| commit | a501bfc91763d4642390090dd4e6039d67b63702 | |
| author | Helge Deller <deller@gmx.de> | |
| Sun, 9 Aug 2020 13:35:38 +0000 (9 15:35 +0200) | ||
| committer | Helge Deller <deller@gmx.de> | |
| Wed, 26 Aug 2020 21:04:00 +0000 (26 23:04 +0200) | ||
| tree | 9f08327c2140d275764971be59ad6511b69a15eb | treesnapshot (tar.gz zip) |
| parent | 8bd0d5b5ef0552d66968a8fdefc5a9080eb358e3 | commitdiff |
hw/display/artist: Prevent out of VRAM buffer accesses
Simplify various bounds checks by changing parameters like row and column
numbers to become unsigned instead of signed.
With that we can check if the calculated offset is bigger than the size of the
VRAM region and bail out if not.
Reported-by: LLVM libFuzzer
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880326
Buglink: https://bugs.launchpad.net/qemu/+bug/1890310
Buglink: https://bugs.launchpad.net/qemu/+bug/1890311
Buglink: https://bugs.launchpad.net/qemu/+bug/1890312
Buglink: https://bugs.launchpad.net/qemu/+bug/1890370
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Helge Deller <deller@gmx.de>
Simplify various bounds checks by changing parameters like row and column
numbers to become unsigned instead of signed.
With that we can check if the calculated offset is bigger than the size of the
VRAM region and bail out if not.
Reported-by: LLVM libFuzzer
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880326
Buglink: https://bugs.launchpad.net/qemu/+bug/1890310
Buglink: https://bugs.launchpad.net/qemu/+bug/1890311
Buglink: https://bugs.launchpad.net/qemu/+bug/1890312
Buglink: https://bugs.launchpad.net/qemu/+bug/1890370
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Helge Deller <deller@gmx.de>
| hw/display/artist.c | diffblobblamehistory |