Commit 65d35a09979e63541afc5bfc595b9f1b1b4ae069
1 parent
6d17c604
CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann) Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
3 additions
and
4 deletions
hw/cirrus_vga.c
| @@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) | @@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) | ||
| 785 | 785 | ||
| 786 | static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) | 786 | static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) |
| 787 | { | 787 | { |
| 788 | + if (BLTUNSAFE(s)) | ||
| 789 | + return 0; | ||
| 790 | + | ||
| 788 | if (s->ds->dpy_copy) { | 791 | if (s->ds->dpy_copy) { |
| 789 | cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr, | 792 | cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr, |
| 790 | s->cirrus_blt_srcaddr - s->start_addr, | 793 | s->cirrus_blt_srcaddr - s->start_addr, |
| 791 | s->cirrus_blt_width, s->cirrus_blt_height); | 794 | s->cirrus_blt_width, s->cirrus_blt_height); |
| 792 | } else { | 795 | } else { |
| 793 | - | ||
| 794 | - if (BLTUNSAFE(s)) | ||
| 795 | - return 0; | ||
| 796 | - | ||
| 797 | (*s->cirrus_rop) (s, s->vram_ptr + | 796 | (*s->cirrus_rop) (s, s->vram_ptr + |
| 798 | (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), | 797 | (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), |
| 799 | s->vram_ptr + | 798 | s->vram_ptr + |