From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1Kw4kH-0001FS-UE for qemu-devel@nongnu.org; Fri, 31 Oct 2008 20:53:41 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1Kw4kH-0001Ea-2B for qemu-devel@nongnu.org; Fri, 31 Oct 2008 20:53:41 -0400 Received: from [199.232.76.173] (port=48021 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Kw4kG-0001EM-Sc for qemu-devel@nongnu.org; Fri, 31 Oct 2008 20:53:40 -0400 Received: from savannah.gnu.org ([199.232.41.3]:57769 helo=sv.gnu.org) by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1Kw4kH-0002zR-CM for qemu-devel@nongnu.org; Fri, 31 Oct 2008 20:53:41 -0400 Received: from cvs.savannah.gnu.org ([199.232.41.69]) by sv.gnu.org with esmtp (Exim 4.63) (envelope-from ) id 1Kw4kF-0001N1-R2 for qemu-devel@nongnu.org; Sat, 01 Nov 2008 00:53:39 +0000 Received: from aurel32 by cvs.savannah.gnu.org with local (Exim 4.63) (envelope-from ) id 1Kw4kF-0001Mx-KA for qemu-devel@nongnu.org; Sat, 01 Nov 2008 00:53:39 +0000 MIME-Version: 1.0 Errors-To: aurel32 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
From: Aurelien Jarno Message-Id: Date: Sat, 01 Nov 2008 00:53:39 +0000 Subject: [Qemu-devel] [5587] CVE-2008-4539: fix a heap overflow in Cirrus emulation Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Revision: 5587 http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=5587 Author: aurel32 Date: 2008-11-01 00:53:39 +0000 (Sat, 01 Nov 2008) Log Message: ----------- CVE-2008-4539: fix a heap overflow in Cirrus emulation The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann) Signed-off-by: Aurelien Jarno Modified Paths: -------------- trunk/hw/cirrus_vga.c Modified: trunk/hw/cirrus_vga.c =================================================================== --- trunk/hw/cirrus_vga.c 2008-11-01 00:53:30 UTC (rev 5586) +++ trunk/hw/cirrus_vga.c 2008-11-01 00:53:39 UTC (rev 5587) @@ -785,15 +785,14 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) { + if (BLTUNSAFE(s)) + return 0; + if (s->ds->dpy_copy) { cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr, s->cirrus_blt_srcaddr - s->start_addr, s->cirrus_blt_width, s->cirrus_blt_height); } else { - - if (BLTUNSAFE(s)) - return 0; - (*s->cirrus_rop) (s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), s->vram_ptr +
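Review bot: the moved BLTUNSAFE(s) guard in the cirrus_bitblt_videotovideo_copy hunk now runs before the if (s->ds->dpy_copy) branch, so the cirrus_do_copy path (taken when the display backend supplies dpy_copy, which the log message identifies as the VNC case) is finally covered by the same bounds check as the (*s->cirrus_rop) path; previously the check sat only in the else branch, which is why the CVE-2007-1320 fix had no effect on VNC. Two things worth adding to the hunk: a short comment above the guard stating that every blit path through this function must stay behind BLTUNSAFE, since the log message says the original check was lost once when the surrounding code was reorganised, and a note in the commit message that the function returns 0 early on an unsafe blit so callers treat it as "nothing copied", which is the behaviour the old else-branch return already had. The rest of the hunk is cut off in this mail, so the trailing context after the cirrus_rop call could not be reviewed here.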