yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch

4f5da8
From 900ccf5cf6497234e1d3b1e80f4dfa8a60bcfb06 Mon Sep 17 00:00:00 2001
4f5da8
From: Gerd Hoffmann <kraxel@redhat.com>
4f5da8
Date: Tue, 7 Feb 2017 10:07:46 +0100
4f5da8
Subject: [PATCH 2/8] cirrus_vga: fix off-by-one in blit_region_is_unsafe
4f5da8
4f5da8
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
4f5da8
Message-id: <1486462072-32174-2-git-send-email-kraxel@redhat.com>
4f5da8
Patchwork-id: 73564
4f5da8
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] cirrus_vga: fix off-by-one in blit_region_is_unsafe
4f5da8
Bugzilla: 1418232
4f5da8
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
4f5da8
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
4f5da8
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
4f5da8
4f5da8
From: Paolo Bonzini <pbonzini@redhat.com>
4f5da8
4f5da8
The "max" value is being compared with >=, but addr + width points to
4f5da8
the first byte that will _not_ be copied.  Laszlo suggested using a
4f5da8
"greater than" comparison, instead of subtracting one like it is
4f5da8
already done above for the height, so that max remains always positive.
4f5da8
4f5da8
The mistake is "safe"---it will reject some blits, but will never cause
4f5da8
out-of-bounds writes.
4f5da8
4f5da8
Cc: Gerd Hoffmann <kraxel@redhat.com>
4f5da8
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4f5da8
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
4f5da8
Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com
4f5da8
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
4f5da8
(cherry picked from commit d2ba7ecb348d3b996fcd920cf1ca7b72722c1dfd)
4f5da8
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
4f5da8
---
4f5da8
 hw/display/cirrus_vga.c | 4 ++--
4f5da8
 1 file changed, 2 insertions(+), 2 deletions(-)
4f5da8
4f5da8
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
4f5da8
index 717ecdb..c42dfcf 100644
4f5da8
--- a/hw/display/cirrus_vga.c
4f5da8
+++ b/hw/display/cirrus_vga.c
4f5da8
@@ -272,14 +272,14 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
4f5da8
             + ((int64_t)s->cirrus_blt_height-1) * pitch;
4f5da8
         int32_t max = addr
4f5da8
             + s->cirrus_blt_width;
4f5da8
-        if (min < 0 || max >= s->vga.vram_size) {
4f5da8
+        if (min < 0 || max > s->vga.vram_size) {
4f5da8
             return true;
4f5da8
         }
4f5da8
     } else {
4f5da8
         int64_t max = addr
4f5da8
             + ((int64_t)s->cirrus_blt_height-1) * pitch
4f5da8
             + s->cirrus_blt_width;
4f5da8
-        if (max >= s->vga.vram_size) {
4f5da8
+        if (max > s->vga.vram_size) {
4f5da8
             return true;
4f5da8
         }
4f5da8
     }
4f5da8
-- 
4f5da8
1.8.3.1
4f5da8