vga: fix for CVE-2018-5683

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJaaaRjAAoJEEy22O7T6HE4OTUQAMEW5xw5yLGwsD71myJ/W8R4
 Eufa8gLGXSQ1ovc/1MkRhMN5HOstT8h4YQjEj1L1w0Fd6Ruva8LM1SdTQad6H7aj
 bwdSZh5bPbRdDBf8p7zJjl2Msj/oe+CSS4prlt32s4xQXIPFQNqvSEX/+46wol+q
 FllYBVWhwpgORVPp6IMxCUFFshZbznZpre8dbxLQmyOXXMLSCmUw/f1xevGZFVUB
 jb93AUQ4Arex65258kP0piyjnd36PgH7VyWyPAJ9MDFQibxGRv0aixVQIufm6zjm
 tqbhRmVfcykqQm0aqC2PnywehUO1EfTv6JwwnRaJPsAC+oq/P3I/gFPoP9gsFIU6
 kZuTQ5sLa+XNDmkOpz3qMIBE67tX28rPPq1W4ekHsYheIkTqg/GiEsZuzNjP63AA
 d2CEs09bVDHQMhBlhjKRrYao9yojICmp4pOt3Lb79DbB7rd57XVrQb8BDbd/utwu
 knCPYsSI3tiucLvIlBl2wgjkuwv1IVLu8TB7JQtQ8qZARgL10hUcAW34WOyriF+y
 OkA/nk/Tt8VgED2kD6ttR88fOwtByfnhS5+y2w8gxDfRwRDFsSO4MQP8nmj/rLuJ
 lX6jwr6oh0u0IJSTWUaC2MPWmRkz3kuwBDR42KWGbYp/EgLuqMSdMfv/WgC7t4+s
 3FztQ3+vPB2lZ9DWUboi
 =K9aN
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180125-pull-request' into staging

vga: fix for CVE-2018-5683

# gpg: Signature made Thu 25 Jan 2018 09:33:23 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20180125-pull-request:
  vga: check the validation of memory addr when draw text

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/display/vga.c

@@ -1279,6 +1279,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
         cx_min = width;
         cx_max = -1;
         for(cx = 0; cx < width; cx++) {
+            if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+                break;
+            }
             ch_attr = *(uint16_t *)src;
             if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
                 if (cx < cx_min)