diff options
author | Mauro Matteo Cascella | 2022-04-07 10:17:12 +0200 |
---|---|---|
committer | Gerd Hoffmann | 2022-04-07 12:30:54 +0200 |
commit | fa892e9abb728e76afcf27323ab29c57fb0fe7aa (patch) | |
tree | 2e3db9e407e4559f313700a8912e431cf96a5880 /ui/cursor.c | |
parent | display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) (diff) | |
download | qemu-fa892e9abb728e76afcf27323ab29c57fb0fe7aa.tar.gz qemu-fa892e9abb728e76afcf27323ab29c57fb0fe7aa.tar.xz qemu-fa892e9abb728e76afcf27323ab29c57fb0fe7aa.zip |
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'ui/cursor.c')
-rw-r--r-- | ui/cursor.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/ui/cursor.c b/ui/cursor.c index 1d62ddd4d0..835f0802f9 100644 --- a/ui/cursor.c +++ b/ui/cursor.c @@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) /* parse pixel data */ c = cursor_alloc(width, height); + assert(c != NULL); + for (pixel = 0, y = 0; y < height; y++, line++) { for (x = 0; x < height; x++, pixel++) { idx = xpm[line][x]; @@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) QEMUCursor *cursor_alloc(int width, int height) { QEMUCursor *c; - int datasize = width * height * sizeof(uint32_t); + size_t datasize = width * height * sizeof(uint32_t); + + if (width > 512 || height > 512) { + return NULL; + } c = g_malloc0(sizeof(QEMUCursor) + datasize); c->width = width; |