RH-Acked-by: Dr. David Alan Gilbert (git) RH-Acked-by: Paolo Bonzini Signed-off-by: Gerd Hoffmann Reviewed-by: Laszlo Ersek (cherry picked from commit 9c70434f825fd0d2e89d1aa0f872159378d0aab3) --- hw/display/qxl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) Signed-off-by: Miroslav Rezanina --- hw/display/qxl.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 4381d97..4fe4f1b 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -1417,7 +1417,7 @@ static int qxl_destroy_primary(PCIQXLDevice *d, qxl_async_io async) return 1; } -static void qxl_set_mode(PCIQXLDevice *d, int modenr, int loadvm) +static void qxl_set_mode(PCIQXLDevice *d, unsigned int modenr, int loadvm) { pcibus_t start = d->pci.io_regions[QXL_RAM_RANGE_INDEX].addr; pcibus_t end = d->pci.io_regions[QXL_RAM_RANGE_INDEX].size + start; @@ -1427,6 +1427,12 @@ static void qxl_set_mode(PCIQXLDevice *d, int modenr, int loadvm) .mem_start = start, .mem_end = end }; + + if (modenr >= d->modes->n_modes) { + qxl_set_guest_bug(d, "mode number out of range"); + return; + } + QXLSurfaceCreate surface = { .width = mode->x_res, .height = mode->y_res, -- 1.7.1