cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. Signed-off-by: Li Qiang <liqiang6-s@360.cn> { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> Fixes: d3532a0db0 (CVE-2014-8106) Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-02-01 09:35:01 +01:00 · 2017-02-01 09:35:01 +01:00 · 62d4c6bd52
commit 62d4c6bd52
parent 60cd23e851
1 changed files with 3 additions and 4 deletions
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
 {
    if (pitch < 0) {
        int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
-        int32_t max = addr
-            + s->cirrus_blt_width;
-        if (min < 0 || max > s->vga.vram_size) {
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
+        if (min < -1 || addr >= s->vga.vram_size) {
            return true;
        }
    } else {