File CVE-2014-3689-qemuu-vmware-vga-vmsvga_update_rect.patch of Package xen.4218
References: bsc#962611 CVE-2014-3689
Subject: vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
From: Gerd Hoffmann kraxel@redhat.com Mon Oct 6 11:58:22 2014 +0200
Date: Tue Oct 28 10:40:08 2014 +0100:
Git: 1735fe1edba9cc86bc0f26937ed5a62d3cb47c9c
Switch vmsvga_update_rect over to use vmsvga_verify_rect. Slight change
in behavior: We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
Index: xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c
+++ xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/display/vmware_vga.c
@@ -357,36 +357,12 @@ static inline void vmsvga_update_rect(st
uint8_t *src;
uint8_t *dst;
- if (x < 0) {
- fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
- w += x;
+ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+ /* go for a fullscreen update as fallback */
x = 0;
- }
- if (w < 0) {
- fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
- w = 0;
- }
- if (x + w > surface_width(surface)) {
- fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
- __func__, x, w);
- x = MIN(x, surface_width(surface));
- w = surface_width(surface) - x;
- }
-
- if (y < 0) {
- fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y);
- h += y;
y = 0;
- }
- if (h < 0) {
- fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h);
- h = 0;
- }
- if (y + h > surface_height(surface)) {
- fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
- __func__, y, h);
- y = MIN(y, surface_height(surface));
- h = surface_height(surface) - y;
+ w = surface_width(surface);
+ h = surface_height(surface);
}
bypl = surface_stride(surface);
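Review bot: The comment in the fallback branch of `if (!vmsvga_verify_rect(surface, __func__, x, y, w, h))` says only that a fullscreen update happens, not why the rejected values are discarded instead of repaired as before. I would expand it to something like `/* rect failed validation: redraw the whole surface rather than repairing the requested values */`. The function body continues past `bypl = surface_stride(surface);` outside this hunk and presumably uses x, y, w and h as offsets and lengths without further checks. That leaves the bounds guarantee resting entirely on vmsvga_verify_rect, which is not defined in this patch. It is worth confirming that the helper rejects negative values and `x + w` / `y + h` sums that overflow int, and that the patch introducing it is applied before this one in the series.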