Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
xen.4698
CVE-2014-3689-qemuu-vmware-vga-vmsvga_fill_rect...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-3689-qemuu-vmware-vga-vmsvga_fill_rect.patch of Package xen.4698
References: bsc#962611 CVE-2014-3689 Subject: vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect From: Gerd Hoffmann kraxel@redhat.com Mon Oct 6 11:59:51 2014 +0200 Date: Wed Oct 29 12:01:30 2014 +0100: Git: bd9ccd8517e83b7c33a9167815dbfffb30d70b13 Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Don Koch <dkoch@verizon.com> Index: xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c =================================================================== --- xen-4.4.3-testing.orig/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c +++ xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c @@ -29,9 +29,7 @@ #undef VERBOSE #pragma GCC diagnostic ignored "-Wunused-but-set-variable" #define HW_RECT_ACCEL -#if 0 #define HW_FILL_ACCEL -#endif #define HW_MOUSE_ACCEL #include "vga_int.h" @@ -443,7 +441,7 @@ static inline int vmsvga_copy_rect(struc #endif #ifdef HW_FILL_ACCEL -static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, +static inline int vmsvga_fill_rect(struct vmsvga_state_s *s, uint32_t c, int x, int y, int w, int h) { DisplaySurface *surface = qemu_console_surface(s->vga.con); @@ -456,6 +454,10 @@ static inline void vmsvga_fill_rect(stru uint8_t *src; uint8_t col[4]; + if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) { + return -1; + } + col[0] = c; col[1] = c >> 8; col[2] = c >> 16; @@ -480,6 +482,7 @@ static inline void vmsvga_fill_rect(stru } vmsvga_update_rect_delayed(s, x, y, w, h); + return 0; } #endif @@ -612,12 +615,12 @@ static void vmsvga_fifo_run(struct vmsvg width = vmsvga_fifo_read(s); height = vmsvga_fifo_read(s); #ifdef HW_FILL_ACCEL - vmsvga_fill_rect(s, colour, x, y, width, height); - break; -#else + if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) { + break; + } +#endif args = 0; goto badcmd; -#endif case SVGA_CMD_RECT_COPY: len -= 7;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor