[Qemu-devel] [PATCH 27/56] vmsvga: add more fifo checks

Mon, 08 Aug 2016 14:29:10 -0700 

From: Gerd Hoffmann <[email protected]>

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: [email protected]
Cc: P J P <[email protected]>
Reported-by: 李强 <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-id: [email protected]
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
Signed-off-by: Michael Roth <[email protected]>
---
 hw/display/vmware_vga.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 63a7c05..a26e62e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s 
*s)
     if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
         return 0;
     }
-    if (CMD(max) > SVGA_FIFO_SIZE) {
+    if (CMD(max) > SVGA_FIFO_SIZE ||
+        CMD(min) >= SVGA_FIFO_SIZE ||
+        CMD(stop) >= SVGA_FIFO_SIZE ||
+        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
         return 0;
     }
     if (CMD(max) < CMD(min) + 10 * 1024) {
-- 
1.9.1

Reply via email to