From 8bb493c205bcdd169dc20dc862bc9753bc5becef Mon Sep 17 00:00:00 2001
Message-Id: <8bb493c205bcdd169dc20dc862bc9753bc5becef.1428439864.git.jen@redhat.com>
In-Reply-To: <c30a35e9a97acf24290d2bcdfcc7916548a0a393.1428439864.git.jen@redhat.com>
References: <c30a35e9a97acf24290d2bcdfcc7916548a0a393.1428439864.git.jen@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 19 Nov 2014 13:27:28 +0100
Subject: [CHANGE 2/2] cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
To: rhvirt-patches@redhat.com,
    jen@redhat.com

This is CVE-2014-8106.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit bf25983345ca44aec3dd92c57142be45452bd38a)
Signed-off-by: Jeff E. Nelson <jen@redhat.com>
---
 hw/cirrus_vga.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 06125b3..7876531 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -281,6 +281,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
     assert(s->cirrus_blt_width > 0);
     assert(s->cirrus_blt_height > 0);
 
+    if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+        return true;
+    }
+
     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
         return true;
-- 
2.1.0