From da2ce88946c75f7b5d96d0a758a4b67aafa5d26a Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 3 Dec 2014 08:48:02 +0100
Subject: [PATCH 3/3] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1417592882-9835-3-git-send-email-kraxel@redhat.com>
O-Subject: [RHEL-7.1 qemu-kvm-rhev PATCH 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
Bugzilla: 1169457
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

This is CVE-2014-8106.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit bf25983345ca44aec3dd92c57142be45452bd38a)
---
 hw/display/cirrus_vga.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index d7db6c3..dc93864 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
     assert(s->cirrus_blt_width > 0);
     assert(s->cirrus_blt_height > 0);
 
+    if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+        return true;
+    }
+
     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
         return true;
-- 
1.8.3.1