From: aurel32 Date: Sat, 1 Nov 2008 00:53:39 +0000 (+0000) Subject: CVE-2008-4539: fix a heap overflow in Cirrus emulation X-Git-Tag: Tizen_Studio_1.3_Release_p2.3.1~10771 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9a38ff41bbdd9443afaf8b14da8fde1dd06bb15d;p=sdk%2Femulator%2Fqemu.git CVE-2008-4539: fix a heap overflow in Cirrus emulation The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann) Signed-off-by: Aurelien Jarno git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162 --- diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c index 55f3ced340..af9c9e6a8d 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c @@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) { + if (BLTUNSAFE(s)) + return 0; + if (s->ds->dpy_copy) { cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr, s->cirrus_blt_srcaddr - s->start_addr, s->cirrus_blt_width, s->cirrus_blt_height); } else { - - if (BLTUNSAFE(s)) - return 0; - (*s->cirrus_rop) (s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), s->vram_ptr +
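Review bot: the hoisted `BLTUNSAFE(s)` guard at the top of `cirrus_bitblt_videotovideo_copy` is the right placement, since the old check sat only in the `else` branch and the `s->ds->dpy_copy` path passed `cirrus_blt_dstaddr`, `cirrus_blt_srcaddr`, `cirrus_blt_width` and `cirrus_blt_height` to `cirrus_do_copy` unvalidated, which is exactly the VNC case the commit message describes. Consider adding a one-line comment above the guard stating that both branches depend on it, so a future refactor of the display path does not reintroduce the same bypass that the misapplied CVE-2007-1320 fix left behind. Also note that the visible context of the hunk ends inside the `(*s->cirrus_rop)` call, so the rest of the `else` branch is not shown here; anyone reviewing the backport should confirm against the full file that no other early-return path in that branch was relying on the removed lines.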