Commit 7cdc61be authored Mar 09, 2018 by Gerd Hoffmann

vga: fix region calculation



Typically the scanline length and the line offset are identical.  But
in case they are not our calculation for region_end is incorrect.  Using
line_offset is fine for all scanlines, except the last one where we have
to use the actual scanline length.

Fixes: CVE-2018-7550
Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Message-id: 20180309143704.13420-1-kraxel@redhat.com

parent e4ae62b8

hw/display/vga.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1483,6 +1483,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)

		region_start = (s->start_addr * 4);
		region_end = region_start + (ram_addr_t)s->line_offset * height;
		region_end += width * s->get_bpp(s) / 8; /* scanline length */
		region_end -= s->line_offset;
		if (region_end > s->vbe_size) {
		/* wraps around (can happen with cirrus vbe modes) */
		region_start = 0;