vmsvga: more cursor checks

Check the cursor size more carefully. Also switch to unsigned while being at it, so they can't be negative. Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

vmsvga: more cursor checks
Check the cursor size more carefully. Also switch to unsigned while being at it, so they can't be negative. Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
5829b097 · Gerd Hoffmann · b798c190 · 5829b097
隐藏空白更改
内联并排

Showing with 7 addition and 4 deletion

hw/display/vmware_vga.c hw/display/vmware_vga.c +7 -4

未找到文件。
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -488,10 +488,10 @@ static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
 #endif

 struct vmsvga_cursor_definition_s {
-    int width;
-    int height;
+    uint32_t width;
+    uint32_t height;
    int id;
-    int bpp;
+    uint32_t bpp;
    int hot_x;
    int hot_y;
    uint32_t mask[1024];
@@ -658,7 +658,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
            cursor.bpp = vmsvga_fifo_read(s);

            args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
-            if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+            if (cursor.width > 256 ||
+                cursor.height > 256 ||
+                cursor.bpp > 32 ||
+                SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
                SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
                    goto badcmd;
            }