authorPeter Maydell <peter.maydell@linaro.org>2018-01-25 15:28:56 +0000
committerPeter Maydell <peter.maydell@linaro.org>2018-01-25 15:28:56 +0000
commitb3bbe959b5dc3bf07041946455cc8e8d562bfd1f (patch)
treec16b6653e6479d22a5d9289d28c757095541a91e /hw
parent0f79bfe38a2cf0f43c7ea4959da7f8ebd7858f3d (diff)
parent191f59dc17396bb5a8da50f8c59b6e0a430711a4 (diff)
Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180125-pull-request' into staging
vga: fix for CVE-2018-5683 # gpg: Signature made Thu 25 Jan 2018 09:33:23 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/vga-20180125-pull-request: vga: check the validation of memory addr when draw text Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r--hw/display/vga.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/display/vga.c b/hw/display/vga.c
index a041200..6e78a4e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1279,6 +1279,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
cx_min = width;
cx_max = -1;
for(cx = 0; cx < width; cx++) {
+ if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+ break;
+ }
ch_attr = *(uint16_t *)src;
if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
if (cx < cx_min)
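Review bot: The added guard in the `cx` loop tests only the upper end of VRAM, and it does so by first forming `src + sizeof(uint16_t)`, so it relies on `src` never being below `s->vram_ptr` and on that pointer sum not wrapping; whether both hold depends on how `src` is computed outside the hunk. Comparing offsets makes the bound explicit, e.g. `if (src < s->vram_ptr || (size_t)(src - s->vram_ptr) > s->vram_size - sizeof(uint16_t)) {`, assuming `vram_size` is never smaller than two bytes. The `break` also abandons the rest of the row silently, so a short comment such as `/* src presumably derives from guest-set registers; stop before reading past VRAM */` would record why drawing is cut short. vga_draw_text starts and ends outside the hunk, so the other reads in the loop body (`*ch_attr_ptr` and whatever follows) could not be checked against the same bound from here.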