authorRoland Dreier <rdreier@cisco.com>2010-01-05 20:43:34 -0800
committerAnthony Liguori <aliguori@us.ibm.com>2010-01-11 09:56:30 -0600
commitf2d928d44ebc918750c94f3605c1417f1f653ec9 (patch)
tree7f1e6940b95b59320d1aea373681f7138be1d985 /hw/vmware_vga.c
parente73223a5849d9e695b5f3b5a4a2a812e68e3735d (diff)
vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow
Check that the cursor dimensions passed from the guest for the DEFINE_CURSOR command don't overflow the available space in the cursor.image[] or cursor.mask[] arrays before copying data from the guest into those arrays. Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hw/vmware_vga.c')
-rw-r--r--hw/vmware_vga.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index cdc1a05b0..e70936913 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.height = y = vmsvga_fifo_read(s);
vmsvga_fifo_read(s);
cursor.bpp = vmsvga_fifo_read(s);
+
+ if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+ SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+ goto badcmd;
+ }
+
for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++)
cursor.mask[args] = vmsvga_fifo_read_raw(s);
for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
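Review bot: The added bounds check compares an element count with a byte count: the copy loops below index `cursor.mask[args]` and `cursor.image[args]` up to `SVGA_BITMAP_SIZE(x, y)` and `SVGA_PIXMAP_SIZE(x, y, cursor.bpp)`, while `sizeof cursor.mask` and `sizeof cursor.image` are sizes in bytes. If the array elements are wider than one byte (their declarations are outside this hunk), guest-supplied dimensions can pass the check and the loops still write past the end of the arrays. Comparing against the element count closes that gap: `SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask / sizeof cursor.mask[0] ||` and `SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image / sizeof cursor.image[0]) {`. It would also be worth capping `x`, `y` and `cursor.bpp` individually before the macros are evaluated, since their arithmetic on guest-controlled values may wrap (the macro definitions are not visible here). vmsvga_fifo_run starts and ends outside the hunk.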