Skip to content
Snippets Groups Projects
Commit dde8689d authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into staging

two cursor/qxl related security fixes.

# gpg: Signature made Fri 08 Apr 2022 05:37:16 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu

:
  ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
  display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents 95a3fcc7 fa892e9a
No related branches found
No related tags found
No related merge requests found
......@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
size_t size;
c = cursor_alloc(cursor->header.width, cursor->header.height);
if (!c) {
qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
cursor->header.width, cursor->header.height);
goto fail;
}
c->hot_x = cursor->header.hot_spot_x;
c->hot_y = cursor->header.hot_spot_y;
switch (cursor->header.type) {
......@@ -266,7 +273,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
}
break;
case SPICE_CURSOR_TYPE_ALPHA:
size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
size = sizeof(uint32_t) * c->width * c->height;
qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
if (qxl->debug > 2) {
cursor_print_ascii_art(c, "qxl/alpha");
......
......@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
int i, pixels;
qc = cursor_alloc(c->width, c->height);
assert(qc != NULL);
qc->hot_x = c->hot_x;
qc->hot_y = c->hot_y;
switch (c->bpp) {
......
......@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
/* parse pixel data */
c = cursor_alloc(width, height);
assert(c != NULL);
for (pixel = 0, y = 0; y < height; y++, line++) {
for (x = 0; x < height; x++, pixel++) {
idx = xpm[line][x];
......@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
QEMUCursor *cursor_alloc(int width, int height)
{
QEMUCursor *c;
int datasize = width * height * sizeof(uint32_t);
size_t datasize = width * height * sizeof(uint32_t);
if (width > 512 || height > 512) {
return NULL;
}
c = g_malloc0(sizeof(QEMUCursor) + datasize);
c->width = width;
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment