08.05.2023 17:18, Mauro Matteo Cascella wrote:
The cursor_alloc function still accepts a signed integer for both the cursor width and height. A specially crafted negative width/height could make datasize wrap around and cause the next allocation to be 0, potentially leading to a heap buffer overflow. Modify QEMUCursor struct and cursor_alloc prototype to accept unsigned ints.

Fixes: CVE-2023-1601
Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)")
Looks like -stable material too?

Thanks,
/mjt
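The wraparound the quoted commit message describes, as an added example modelled on its description rather than QEMU's own ui/cursor.c; the struct layout, the 512-pixel bound and the function names are assumptions made for this illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative model of the cursor layout: a header followed by
 * width * height 32-bit pixels. Example code, not QEMU's ui/cursor.c. */
typedef struct {
    int width, height;      /* signed, as in the pre-fix QEMUCursor */
    size_t datasize;
    uint32_t data[];
} cursor_signed_t;

/* Total the pre-fix arithmetic hands to the allocator. width * height is
 * computed in int, so a negative product converts to a size_t just below
 * SIZE_MAX; adding the header then wraps the total back to (almost) zero,
 * while later drawing code still trusts width and height. Reports only. */
size_t alloc_size_signed(int width, int height)
{
    size_t datasize = width * height * sizeof(uint32_t);
    return sizeof(cursor_signed_t) + datasize;
}

typedef struct {
    unsigned int width, height;   /* unsigned, as the fix prescribes */
    size_t datasize;
    uint32_t data[];
} cursor_unsigned_t;
#define CURSOR_MAX_DIM 512u   /* assumed bound for this example */

/* Hardened allocator: unsigned dimensions cannot be negative, and the bound
 * keeps width * height * 4 far below SIZE_MAX, so header + data cannot wrap.
 * Returns NULL on a rejected request. */
cursor_unsigned_t *cursor_alloc_unsigned(unsigned int width, unsigned int height)
{
    if (width == 0 || height == 0 || width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM)
        return NULL;
    size_t datasize = (size_t)width * height * sizeof(uint32_t);
    cursor_unsigned_t *c = calloc(1, sizeof(*c) + datasize);
    if (c) { c->width = width; c->height = height; c->datasize = datasize; }
    return c;
}

/* Bytes of pixel data the hardened path allocates, or 0 if it refuses. */
size_t probe_unsigned(unsigned int width, unsigned int height)
{
    cursor_unsigned_t *c = cursor_alloc_unsigned(width, height);
    size_t n = c ? c->datasize : 0;
    free(c);
    return n;
}
```

With a width of -1 and a height equal to the header size in pixels, the signed path asks the allocator for exactly 0 bytes; the unsigned path rejects the same request because -1 converts to a value far above the bound.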
