File CVE-2017-13672-qemuu-fix.patch of Package xen.11298
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/display/vga_template.h
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/display/vga_template.h
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/display/vga_template.h
@@ -354,7 +354,10 @@ static void glue(vga_draw_line15_, PIXEL
uint32_t addr, int width)
{
#if DEPTH == 15 && defined(HOST_WORDS_BIGENDIAN) == defined(TARGET_WORDS_BIGENDIAN)
- memcpy(d, (uint8_t *)addr, width * 2);
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+
+ memcpy(d, ptr, width * 2);
#else
int w;
uint32_t v, r, g, b;
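Review bot: The added mask bounds only the start of the copy in the `memcpy(d, ptr, width * 2)` fast path; the length still comes from `width` unchecked, so a line whose masked offset lies near the top of the range could read past the end of the buffer behind `vga->vram_ptr`. Whether the caller guarantees that `offset + width * 2` stays inside VRAM is not visible in this hunk, so I would clamp the length here or split the copy at the wrap point, e.g. `size_t len = MIN((size_t)width * 2, (size_t)vga->vbe_size_mask + 1 - offset);` (this assumes `vbe_size_mask` is the VRAM size minus one, which the hunk does not show). The same applies to the `vga_draw_line16_` hunk and, with `width * 4`, to the `vga_draw_line32_` hunk. All three function bodies continue outside their hunks.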
@@ -379,7 +382,10 @@ static void glue(vga_draw_line16_, PIXEL
uint32_t addr, int width)
{
#if DEPTH == 16 && defined(HOST_WORDS_BIGENDIAN) == defined(TARGET_WORDS_BIGENDIAN)
- memcpy(d, (uint8_t *)addr, width * 2);
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+
+ memcpy(d, ptr, width * 2);
#else
int w;
uint32_t v, r, g, b;
@@ -430,7 +436,10 @@ static void glue(vga_draw_line32_, PIXEL
uint32_t addr, int width)
{
#if DEPTH == 32 && defined(HOST_WORDS_BIGENDIAN) == defined(TARGET_WORDS_BIGENDIAN) && !defined(BGR_FORMAT)
- memcpy(d, (uint8_t *)addr, width * 4);
+ uint32_t offset = addr & vga->vbe_size_mask & ~3;
+ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+
+ memcpy(d, ptr, width * 4);
#else
int w;
uint32_t r, g, b;
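Review bot: The `uint32_t *ptr` cast in the fast path is unnecessary, because `memcpy` takes a `const void *` and nothing in the hunk dereferences `ptr` as a 32-bit value; `memcpy(d, vga->vram_ptr + offset, width * 4);` does the same without the intermediate typed pointer. The masking line would also benefit from a short comment such as `/* wrap the guest-controlled address into VRAM, aligned to one pixel */`, since the reason for `& vga->vbe_size_mask & ~3` is the substance of the fix and is otherwise recorded only in the patch file name. Both remarks apply equally to the `uint16_t *ptr` lines in the 15- and 16-bit hunks.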