vnc: fix memory corruption (CVE-2015-5225)

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABAgAGBQJV3etBAAoJEEy22O7T6HE445MP/isIdq3N73GE65nVVzK8QzYb nQUYsboud6HjPepycW1acQdQECKx1LmdSA7wkHFBkYEmyO6nBnOLKclT+qCwYaZ9 EiEPldGvk3WEVizuvg/nUV622aV2mFA+HYtQgye0CxSCV4UAZGeEgwRNIv1NKqI0 37sUwp9Xh5NalkX1CtLqL9NadHHbAhxaFyj5cu7pV+fepY8RRRjXbzizLXGKnHHT Tgc3BkQoGOUkllDhUY8zFArgBACdRWzjElnBjHLAoCe9lZMqAqFALLDLU38/0nYq 2Nk5eLwMF/ya6M1A+nfe7ElNjdqC/H9SlhMj2GBO8P3Rj+7ihPQqzxqhzaaD23o7 x9pQ53W2h+R4NlEhlWqNHyCx7STF3AF9MIHCWk1nHAAvR8wGP17PvGBpmJroIajr 1X0O0mFyPzgH4EHX2Bbft6+tOxeKieLvDaxXqhMHeWEiKwiMO9B8Mp7eADKHzCSG pMd6DHVpE6xE8K5oJczHcX4A4E7kQOuNBZdZh8LX/d+/gFC0juN/V/nPw6+WRKGf cvhnADIImLWrFPz03YPPjHzakxCV7CVhBATBFyXQmBzOgCfE/cTFVM9eqcV/PWPh YmD3A6zUKR0qnJQZ0xxpgpdv4CGmVKTi1CnF0KPYUTszG7e6qm2dd7zBk3lvbu41 msz9yO/gaf5kNV76/zEO =IO67 -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2015-5225-20150826-1' into staging vnc: fix memory corruption (CVE-2015-5225) # gpg: Signature made Wed 26 Aug 2015 17:37:21 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-cve-2015-5225-20150826-1: vnc: fix memory corruption (CVE-2015-5225) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-12-02 08:13:34 +08:00 · 2015-08-26 17:45:09 +01:00 · 2015-08-26 17:45:09 +01:00 · 47c9dfee80
commit 47c9dfee80
parent 7df9671989 eb8934b041
1 changed files with 10 additions and 5 deletions
--- a/ui/vnc.c
+++ b/ui/vnc.c
@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
                    pixman_image_get_width(vd->server));
    int height = MIN(pixman_image_get_height(vd->guest.fb),
                     pixman_image_get_height(vd->server));
-    int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
+    int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
    uint8_t *guest_row0 = NULL, *server_row0;
    VncState *vs;
    int has_dirty = 0;
@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
     * Update server dirty map.
     */
    server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
-    server_stride = guest_stride = pixman_image_get_stride(vd->server);
+    server_stride = guest_stride = guest_ll =
+        pixman_image_get_stride(vd->server);
    cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
                    server_stride);
    if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
        int width = pixman_image_get_width(vd->server);
        tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
    } else {
+        int guest_bpp =
+            PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
        guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
        guest_stride = pixman_image_get_stride(vd->guest.fb);
+        guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
    }
-    min_stride = MIN(server_stride, guest_stride);
+    line_bytes = MIN(server_stride, guest_ll);

    for (;;) {
        int x;
@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
            if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
                continue;
            }
-            if ((x + 1) * cmp_bytes > min_stride) {
-                _cmp_bytes = min_stride - x * cmp_bytes;
+            if ((x + 1) * cmp_bytes > line_bytes) {
+                _cmp_bytes = line_bytes - x * cmp_bytes;
            }
+            assert(_cmp_bytes >= 0);
            if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
                continue;
            }