From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 19 Nov 2014 12:27:28 +0000 (+0100)
Subject: cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
X-Git-Tag: TizenStudio_2.0_p2.3.2~208^2~434^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bf25983345ca44aec3dd92c57142be45452bd38a;p=sdk%2Femulator%2Fqemu.git

cirrus: don't overflow CirrusVGAState->cirrus_bltbuf

This is CVE-2014-8106.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index d54fb06..2725264 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
     assert(s->cirrus_blt_width > 0);
     assert(s->cirrus_blt_height > 0);
 
+    if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+        return true;
+    }
+
     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
         return true;