[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [5587] CVE-2008-4539: fix a heap overflow in Cirrus emulati
From: |
Aurelien Jarno |
Subject: |
[Qemu-devel] [5587] CVE-2008-4539: fix a heap overflow in Cirrus emulation |
Date: |
Sat, 01 Nov 2008 00:53:39 +0000 |
Revision: 5587
http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=5587
Author: aurel32
Date: 2008-11-01 00:53:39 +0000 (Sat, 01 Nov 2008)
Log Message:
-----------
CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has
been announced and the patch has been applied. As a consequence it has
wrongly applied and QEMU is still vulnerable to this bug if using VNC.
(noticed by Jan Niehusmann)
Signed-off-by: Aurelien Jarno <address@hidden>
Modified Paths:
--------------
trunk/hw/cirrus_vga.c
Modified: trunk/hw/cirrus_vga.c
===================================================================
--- trunk/hw/cirrus_vga.c 2008-11-01 00:53:30 UTC (rev 5586)
+++ trunk/hw/cirrus_vga.c 2008-11-01 00:53:39 UTC (rev 5587)
@@ -785,15 +785,14 @@
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
+ if (BLTUNSAFE(s))
+ return 0;
+
if (s->ds->dpy_copy) {
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
s->cirrus_blt_srcaddr - s->start_addr,
s->cirrus_blt_width, s->cirrus_blt_height);
} else {
-
- if (BLTUNSAFE(s))
- return 0;
-
(*s->cirrus_rop) (s, s->vram_ptr +
(s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->vram_ptr +
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [5587] CVE-2008-4539: fix a heap overflow in Cirrus emulation,
Aurelien Jarno <=