Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
xen.8005
CVE-2014-3689-qemuu-vmware-vga-vmsvga_copy_rect...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-3689-qemuu-vmware-vga-vmsvga_copy_rect.patch of Package xen.8005
References: bsc#962611 CVE-2014-3689 Subject: vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect From: Gerd Hoffmann kraxel@redhat.com Mon Oct 6 11:58:51 2014 +0200 Date: Wed Oct 29 12:01:26 2014 +0100: Git: 61b41b4c20eba08d2185297767e69153d7f3e09d Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Don Koch <dkoch@verizon.com> Index: xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c =================================================================== --- xen-4.4.3-testing.orig/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c +++ xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c @@ -28,8 +28,8 @@ #undef VERBOSE #pragma GCC diagnostic ignored "-Wunused-but-set-variable" -#if 0 #define HW_RECT_ACCEL +#if 0 #define HW_FILL_ACCEL #endif #define HW_MOUSE_ACCEL @@ -405,7 +405,7 @@ static inline void vmsvga_update_rect_fl } #ifdef HW_RECT_ACCEL -static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, +static inline int vmsvga_copy_rect(struct vmsvga_state_s *s, int x0, int y0, int x1, int y1, int w, int h) { DisplaySurface *surface = qemu_console_surface(s->vga.con); @@ -416,6 +416,13 @@ static inline void vmsvga_copy_rect(stru int line = h; uint8_t *ptr[2]; + if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) { + return -1; + } + if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) { + return -1; + } + if (y1 > y0) { ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1); ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1); @@ -431,6 +438,7 @@ static inline void vmsvga_copy_rect(stru } vmsvga_update_rect_delayed(s, x1, y1, w, h); + return 0; } #endif @@ -624,12 +632,12 @@ static void vmsvga_fifo_run(struct vmsvg width = vmsvga_fifo_read(s); height = vmsvga_fifo_read(s); #ifdef HW_RECT_ACCEL - vmsvga_copy_rect(s, x, y, dx, dy, width, height); - break; -#else + if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) { + break; + } +#endif args = 0; goto badcmd; -#endif case SVGA_CMD_DEFINE_CURSOR: len -= 8;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
