[PATCH] ui/cursor: fix integer overflow in cursor

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206)

From:	Mauro Matteo Cascella
Subject:	[PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206)
Date:	Tue, 5 Apr 2022 12:32:58 +0200

Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.

Fixes: CVE-2022-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
 hw/display/qxl-render.c |  7 +++++++
 ui/cursor.c             | 12 +++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index d28849b121..dc3c4edd05 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor 
*cursor,
     size_t size;
 
     c = cursor_alloc(cursor->header.width, cursor->header.height);
+
+    if (!c) {
+        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
+                cursor->header.width, cursor->header.height);
+        goto fail;
+    }
+
     c->hot_x = cursor->header.hot_spot_x;
     c->hot_y = cursor->header.hot_spot_y;
     switch (cursor->header.type) {
diff --git a/ui/cursor.c b/ui/cursor.c
index 1d62ddd4d0..7cfb08a030 100644
--- a/ui/cursor.c
+++ b/ui/cursor.c
@@ -46,6 +46,13 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
 
     /* parse pixel data */
     c = cursor_alloc(width, height);
+
+    if (!c) {
+        fprintf(stderr, "%s: cursor %ux%u alloc error\n",
+                __func__, width, height);
+        return NULL;
+    }
+
     for (pixel = 0, y = 0; y < height; y++, line++) {
         for (x = 0; x < height; x++, pixel++) {
             idx = xpm[line][x];
@@ -91,7 +98,10 @@ QEMUCursor *cursor_builtin_left_ptr(void)
 QEMUCursor *cursor_alloc(int width, int height)
 {
     QEMUCursor *c;
-    int datasize = width * height * sizeof(uint32_t);
+    size_t datasize = width * height * sizeof(uint32_t);
+
+    if (width > 512 || height > 512)
+        return NULL;
 
     c = g_malloc0(sizeof(QEMUCursor) + datasize);
     c->width  = width;
-- 
2.35.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206), Mauro Matteo Cascella <=
- Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206), Marc-André Lureau, 2022/04/05
  - Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206), Gerd Hoffmann, 2022/04/05
    - Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206), Mauro Matteo Cascella, 2022/04/05
    - Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206), Gerd Hoffmann, 2022/04/06
- Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206), Peter Maydell, 2022/04/05

Prev by Date: Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Next by Date: [PULL 05/10] qapi: fix example of query-vnc command
Previous by thread: Re: [PATCH] block/stream: Drain subtree around graph change
Next by thread: Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206)
Index(es):
- Date
- Thread