* [Qemu-devel] [PATCH] vmsvga: more cursor checks
@ 2015-09-30 6:57 Gerd Hoffmann
0 siblings, 0 replies; only message in thread
From: Gerd Hoffmann @ 2015-09-30 6:57 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
Check the cursor size more carefully. Also switch to unsigned while
being at it, so they can't be negative.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/vmware_vga.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 8e93509..9354037 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -488,10 +488,10 @@ static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
#endif
struct vmsvga_cursor_definition_s {
- int width;
- int height;
+ uint32_t width;
+ uint32_t height;
int id;
- int bpp;
+ uint32_t bpp;
int hot_x;
int hot_y;
uint32_t mask[1024];
@@ -658,7 +658,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.bpp = vmsvga_fifo_read(s);
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
- if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+ if (cursor.width > 256 ||
+ cursor.height > 256 ||
+ cursor.bpp > 32 ||
+ SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
goto badcmd;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2015-09-30 6:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-30 6:57 [Qemu-devel] [PATCH] vmsvga: more cursor checks Gerd Hoffmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).