diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2018-01-25 15:28:56 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2018-01-25 15:28:56 +0000 |
| commit | b3bbe959b5dc3bf07041946455cc8e8d562bfd1f (patch) | |
| tree | c16b6653e6479d22a5d9289d28c757095541a91e | |
| parent | 0f79bfe38a2cf0f43c7ea4959da7f8ebd7858f3d (diff) | |
| parent | 191f59dc17396bb5a8da50f8c59b6e0a430711a4 (diff) | |
| download | focaccia-qemu-b3bbe959b5dc3bf07041946455cc8e8d562bfd1f.tar.gz focaccia-qemu-b3bbe959b5dc3bf07041946455cc8e8d562bfd1f.zip | |
Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180125-pull-request' into staging
vga: fix for CVE-2018-5683 # gpg: Signature made Thu 25 Jan 2018 09:33:23 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/vga-20180125-pull-request: vga: check the validation of memory addr when draw text Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| -rw-r--r-- | hw/display/vga.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/display/vga.c b/hw/display/vga.c index a0412000a5..6e78a4e156 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -1279,6 +1279,9 @@ static void vga_draw_text(VGACommonState *s, int full_update) cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) { + break; + } ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min) |