rpms / qemu-kvm

Clone
Source Code
GIT

Blame SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-rhel c8-sig-altarch-stream-rhel c8-stream-rhel c8s-stream-rhel c9 c9-beta
  1.   c7-beta
  2.   SOURCES
  3.   kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch
Blob History Raw
9ae3a8 
From 8d230a5a57512c84545bd6345775e69b4b3b1983 Mon Sep 17 00:00:00 2001
9ae3a8 
From: Gerd Hoffmann <kraxel@redhat.com>
9ae3a8 
Date: Tue, 7 Feb 2017 10:07:46 +0100
9ae3a8 
Subject: [PATCH 03/11] cirrus_vga: fix off-by-one in blit_region_is_unsafe
9ae3a8
9ae3a8 
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
9ae3a8 
Message-id: <1486462072-32174-2-git-send-email-kraxel@redhat.com>
9ae3a8 
Patchwork-id: 73564
9ae3a8 
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] cirrus_vga: fix off-by-one in blit_region_is_unsafe
9ae3a8 
Bugzilla: 1418233
9ae3a8 
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
9ae3a8 
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8 
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
9ae3a8
9ae3a8 
From: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8
9ae3a8 
The "max" value is being compared with >=, but addr + width points to
9ae3a8 
the first byte that will _not_ be copied.  Laszlo suggested using a
9ae3a8 
"greater than" comparison, instead of subtracting one like it is
9ae3a8 
already done above for the height, so that max remains always positive.
9ae3a8
9ae3a8 
The mistake is "safe"---it will reject some blits, but will never cause
9ae3a8 
out-of-bounds writes.
9ae3a8
9ae3a8 
Cc: Gerd Hoffmann <kraxel@redhat.com>
9ae3a8 
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8 
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
9ae3a8 
Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com
9ae3a8 
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
9ae3a8 
(cherry picked from commit d2ba7ecb348d3b996fcd920cf1ca7b72722c1dfd)
9ae3a8 
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
9ae3a8 
---
9ae3a8 
 hw/display/cirrus_vga.c | 4 ++--
9ae3a8 
 1 file changed, 2 insertions(+), 2 deletions(-)
9ae3a8
9ae3a8 
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
9ae3a8 
index 717ecdb..c42dfcf 100644
9ae3a8 
--- a/hw/display/cirrus_vga.c
9ae3a8 
+++ b/hw/display/cirrus_vga.c
9ae3a8 
@@ -272,14 +272,14 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
9ae3a8 
             + ((int64_t)s->cirrus_blt_height-1) * pitch;
9ae3a8 
         int32_t max = addr
9ae3a8 
             + s->cirrus_blt_width;
9ae3a8 
-        if (min < 0 || max >= s->vga.vram_size) {
9ae3a8 
+        if (min < 0 || max > s->vga.vram_size) {
9ae3a8 
             return true;
9ae3a8 
         }
9ae3a8 
     } else {
9ae3a8 
         int64_t max = addr
9ae3a8 
             + ((int64_t)s->cirrus_blt_height-1) * pitch
9ae3a8 
             + s->cirrus_blt_width;
9ae3a8 
-        if (max >= s->vga.vram_size) {
9ae3a8 
+        if (max > s->vga.vram_size) {
9ae3a8 
             return true;
9ae3a8 
         }
9ae3a8 
     }
9ae3a8 
--
9ae3a8 
1.8.3.1
9ae3a8

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation