Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
xen.10697
CVE-2014-3689-qemuu-vmware-vga-vmsvga_update_re...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-3689-qemuu-vmware-vga-vmsvga_update_rect.patch of Package xen.10697
References: bsc#962611 CVE-2014-3689 Subject: vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect From: Gerd Hoffmann kraxel@redhat.com Mon Oct 6 11:58:22 2014 +0200 Date: Tue Oct 28 10:40:08 2014 +0100: Git: 1735fe1edba9cc86bc0f26937ed5a62d3cb47c9c Switch vmsvga_update_rect over to use vmsvga_verify_rect. Slight change in behavior: We don't try to automatically fixup rectangles any more. In case we find invalid update requests we'll do a full-screen update instead. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Don Koch <dkoch@verizon.com> Index: xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c =================================================================== --- xen-4.4.3-testing.orig/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c +++ xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c @@ -355,36 +355,12 @@ static inline void vmsvga_update_rect(st uint8_t *src; uint8_t *dst; - if (x < 0) { - fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x); - w += x; + if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) { + /* go for a fullscreen update as fallback */ x = 0; - } - if (w < 0) { - fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w); - w = 0; - } - if (x + w > surface_width(surface)) { - fprintf(stderr, "%s: update width too large x: %d, w: %d\n", - __func__, x, w); - x = MIN(x, surface_width(surface)); - w = surface_width(surface) - x; - } - - if (y < 0) { - fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y); - h += y; y = 0; - } - if (h < 0) { - fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h); - h = 0; - } - if (y + h > surface_height(surface)) { - fprintf(stderr, "%s: update height too large y: %d, h: %d\n", - __func__, y, h); - y = MIN(y, surface_height(surface)); - h = surface_height(surface) - y; + w = surface_width(surface); + h = surface_height(surface); } bypl = surface_stride(surface);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor