On Tue, Apr 05, 2022 at 04:47:18PM +0200, Mauro Matteo Cascella wrote:
> On Tue, Apr 5, 2022 at 1:10 PM Gerd Hoffmann wrote:
> >
> > > > +++ b/ui/cursor.c
> > > > @@ -46,6 +46,13 @@ static QEMUCursor *cursor_parse_xpm(const char
> > > > *xpm[])
> > > >
> > > > /* parse pixel data */
> > > >
On Tue, Apr 5, 2022 at 1:10 PM Gerd Hoffmann wrote:
>
> > > +++ b/ui/cursor.c
> > > @@ -46,6 +46,13 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
> > >
> > > /* parse pixel data */
> > > c = cursor_alloc(width, height);
> > > +
> > > +if (!c) {
> > > +fprintf(stde
On Tue, 5 Apr 2022 at 11:50, Mauro Matteo Cascella wrote:
>
> Prevent potential integer overflow by limiting 'width' and 'height' to
> 512x512. Also change 'datasize' type to size_t. Refer to security
> advisory https://starlabs.sg/advisories/22-4206/ for more information.
>
> Fixes: CVE-2022-4206
Hi
On Tue, Apr 5, 2022 at 2:43 PM Mauro Matteo Cascella
wrote:
> Prevent potential integer overflow by limiting 'width' and 'height' to
> 512x512. Also change 'datasize' type to size_t. Refer to security
> advisory https://starlabs.sg/advisories/22-4206/ for more information.
>
> Fixes: CVE-2022
> > +++ b/ui/cursor.c
> > @@ -46,6 +46,13 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
> >
> > /* parse pixel data */
> > c = cursor_alloc(width, height);
> > +
> > +if (!c) {
> > +fprintf(stderr, "%s: cursor %ux%u alloc error\n",
> > +__func__, wi
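Review bot: the new `if (!c)` branch after `c = cursor_alloc(width, height);` in cursor_parse_xpm() is cut off in this excerpt before its error path, so confirm that it returns NULL ahead of the pixel-parsing code that follows the `/* parse pixel data */` comment and would otherwise dereference `c`. Also confirm that every caller of cursor_parse_xpm() handles a NULL result. The message goes out through a bare `fprintf(stderr, ...)`; if it stays, make sure the `%ux%u` specifiers match the declared types of the width and height arguments.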
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2022-4206
Signed-off-by: Mauro Matteo Cascella
---
hw/display/qxl-render.c |