qemu-e2k/ui
Gerd Hoffmann eb8934b041 vnc: fix memory corruption (CVE-2015-5225)
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative.  Result is (possibly
exploitable) memory corruption.  Reason for that is it uses the stride
instead of bytes per scanline to apply limits.

For the server surface is is actually fine.  vnc creates that itself,
there is never any padding and thus scanline length always equals stride.

For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way.  So add and use a new variable
(guest_ll) for the guest scanline length.  Also rename min_stride to
line_bytes to make more clear what it actually is.  Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.

Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
Reviewed-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-08-26 17:54:33 +02:00
..
shader console-gl: add opengl rendering helper functions 2015-05-05 10:48:22 +02:00
cocoa.m ui/cocoa.m: Add machine menu items to change and eject removable drive media 2015-06-19 11:22:31 +01:00
console-gl.c console-gl: add opengl rendering helper functions 2015-05-05 10:48:22 +02:00
console.c ui/console: remove dpy_gfx_update_dirty 2015-06-05 17:09:59 +02:00
curses_keys.h
curses.c
cursor_hidden.xpm
cursor_left_ptr.xpm
cursor.c
egl-helpers.c ui: add egl-helpers 2015-05-29 11:11:38 +02:00
gtk-egl.c gtk: add opengl support, using egl 2015-05-29 11:43:29 +02:00
gtk.c gtk: don't exit early in case gtk init fails 2015-06-11 11:37:56 +02:00
input-keymap.c kbd: add brazil kbd keys to qemu 2015-05-29 10:30:06 +02:00
input-legacy.c Include monitor/monitor.h exactly where needed 2015-06-22 18:20:41 +02:00
input.c qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
keymaps.c
keymaps.h
Makefile.objs ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
qemu-pixman.c
qemu-x509.h
sdl2-2d.c sdl2: Fix RGB555 2015-05-05 10:48:26 +02:00
sdl2-gl.c sdl2: add support for display rendering using opengl. 2015-05-05 10:48:26 +02:00
sdl2-input.c sdl2: move SDL_* includes to sdl2.h 2015-05-05 10:48:26 +02:00
sdl2-keymap.h
sdl2.c sdl2: fix crash in handle_windowevent() when restoring the screen size 2015-06-09 10:25:21 +02:00
sdl_keysym.h
sdl_zoom_template.h
sdl_zoom.c
sdl_zoom.h
sdl.c sdl2: add support for display rendering using opengl. 2015-05-05 10:48:26 +02:00
shader.c console-gl: add opengl rendering helper functions 2015-05-05 10:48:22 +02:00
spice-core.c qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
spice-display.c Include monitor/monitor.h exactly where needed 2015-06-22 18:20:41 +02:00
spice-input.c
vgafont.h
vnc_keysym.h
vnc-auth-sasl.c Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler 2015-06-12 13:26:21 +01:00
vnc-auth-sasl.h
vnc-auth-vencrypt.c Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler 2015-06-12 13:26:21 +01:00
vnc-auth-vencrypt.h
vnc-enc-hextile-template.h
vnc-enc-hextile.c
vnc-enc-tight.c
vnc-enc-tight.h
vnc-enc-zlib.c
vnc-enc-zrle-template.c
vnc-enc-zrle.c
vnc-enc-zrle.h
vnc-enc-zywrle-template.c
vnc-enc-zywrle.h
vnc-jobs.c Include monitor/monitor.h exactly where needed 2015-06-22 18:20:41 +02:00
vnc-jobs.h
vnc-palette.c
vnc-palette.h
vnc-tls.c ui/vnc : remove 'struct' of 'typedef struct' 2015-04-30 16:05:48 +03:00
vnc-tls.h ui: remove unused 'wiremode' variable in VncState struct 2015-03-18 09:25:13 +01:00
vnc-ws.c ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
vnc-ws.h ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
vnc.c vnc: fix memory corruption (CVE-2015-5225) 2015-08-26 17:54:33 +02:00
vnc.h ui: convert VNC websockets to use crypto APIs 2015-07-08 13:11:01 +02:00
x_keymap.c kbd: add brazil kbd keys to x11 evdev map 2015-05-29 10:30:06 +02:00
x_keymap.h