
CVE-2016-9922: [Qemu-devel] [PULL 4/4] display: cirrus: check vga bits per pixel(bpp) v

CVE-2016-9921 CVE-2016-9922 Qemu: display: cirrus_vga: a divide by zero in cirrus_do_copy


From: Gerd Hoffmann
Subject: [Qemu-devel] [PULL 4/4] display: cirrus: check vga bits per pixel(bpp) value
Date: Mon, 5 Dec 2016 12:04:00 +0100

From: Prasad J Pandit address@hidden

In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA, ‘cirrus_get_bpp’ returns zero(0), which could lead to a divide by zero error while copying pixel data. The same could occur via blit pitch values. Add check to avoid it.

Reported-by: Huawei PSIRT address@hidden
Signed-off-by: Prasad J Pandit address@hidden
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann address@hidden


hw/display/cirrus_vga.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 3d712d5…bdb092e 100644 — a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s); static bool blit_region_is_unsafe(struct CirrusVGAState *s, int32_t pitch, int32_t addr) {

  • if (!pitch) {
  •    return true;
    
  • } if (pitch < 0) { int64_t min = addr + ((int64_t)s->cirrus_blt_height-1) * pitch; @@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) s->cirrus_addr_mask)); }

-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) +static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) { int sx = 0, sy = 0; int dx = 0, dy = 0; @@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) int width, height;

     depth = s->vga.get\_bpp(&s->vga) / 8;
  •    if (!depth) {
    
  •        return 0;
    
  •    }
       s->vga.get\_resolution(&s->vga, &width, &height);
    
       /\* extra x, y \*/
    

@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_width, s->cirrus_blt_height);

  • return 1; }

static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) @@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) if (blit_is_unsafe(s)) return 0;

  • cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
  • return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, s->cirrus_blt_srcaddr - s->vga.start_addr, s->cirrus_blt_width, s->cirrus_blt_height);
  • return 1; }

/***************************************
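Review bot: the new `if (!pitch)` test at the top of blit_region_is_unsafe() (hunk at -272) carries no comment saying why a zero pitch is unsafe; the reason appears only in the commit message ("The same could occur via blit pitch values"). A one-line comment above the check naming the divide by zero it prevents would keep the guard from being dropped in a later cleanup.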
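Review bot: in cirrus_do_copy() (hunks at -715 and -729), `depth = s->vga.get_bpp(&s->vga) / 8;` is an integer division, so `if (!depth)` fires for any bpp below 8 and not only for the zero the commit message describes; state in a comment or in the commit message that the wider rejection is intended. The function also changes from void to int, with `return 0` on this path and `return 1` at the end, and nothing in the visible lines documents that convention; a short comment at the definition saying what 0 and 1 mean would help.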
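Review bot: in cirrus_bitblt_videotovideo_copy() (hunk at -790), `return cirrus_do_copy(...)` now lets a zero-depth copy return 0, the same value as the `blit_is_unsafe(s)` path just above, where the function previously returned 1 unconditionally after the copy. The caller of cirrus_bitblt_videotovideo_copy() is not part of this diff, so please confirm that it handles a 0 from this new path the same way it handles a rejected blit.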

1.8.3.1
