cirrus: fix oob access issue (CVE-2017-2615)
authorLi Qiang <liqiang6-s@360.cn>
Wed, 1 Feb 2017 08:35:01 +0000 (09:35 +0100)
committerGerd Hoffmann <kraxel@redhat.com>
Thu, 2 Feb 2017 14:58:23 +0000 (15:58 +0100)
commit62d4c6bd5263bb8413a06c80144fc678df6dfb64
treeaa25a3b95608e0f825c312751b11bf7039080b2d
parent60cd23e85151525ab26591394c4e7e06fa07d216
cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
hw/display/cirrus_vga.c