File 0438-vnc-fix-overflow-in-vnc_update_stat.patch of Package qemu

Overview Repositories Revisions Requests Users Attributes Meta

File 0438-vnc-fix-overflow-in-vnc_update_stat.patch of Package qemu

From e0ba59816dfa2f294d822870a4f8d39ddeec4875 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 24 Jan 2017 10:00:28 +0100
Subject: [PATCH] vnc: fix overflow in vnc_update_stats
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
incomplete.  vnc_update_stats must calculate width and height the same
way vnc_refresh_server_surface does it, to make sure we don't use width
and height values larger than the qemu vnc server can handle.

Commit "e22492d ui/vnc: disable adaptive update calculations if not
needed" masks the issue in the default configuration.  It triggers only
in case the "lossy" option is set to "on" (default is "off").

Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
(cherry picked from commit eebe0b7905642a986cbce7406d6ab7bf78f3e210)
[BR: BSC#1026612 CVE-2017-2633 (this fix fixes first fix)]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 ui/vnc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 4230931571..233cfbfc59 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2513,8 +2513,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
 
 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
 {
-    int width = pixman_image_get_width(vd->guest.fb);
-    int height = pixman_image_get_height(vd->guest.fb);
+    int width = MIN(pixman_image_get_width(vd->guest.fb),
+                    pixman_image_get_width(vd->server));
+    int height = MIN(pixman_image_get_height(vd->guest.fb),
+                     pixman_image_get_height(vd->server));
     int x, y;
     struct timeval res;
     int has_dirty = 0;

Places

File 0438-vnc-fix-overflow-in-vnc_update_stat.patch of Package qemu

Places