On Thu, Apr 07, 2022 at 06:46:00PM +0100, Peter Maydell wrote:
> On Thu, 7 Apr 2022 at 10:21, Marc-André Lureau
> <marcandre.lur...@gmail.com> wrote:
> >
> > On Thu, Apr 7, 2022 at 12:23 PM Mauro Matteo Cascella <mcasc...@redhat.com>
> > wrote:
> >>
> >> Prevent potential integer overflow by limiting 'width' and 'height' to
> >> 512x512. Also change 'datasize' type to size_t. Refer to security
> >> advisory https://starlabs.sg/advisories/22-4206/ for more information.
> >>
> >> Fixes: CVE-2021-4206
> >
> > (the Starlabs advisory has 2022, I guess it's wrong then)
> >
> >> Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
> >
> > Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
>
> Does this fix (or any of the other cursor-related stuff I've seen
> floating past) need to go into 7.0 ? (ie is it release-critical?)
Yes. The integer overflow can be triggered easily by guests. Hitting
the double read race condition is harder but probably possible too.

Pull request sent minutes ago.

take care,
  Gerd
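To make the two halves of the fix discussed in this thread concrete (clamping width/height to 512x512 and computing the buffer size in size_t), here is an added example that is not QEMU's code and not part of the original thread. The cursor_t struct, the 512 limit as a macro, and the use of uint32_t for the "before" arithmetic (so the wraparound is defined behaviour in the demo rather than the signed-int UB of the real bug) are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cursor object for this example (not QEMU's QEMUCursor). */
typedef struct {
    uint16_t width;
    uint16_t height;
    uint32_t *data;          /* width * height ARGB pixels */
} cursor_t;

/* Limit chosen by the patch under discussion: at most 512x512 pixels. */
#define CURSOR_MAX_DIM 512

/* "Before": guest-supplied width/height feed a 32-bit multiply.
 * 32768 * 32768 * 4 == 2^32, which wraps to 0, so a buffer far too small
 * for the pixel copy would be allocated. uint32_t is an assumption here
 * so that the wrap is well defined; the real bug used int. */
uint32_t cursor_datasize_wrapping(uint16_t w, uint16_t h)
{
    return (uint32_t)w * (uint32_t)h * (uint32_t)sizeof(uint32_t);
}

/* "After": reject out-of-range dimensions first, then do the arithmetic in
 * size_t. Returns 0 when the request is rejected (0 can never be a valid
 * size because zero dimensions are also rejected). */
size_t cursor_datasize_checked(uint16_t w, uint16_t h)
{
    if (w == 0 || h == 0 || w > CURSOR_MAX_DIM || h > CURSOR_MAX_DIM) {
        return 0;
    }
    return (size_t)w * (size_t)h * sizeof(uint32_t);
}

/* Allocate a cursor only if the checked size is acceptable; the caller must
 * be prepared for NULL on rejection or allocation failure. */
cursor_t *cursor_alloc_checked(uint16_t w, uint16_t h)
{
    size_t datasize = cursor_datasize_checked(w, h);
    if (datasize == 0) {
        return NULL;
    }
    cursor_t *c = calloc(1, sizeof(*c));
    if (c == NULL) {
        return NULL;
    }
    c->data = calloc(1, datasize);
    if (c->data == NULL) {
        free(c);
        return NULL;
    }
    c->width = w;
    c->height = h;
    return c;
}

void cursor_free(cursor_t *c)
{
    if (c != NULL) {
        free(c->data);
        free(c);
    }
}

int main(void)
{
    /* Constructed guest-controlled dimensions for the demo. */
    uint16_t w = 32768, h = 32768;
    printf("wrapping datasize for %ux%u: %u bytes\n",
           w, h, cursor_datasize_wrapping(w, h));
    printf("checked datasize for %ux%u: %zu bytes (0 = rejected)\n",
           w, h, cursor_datasize_checked(w, h));

    cursor_t *ok = cursor_alloc_checked(64, 64);
    printf("64x64 cursor allocated: %s\n", ok ? "yes" : "no");
    cursor_free(ok);
    return 0;
}
```

The rejection happens before any arithmetic, so the size_t computation is bounded at 512 * 512 * 4 bytes and the allocation can never be smaller than the pixel data a later copy will write into it.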