From: Gerd Hoffmann
Subject: [Qemu-devel] [PULL 5/6] vmsvga: don't process more than 1024 fifo commands at once
Date: Mon, 6 Jun 2016 09:06:21 +0200
vmsvga_fifo_run is called at regular intervals (on each display update)
and will resume where it left off. So we can simply exit the loop,
without having to worry about how processing will continue.
Fixes: CVE-2016-4453
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
---
hw/display/vmware_vga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index de2567b..e51a05e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct
vmsvga_state_s *s)
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
{
uint32_t cmd, colour;
- int args, len;
+ int args, len, maxloop = 1024;
int x, y, dx, dy, width, height;
struct vmsvga_cursor_definition_s cursor;
uint32_t cmd_start;
len = vmsvga_fifo_length(s);
- while (len > 0) {
+ while (len > 0 && --maxloop > 0) {
/* May need to go back to the start of the command if incomplete */
cmd_start = s->fifo_stop;
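Review bot: the pre-decrement in `while (len > 0 && --maxloop > 0) {` means the loop body runs at most 1023 times, not the 1024 that the subject line and the `int args, len, maxloop = 1024;` initializer suggest; either use `maxloop-- > 0` or adjust the initializer so the stated bound matches the code. The bound itself is a bare magic number in the declaration; giving it a named constant and a one-line comment next to the loop saying that the cap prevents a guest from keeping vmsvga_fifo_run busy indefinitely would keep the rationale (currently only in the commit message) visible to the next reader of this function.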
--
1.8.3.1