summary refs log tree commit diff stats
path: root/ui/cursor.c
diff options
context:
space:
mode:
authorMauro Matteo Cascella <mcascell@redhat.com>2022-04-07 10:17:12 +0200
committerGerd Hoffmann <kraxel@redhat.com>2022-04-07 12:30:54 +0200
commitfa892e9abb728e76afcf27323ab29c57fb0fe7aa (patch)
tree2e3db9e407e4559f313700a8912e431cf96a5880 /ui/cursor.c
parent9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 (diff)
downloadfocaccia-qemu-fa892e9abb728e76afcf27323ab29c57fb0fe7aa.tar.gz
focaccia-qemu-fa892e9abb728e76afcf27323ab29c57fb0fe7aa.zip
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.

Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'ui/cursor.c')
-rw-r--r--ui/cursor.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/ui/cursor.c b/ui/cursor.c
index 1d62ddd4d0..835f0802f9 100644
--- a/ui/cursor.c
+++ b/ui/cursor.c
@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
 
     /* parse pixel data */
     c = cursor_alloc(width, height);
+    assert(c != NULL);
+
     for (pixel = 0, y = 0; y < height; y++, line++) {
         for (x = 0; x < height; x++, pixel++) {
             idx = xpm[line][x];
@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
 QEMUCursor *cursor_alloc(int width, int height)
 {
     QEMUCursor *c;
-    int datasize = width * height * sizeof(uint32_t);
+    size_t datasize = width * height * sizeof(uint32_t);
+
+    if (width > 512 || height > 512) {
+        return NULL;
+    }
 
     c = g_malloc0(sizeof(QEMUCursor) + datasize);
     c->width  = width;