Commit d2ba7ecb authored Feb 10, 2016 by Paolo Bonzini Committed by Gerd Hoffmann Mar 01, 2016

cirrus_vga: fix off-by-one in blit_region_is_unsafe



The "max" value is being compared with >=, but addr + width points to
the first byte that will _not_ be copied.  Laszlo suggested using a
"greater than" comparison, instead of subtracting one like it is
already done above for the height, so that max remains always positive.

The mistake is "safe"---it will reject some blits, but will never cause
out-of-bounds writes.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

parent 071608b5

hw/display/cirrus_vga.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -276,14 +276,14 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
		+ ((int64_t)s->cirrus_blt_height-1) * pitch;
		int32_t max = addr
		+ s->cirrus_blt_width;
		if (min < 0 \|\| max >= s->vga.vram_size) {
		if (min < 0 \|\| max > s->vga.vram_size) {
		return true;
		}
		} else {
		int64_t max = addr
		+ ((int64_t)s->cirrus_blt_height-1) * pitch
		+ s->cirrus_blt_width;
		if (max >= s->vga.vram_size) {
		if (max > s->vga.vram_size) {
		return true;
		}
		}