From b990e99b42e638a5719cf1cdc2881a6467886fcf Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Wed, 3 Dec 2014 09:17:56 +0100 Subject: [PATCH 3/3] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf RH-Author: Gerd Hoffmann Message-id: <1417594676-5663-3-git-send-email-kraxel@redhat.com> O-Subject: [RHEL-7.1 qemu-kvm PATCH 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf Bugzilla: 1169456 RH-Acked-by: Paolo Bonzini RH-Acked-by: Laszlo Ersek RH-Acked-by: Dr. David Alan Gilbert This is CVE-2014-8106. Signed-off-by: Gerd Hoffmann (cherry picked from commit bf25983345ca44aec3dd92c57142be45452bd38a) --- hw/display/cirrus_vga.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 9ae8313..717ecdb 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -292,6 +292,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) assert(s->cirrus_blt_width > 0); assert(s->cirrus_blt_height > 0); + if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) { + return true; + } + if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { return true; -- 1.8.3.1