File CVE-2017-15289-qemuu-cirrus-OOB-access-issue-in... of Package xen.8005

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-15289-qemuu-cirrus-OOB-access-issue-in-mode4and5-write-functions.patch of Package xen.8005

Move dst calculation into the loop, so we apply the mask on each
interation and will not overflow vga memory.

Cc: Prasad J Pandit <address@hidden>
Reported-by: Niu Guoxiang <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/display/cirrus_vga.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/cirrus_vga.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/display/cirrus_vga.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/cirrus_vga.c
@@ -1981,15 +1981,14 @@ static void cirrus_mem_writeb_mode4and5_
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
+        dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	} else if (mode == 5) {
 	    *dst = s->cirrus_shadow_gr0;
 	}
 	val <<= 1;
-	dst++;
     }
     memory_region_set_dirty(&s->vga.vram, offset, 8);
 }
@@ -2003,8 +2002,8 @@ static void cirrus_mem_writeb_mode4and5_
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
+        dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	    *(dst + 1) = s->vga.gr[0x11];
@@ -2013,7 +2012,6 @@ static void cirrus_mem_writeb_mode4and5_
 	    *(dst + 1) = s->vga.gr[0x10];
 	}
 	val <<= 1;
-	dst += 2;
     }
     memory_region_set_dirty(&s->vga.vram, offset, 16);
 }

Places

File CVE-2017-15289-qemuu-cirrus-OOB-access-issue-in-mode4and5-write-functions.patch of Package xen.8005

Places