* [Qemu-devel] [5587] CVE-2008-4539: fix a heap overflow in Cirrus emulation
@ 2008-11-01 0:53 Aurelien Jarno
0 siblings, 0 replies; only message in thread
From: Aurelien Jarno @ 2008-11-01 0:53 UTC (permalink / raw)
To: qemu-devel
Revision: 5587
http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=5587
Author: aurel32
Date: 2008-11-01 00:53:39 +0000 (Sat, 01 Nov 2008)
Log Message:
-----------
CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has
been announced and the patch has been applied. As a consequence it has
wrongly applied and QEMU is still vulnerable to this bug if using VNC.
(noticed by Jan Niehusmann)
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Modified Paths:
--------------
trunk/hw/cirrus_vga.c
Modified: trunk/hw/cirrus_vga.c
===================================================================
--- trunk/hw/cirrus_vga.c 2008-11-01 00:53:30 UTC (rev 5586)
+++ trunk/hw/cirrus_vga.c 2008-11-01 00:53:39 UTC (rev 5587)
@@ -785,15 +785,14 @@
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
+ if (BLTUNSAFE(s))
+ return 0;
+
if (s->ds->dpy_copy) {
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
s->cirrus_blt_srcaddr - s->start_addr,
s->cirrus_blt_width, s->cirrus_blt_height);
} else {
-
- if (BLTUNSAFE(s))
- return 0;
-
(*s->cirrus_rop) (s, s->vram_ptr +
(s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->vram_ptr +
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2008-11-01 0:53 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-01 0:53 [Qemu-devel] [5587] CVE-2008-4539: fix a heap overflow in Cirrus emulation Aurelien Jarno
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).