Fix heap overflow in Cirrus emulation

Obtained from: qemu svn Security: http://www.vuxml.org/freebsd/07bb3bd2-a920-11dd-8503-0211060005df.html
author: Juergen Lock <nox@FreeBSD.org> 2008-11-02 22:59:10 +0000
committer: Juergen Lock <nox@FreeBSD.org> 2008-11-02 22:59:10 +0000
commit: 6bc005ce5945dd2ba664d07fef62ec9108649eee (patch)
tree: bdb6b8c354826a397a1598e9d5906b1b585dff7f /emulators/qemu-devel/files
parent: Document qemu -- Heap overflow in Cirrus emulation (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/emulators/qemu-devel/files/patch-CVE-2008-4539 b/emulators/qemu-devel/files/patch-CVE-2008-4539
new file mode 100644
index 000000000000..c2348bd4cf91
--- /dev/null
+++ b/emulators/qemu-devel/files/patch-CVE-2008-4539
@@ -0,0 +1,27 @@
+Index: qemu/hw/cirrus_vga.c
+===================================================================
+--- trunk/hw/cirrus_vga.c	2008-11-01 00:53:30 UTC (rev 5586)
++++ trunk/hw/cirrus_vga.c	2008-11-01 00:53:39 UTC (rev 5587)
+@@ -785,15 +785,14 @@
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
++    if (BLTUNSAFE(s))
++        return 0;
++
+     if (s->ds->dpy_copy) {
+ 	cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
+ 		       s->cirrus_blt_srcaddr - s->start_addr,
+ 		       s->cirrus_blt_width, s->cirrus_blt_height);
+     } else {
+-
+-    if (BLTUNSAFE(s))
+-        return 0;
+-
+ 	(*s->cirrus_rop) (s, s->vram_ptr +
+                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ 			  s->vram_ptr +
+
+
+
+
author	Juergen Lock <nox@FreeBSD.org>	2008-11-02 22:59:10 +0000
committer	Juergen Lock <nox@FreeBSD.org>	2008-11-02 22:59:10 +0000
commit	6bc005ce5945dd2ba664d07fef62ec9108649eee (patch)
tree	bdb6b8c354826a397a1598e9d5906b1b585dff7f /emulators/qemu-devel/files
parent	Document qemu -- Heap overflow in Cirrus emulation (diff)