vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow
Check that the cursor dimensions passed from the guest for the DEFINE_CURSOR command don't overflow the available space in the cursor.image[] or cursor.mask[] arrays before copying data from the guest into those arrays. Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
parent
e73223a584
commit
f2d928d44e
@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.height = y = vmsvga_fifo_read(s);
|
||||
vmsvga_fifo_read(s);
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
goto badcmd;
|
||||
}
|
||||
|
||||
for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++)
|
||||
cursor.mask[args] = vmsvga_fifo_read_raw(s);
|
||||
for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
|
||||
|
Loading…
Reference in New Issue
Block a user