CVE-2008-4539: fix a heap overflow in Cirrus emulation

The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann) Signed-off-by: N Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162

CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC. (noticed by Jan Niehusmann) Signed-off-by: N Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162
65d35a09 · aurel32 · 6d17c604 · 65d35a09
隐藏空白更改
内联并排

Showing with 3 addition and 4 deletion

hw/cirrus_vga.c hw/cirrus_vga.c +3 -4

未找到文件。
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)

 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
 {
+    if (BLTUNSAFE(s))
+        return 0;
+
    if (s->ds->dpy_copy) {
 	cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
 		       s->cirrus_blt_srcaddr - s->start_addr,
 		       s->cirrus_blt_width, s->cirrus_blt_height);
    } else {
-
-    if (BLTUNSAFE(s))
-        return 0;
-
 	(*s->cirrus_rop) (s, s->vram_ptr +
                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
 			  s->vram_ptr +