| From: | Michael Tokarev |
| Subject: | Re: [PATCH] ui/cursor: incomplete check for integer overflow in cursor_alloc |
| Date: | Wed, 10 May 2023 21:23:39 +0300 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 |
08.05.2023 17:18, Mauro Matteo Cascella wrote:
> The cursor_alloc function still accepts a signed integer for both the cursor
> width and height. A specially crafted negative width/height could make datasize
> wrap around and cause the next allocation to be 0, potentially leading to a
> heap buffer overflow. Modify QEMUCursor struct and cursor_alloc prototype to
> accept unsigned ints.
>
> Fixes: CVE-2023-1601
> Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)")
Looks like -stable material too?

Thanks,

/mjt
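The quoted patch description explains why an upper-bound check on signed dimensions is not enough: a negative width or height passes the check and the product wraps to a tiny allocation. The following is an added illustration of that reasoning, not code from QEMU or from the patch: a simplified size computation with signed dimensions beside the same computation with unsigned ones. The bound `MAX_CURSOR_DIM`, the function names and the sample dimensions are assumptions chosen for the example; signed overflow is undefined in C, so the 32-bit wraparound is written out explicitly in unsigned arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on cursor width/height. This is an assumption for
 * the example, not a value taken from QEMU. */
#define MAX_CURSOR_DIM 512

/* Before: signed dimensions. The bound check only rejects values that are too
 * large, so a negative width or height slips through. The wraparound that a
 * real `int datasize = width * height * sizeof(uint32_t);` would suffer is
 * modelled here in uint32_t arithmetic; *datasize receives the byte count the
 * allocator would be handed. Illustrative code, not QEMU's. */
bool datasize_signed(int32_t width, int32_t height, uint32_t *datasize)
{
    if (width > MAX_CURSOR_DIM || height > MAX_CURSOR_DIM) {
        return false;               /* rejected: too large */
    }
    *datasize = (uint32_t)width * (uint32_t)height * (uint32_t)sizeof(uint32_t);
    return true;                    /* accepted, possibly with a wrapped size */
}

/* After: unsigned dimensions. A caller passing a negative int now hands over a
 * value above 2^31, which the same upper-bound check rejects. With both
 * dimensions capped at MAX_CURSOR_DIM the product is at most
 * MAX_CURSOR_DIM * MAX_CURSOR_DIM * 4 bytes, so it cannot wrap. */
bool datasize_unsigned(uint32_t width, uint32_t height, uint32_t *datasize)
{
    if (width > MAX_CURSOR_DIM || height > MAX_CURSOR_DIM) {
        return false;               /* rejected: too large, including ex-negative values */
    }
    *datasize = width * height * (uint32_t)sizeof(uint32_t);
    return true;
}

int main(void)
{
    /* Constructed input: a negative width chosen so that width*height*4 is an
     * exact multiple of 2^32 and therefore wraps to zero. */
    int32_t width = -2097152;       /* -2^21 */
    int32_t height = 512;
    uint32_t size;

    if (datasize_signed(width, height, &size)) {
        printf("signed check accepted %d x %d, datasize = %u bytes\n",
               width, height, size);
    }
    if (!datasize_unsigned((uint32_t)width, (uint32_t)height, &size)) {
        printf("unsigned check rejected %u x %u\n",
               (uint32_t)width, (uint32_t)height);
    }
    if (datasize_unsigned(64, 64, &size)) {
        printf("unsigned check accepted 64 x 64, datasize = %u bytes\n", size);
    }
    return 0;
}
```

The point of the second function is the one the patch makes: once the dimensions are unsigned, the existing "too large" check also covers every value that used to be negative, and the product is bounded, so no separate overflow check on the multiplication is needed as long as the bound itself is small enough.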