Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Mauro Matteo Cascella
On Tue, May 23, 2023 at 4:07 PM Philippe Mathieu-Daudé wrote: > > On 23/5/23 14:57, Mauro Matteo Cascella wrote: > > On Tue, May 23, 2023 at 10:37 AM Philippe Mathieu-Daudé > > wrote: > >> > >> On 23/5/23 10:09, Daniel P. Berrangé wrote: > >>> On Mon, May 22, 2023 at 08:55:02PM +0200, Philippe Ma

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Mauro Matteo Cascella
On Tue, May 23, 2023 at 3:03 PM Daniel P. Berrangé wrote: > > On Tue, May 23, 2023 at 02:50:09PM +0200, Mauro Matteo Cascella wrote: > > On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé > > wrote: > > > > > > On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote: > > > > The c

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Philippe Mathieu-Daudé
On 23/5/23 14:57, Mauro Matteo Cascella wrote: On Tue, May 23, 2023 at 10:37 AM Philippe Mathieu-Daudé wrote: On 23/5/23 10:09, Daniel P. Berrangé wrote: On Mon, May 22, 2023 at 08:55:02PM +0200, Philippe Mathieu-Daudé wrote: On 9/5/23 09:13, Marc-André Lureau wrote: Hi On Mon, May 8, 2023

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Daniel P. Berrangé
On Tue, May 23, 2023 at 02:50:09PM +0200, Mauro Matteo Cascella wrote: > On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé > wrote: > > > > On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote: > > > The cursor_alloc function still accepts a signed integer for both the > > > c

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Mauro Matteo Cascella
On Tue, May 23, 2023 at 10:37 AM Philippe Mathieu-Daudé wrote: > > On 23/5/23 10:09, Daniel P. Berrangé wrote: > > On Mon, May 22, 2023 at 08:55:02PM +0200, Philippe Mathieu-Daudé wrote: > >> On 9/5/23 09:13, Marc-André Lureau wrote: > >>> Hi > >>> > >>> On Mon, May 8, 2023 at 6:21 PM Mauro Matteo

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Mauro Matteo Cascella
On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé wrote: > > On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote: > > The cursor_alloc function still accepts a signed integer for both the cursor > > width and height. A specially crafted negative width/height could make > > dat

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Philippe Mathieu-Daudé
On 23/5/23 10:09, Daniel P. Berrangé wrote: On Mon, May 22, 2023 at 08:55:02PM +0200, Philippe Mathieu-Daudé wrote: On 9/5/23 09:13, Marc-André Lureau wrote: Hi On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella mailto:mcasc...@redhat.com>> wrote: The cursor_alloc function still accept

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Daniel P. Berrangé
On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote: > The cursor_alloc function still accepts a signed integer for both the cursor > width and height. A specially crafted negative width/height could make > datasize > wrap around and cause the next allocation to be 0, potentially

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-23 Thread Daniel P. Berrangé
On Mon, May 22, 2023 at 08:55:02PM +0200, Philippe Mathieu-Daudé wrote: > On 9/5/23 09:13, Marc-André Lureau wrote: > > Hi > > > > On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella > > mailto:mcasc...@redhat.com>> wrote: > > > > The cursor_alloc function still accepts a signed integer for

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-22 Thread Gerd Hoffmann
> > -QEMUCursor *cursor_alloc(int width, int height) > > +QEMUCursor *cursor_alloc(uint32_t width, uint32_t height) > >  { > >      QEMUCursor *c; > > Can't we check width/height > 0 && <= SOME_LIMIT_THAT_MAKES_SENSE? > > Maybe a 16K * 16K cursor is future proof and safe enough.
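Review bot: the signature change from `int` to `uint32_t` in `cursor_alloc` removes the negative width/height case the commit message describes, but by itself it does not guarantee that the product feeding `datasize` cannot wrap for large unsigned values; the explicit range check proposed in this reply (`width/height > 0 && <= SOME_LIMIT_THAT_MAKES_SENSE`) should be added inside `cursor_alloc` before the size is computed, so that every caller is covered rather than relying on each caller to validate, and the chosen limit should be documented next to the check.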

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-22 Thread Mauro Matteo Cascella
On Mon, May 22, 2023 at 8:55 PM Philippe Mathieu-Daudé wrote: > > On 9/5/23 09:13, Marc-André Lureau wrote: > > Hi > > > > On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella > > mailto:mcasc...@redhat.com>> wrote: > > > > The cursor_alloc function still accepts a signed integer for both > >

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-22 Thread Philippe Mathieu-Daudé
On 9/5/23 09:13, Marc-André Lureau wrote: Hi On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella mailto:mcasc...@redhat.com>> wrote: The cursor_alloc function still accepts a signed integer for both the cursor width and height. A specially crafted negative width/height could

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-22 Thread Mauro Matteo Cascella
On Mon, May 8, 2023 at 4:20 PM Mauro Matteo Cascella wrote: > > The cursor_alloc function still accepts a signed integer for both the cursor > width and height. A specially crafted negative width/height could make > datasize > wrap around and cause the next allocation to be 0, potentially leading

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-10 Thread Michael Tokarev
08.05.2023 17:18, Mauro Matteo Cascella wrote: The cursor_alloc function still accepts a signed integer for both the cursor width and height. A specially crafted negative width/height could make datasize wrap around and cause the next allocation to be 0, potentially leading to a heap buffer overf

Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-09 Thread Marc-André Lureau
Hi On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella wrote: > The cursor_alloc function still accepts a signed integer for both the > cursor > width and height. A specially crafted negative width/height could make > datasize > wrap around and cause the next allocation to be 0, potentially lea

[PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc

2023-05-08 Thread Mauro Matteo Cascella
The cursor_alloc function still accepts a signed integer for both the cursor width and height. A specially crafted negative width/height could make datasize wrap around and cause the next allocation to be 0, potentially leading to a heap buffer overflow. Modify QEMUCursor struct and cursor_alloc pr