aboutsummaryrefslogtreecommitdiff
path: root/hw/cirrus_vga.c
diff options
context:
space:
mode:
authoraurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>2008-11-01 00:53:39 +0000
committeraurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>2008-11-01 00:53:39 +0000
commit65d35a09979e63541afc5bfc595b9f1b1b4ae069 (patch)
tree5098bbe7aae32fcc729cb89a77ed75a1f9773045 /hw/cirrus_vga.c
parent6d17c604c0fb35dd7d02b60dd99ce882264e68e5 (diff)
downloadqemu-65d35a09979e63541afc5bfc595b9f1b1b4ae069.zip
qemu-65d35a09979e63541afc5bfc595b9f1b1b4ae069.tar.gz
qemu-65d35a09979e63541afc5bfc595b9f1b1b4ae069.tar.bz2
CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann) Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'hw/cirrus_vga.c')
-rw-r--r--hw/cirrus_vga.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 55f3ced..af9c9e6 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
+ if (BLTUNSAFE(s))
+ return 0;
+
if (s->ds->dpy_copy) {
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
s->cirrus_blt_srcaddr - s->start_addr,
s->cirrus_blt_width, s->cirrus_blt_height);
} else {
-
- if (BLTUNSAFE(s))
- return 0;
-
(*s->cirrus_rop) (s, s->vram_ptr +
(s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->vram_ptr +