diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2018-01-25 15:28:56 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2018-01-25 15:28:56 +0000 |
commit | b3bbe959b5dc3bf07041946455cc8e8d562bfd1f (patch) | |
tree | c16b6653e6479d22a5d9289d28c757095541a91e /hw | |
parent | 0f79bfe38a2cf0f43c7ea4959da7f8ebd7858f3d (diff) | |
parent | 191f59dc17396bb5a8da50f8c59b6e0a430711a4 (diff) | |
download | qemu-b3bbe959b5dc3bf07041946455cc8e8d562bfd1f.zip qemu-b3bbe959b5dc3bf07041946455cc8e8d562bfd1f.tar.gz qemu-b3bbe959b5dc3bf07041946455cc8e8d562bfd1f.tar.bz2 |
Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180125-pull-request' into staging
vga: fix for CVE-2018-5683
# gpg: Signature made Thu 25 Jan 2018 09:33:23 GMT
# gpg: using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* remotes/kraxel/tags/vga-20180125-pull-request:
vga: check the validation of memory addr when draw text
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/display/vga.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/display/vga.c b/hw/display/vga.c index a041200..6e78a4e 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -1279,6 +1279,9 @@ static void vga_draw_text(VGACommonState *s, int full_update) cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) { + break; + } ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min) |