summaryrefslogtreecommitdiff
path: root/hw/cirrus_vga_rop.h
diff options
context:
space:
mode:
authoraurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>2008-05-05 21:26:31 +0000
committeraurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>2008-05-05 21:26:31 +0000
commitb2eb849d4b1fdb6f35d5c46958c7f703cf64cfef (patch)
treeef4496074c346e25170b4209c0f337a0d406f57f /hw/cirrus_vga_rop.h
parentcbf5c748e202c6f02e63d1ba45757925e65a64fa (diff)
CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow
I have just noticed that patch for CVE-2007-1320 has never been applied to the QEMU CVS. Please find it below. | Multiple heap-based buffer overflows in the cirrus_invalidate_region | function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and | possibly other products, might allow local users to execute arbitrary | code via unspecified vectors related to "attempting to mark | non-existent regions as dirty," aka the "bitblt" heap overflow. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4340 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'hw/cirrus_vga_rop.h')
-rw-r--r--hw/cirrus_vga_rop.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/cirrus_vga_rop.h b/hw/cirrus_vga_rop.h
index 3d6a1fef1..0079d1270 100644
--- a/hw/cirrus_vga_rop.h
+++ b/hw/cirrus_vga_rop.h
@@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
int x,y;
dstpitch -= bltwidth;
srcpitch -= bltwidth;
+
+ if (dstpitch < 0 || srcpitch < 0) {
+ /* is 0 valid? srcpitch == 0 could be useful */
+ return;
+ }
+
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
ROP_OP(*dst, *src);