Commit 63f495be authored Feb 24, 2017 by Peter Maydell

Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2017-2620-20170224-1' into staging



cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

# gpg: Signature made Fri 24 Feb 2017 13:42:39 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-cve-2017-2620-20170224-1:
  cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

parents 5842b55f 92f2b88c

hw/display/cirrus_vga.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
		{
		int w;

		if (blit_is_unsafe(s, true)) {
		return 0;
		}

		s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
		s->cirrus_srcptr = &s->cirrus_bltbuf[0];
		s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
		@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
		}
		s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
		}

		/* the blit_is_unsafe call above should catch this */
		assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);

		s->cirrus_srcptr = s->cirrus_bltbuf;
		s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
		cirrus_update_memory_access(s);