From: Gerd Hoffmann
Subject: Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206)
Date: Tue, 5 Apr 2022 13:10:10 +0200
> > +++ b/ui/cursor.c
> > @@ -46,6 +46,13 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
> >
> > /* parse pixel data */
> > c = cursor_alloc(width, height);
> > +
> > + if (!c) {
> > + fprintf(stderr, "%s: cursor %ux%u alloc error\n",
> > + __func__, width, height);
> > + return NULL;
> > + }
> >
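Review bot: the new error path after `c = cursor_alloc(width, height);` prints to stderr and returns NULL, but cursor_parse_xpm() is only ever fed the static XPM data in ui/cursor*.xpm, so a NULL from cursor_alloc() here is an invariant violation rather than a runtime condition; an abort() on `!c` (as the reply already suggests) would be simpler and would not push a NULL check onto every caller of cursor_parse_xpm(). The check also covers only this one call site: vmsvga_cursor_define() calls cursor_alloc() with guest-supplied width and height, as noted further down in this thread, and that caller needs the same guard, since it is the one that receives untrusted dimensions.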
>
> I think you could simply abort() in this function. It is used with static
> data (ui/cursor*.xpm)
Yes, that should never happen.
Missing: vmsvga_cursor_define() calls cursor_alloc() with guest-supplied
values too.
take care,
Gerd