Commit c2e3c54d authored by Gerd Hoffmann's avatar Gerd Hoffmann
Browse files

vmsvga: add more fifo checks 



Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: default avatar李强 <liqiang6-s@360.cn>
Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
parent 52136026

hw/display/vmware_vga.c

+4 −1
Original line number Diff line number Diff line
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) 
    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {

        return 0;

    }

    if (CMD(max) > SVGA_FIFO_SIZE) {

    if (CMD(max) > SVGA_FIFO_SIZE ||

        CMD(min) >= SVGA_FIFO_SIZE ||

        CMD(stop) >= SVGA_FIFO_SIZE ||

        CMD(next_cmd) >= SVGA_FIFO_SIZE) {

        return 0;

    }

    if (CMD(max) < CMD(min) + 10 * 1024) {