+-- On Thu, 8 Sep 2016, P J P wrote --+
| From: Prasad J Pandit <p...@fedoraproject.org>
|
| When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
| the computed BITMAP and PIXMAP size are checked against the
| 'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
| Correct these checks to avoid OOB memory access.
|
| Reported-by: Qinghao Tang <luodalon...@gmail.com>
| Reported-by: Li Qiang <liqiang...@360.cn>
| Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
| ---
| hw/display/vmware_vga.c | 12 +++++++-----
| 1 file changed, 7 insertions(+), 5 deletions(-)
|
| diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
| index e51a05e..6599cf0 100644
| --- a/hw/display/vmware_vga.c
| +++ b/hw/display/vmware_vga.c
| @@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
| cursor.bpp = vmsvga_fifo_read(s);
|
| args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
| - if (cursor.width > 256 ||
| - cursor.height > 256 ||
| - cursor.bpp > 32 ||
| - SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
| - SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
| + if (cursor.width > 256
| + || cursor.height > 256
| + || cursor.bpp > 32
| + || SVGA_BITMAP_SIZE(x, y)
| + > sizeof(cursor.mask) / sizeof(cursor.mask[0])
| + || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
| + > sizeof(cursor.image) / sizeof(cursor.image[0])) {
| goto badcmd;
| }
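Review bot: The last two conditions of the new `if` spell the element count out by hand as `sizeof(cursor.mask) / sizeof(cursor.mask[0])`, where QEMU's existing `ARRAY_SIZE()` macro says the same thing in one token and keeps the bound tied to the array's element type: `|| SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask)` and `|| SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > ARRAY_SIZE(cursor.image)`. Either form is only correct if SVGA_BITMAP_SIZE/SVGA_PIXMAP_SIZE return a count in array elements rather than bytes, which the hunk does not show (the commit message implies that mismatch was the original bug), so a one-line comment above the check such as `/* SVGA_*_SIZE count array elements, not bytes: compare against element counts */` would stop a later reader from "simplifying" back to plain `sizeof`. It is also worth confirming that `args`, computed on the line above from the same two macros, is what every subsequent read of the cursor data is sized by, so that no path consumes mask/image words without passing this guard; that cannot be verified from the hunk. vmsvga_fifo_run begins and ends outside the hunk.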
Ping...! -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F