author | Roland Dreier <rdreier@cisco.com> | 2010-01-05 20:43:34 -0800 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2010-01-11 10:03:39 -0600 |
commit | e1daf40e3e61537da1509236dadc23ca8c4bc0e6 (patch) | |
tree | 402f608ed493fa2f029e51187c57776bdaa09fe4 /hw | |
parent | de3ea06d59a110eb401c543b992dd85779ed8362 (diff) | |
vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow
Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f2d928d44ebc918750c94f3605c1417f1f653ec9)
Diffstat (limited to 'hw')
-rw-r--r-- | hw/vmware_vga.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c index 7ab1c7910b..5e969aedb4 100644 --- a/hw/vmware_vga.c +++ b/hw/vmware_vga.c @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) cursor.height = y = vmsvga_fifo_read(s); vmsvga_fifo_read(s); cursor.bpp = vmsvga_fifo_read(s); + + if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || + SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); + goto badcmd; + } + for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++) cursor.mask[args] = vmsvga_fifo_read_raw(s); for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++) |
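Review bot: the `args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);` line before `goto badcmd` reuses the loop counter to carry a byte count to the `badcmd` label, and the two `for (args = 0; ...)` loops immediately below reuse it again, so a one-line comment at the assignment saying what `badcmd` does with that value would keep the next reader from mistaking it for a stray initialisation. The bounds check itself compares sizes computed from the guest-supplied `x`, `y` and `cursor.bpp`; as long as `SVGA_BITMAP_SIZE` and `SVGA_PIXMAP_SIZE` cannot wrap for the full range of values `vmsvga_fifo_read` can return, the comparison against `sizeof cursor.mask` and `sizeof cursor.image` is sufficient, but if those macros are plain width-times-height arithmetic on `int`, it would be worth bounding `x`, `y` and `cursor.bpp` to their documented maxima before the multiplication so the size test cannot pass on a wrapped value. Minor style point: `sizeof cursor.mask` is valid C, but `sizeof(cursor.mask)` matches the form used elsewhere in QEMU.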