From: Mauro Matteo Cascella <mcascell@redhat.com>
To: qemu-devel@nongnu.org
Cc: mcascell@redhat.com, kraxel@redhat.com,
marcandre.lureau@redhat.com, jacek.halon@gmail.com
Subject: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc
Date: Mon, 8 May 2023 16:18:13 +0200 [thread overview]
Message-ID: <20230508141813.1086562-1-mcascell@redhat.com> (raw)
The cursor_alloc function still accepts a signed integer for both the cursor
width and height. A specially crafted negative width/height could make datasize
wrap around and cause the next allocation to be 0, potentially leading to a
heap buffer overflow. Modify QEMUCursor struct and cursor_alloc prototype to
accept unsigned ints.
Fixes: CVE-2023-1601
Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)")
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Jacek Halon <jacek.halon@gmail.com>
---
include/ui/console.h | 4 ++--
ui/cursor.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/ui/console.h b/include/ui/console.h
index 2a8fab091f..92a4d90a1b 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
@@ -144,13 +144,13 @@ typedef struct QemuUIInfo {
/* cursor data format is 32bit RGBA */
typedef struct QEMUCursor {
- int width, height;
+ uint32_t width, height;
int hot_x, hot_y;
int refcount;
uint32_t data[];
} QEMUCursor;
-QEMUCursor *cursor_alloc(int width, int height);
+QEMUCursor *cursor_alloc(uint32_t width, uint32_t height);
QEMUCursor *cursor_ref(QEMUCursor *c);
void cursor_unref(QEMUCursor *c);
QEMUCursor *cursor_builtin_hidden(void);
diff --git a/ui/cursor.c b/ui/cursor.c
index 6fe67990e2..b5fcb64839 100644
--- a/ui/cursor.c
+++ b/ui/cursor.c
@@ -90,7 +90,7 @@ QEMUCursor *cursor_builtin_left_ptr(void)
return cursor_parse_xpm(cursor_left_ptr_xpm);
}
-QEMUCursor *cursor_alloc(int width, int height)
+QEMUCursor *cursor_alloc(uint32_t width, uint32_t height)
{
QEMUCursor *c;
size_t datasize = width * height * sizeof(uint32_t);
--
2.40.1
next reply other threads:[~2023-05-08 14:20 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 14:18 Mauro Matteo Cascella [this message]
2023-05-09 7:13 ` [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc Marc-André Lureau
2023-05-22 18:55 ` Philippe Mathieu-Daudé
2023-05-22 19:14 ` Mauro Matteo Cascella
2023-05-23 4:53 ` Gerd Hoffmann
2023-05-23 8:09 ` Daniel P. Berrangé
2023-05-23 8:37 ` Philippe Mathieu-Daudé
2023-05-23 12:57 ` Mauro Matteo Cascella
2023-05-23 14:06 ` Philippe Mathieu-Daudé
2023-05-23 15:17 ` Mauro Matteo Cascella
2023-05-10 18:23 ` Michael Tokarev
2023-05-22 18:05 ` Mauro Matteo Cascella
2023-05-23 8:16 ` Daniel P. Berrangé
2023-05-23 12:50 ` Mauro Matteo Cascella
2023-05-23 13:02 ` Daniel P. Berrangé
2023-05-23 15:02 ` Mauro Matteo Cascella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230508141813.1086562-1-mcascell@redhat.com \
--to=mcascell@redhat.com \
--cc=jacek.halon@gmail.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).