ia64/xen-unstable

changeset 11967:72ce74a680d7

[HVM] Avoid buffer overrun in qemu-dm
The array offset in set_bits_in_row here comes from an otherwise un-checked
VNC client request.
Signed-off-by: Tim Deegan <Tim.Deegan@xensource.com>
author Tim Deegan <Tim.Deegan@xensource.com>
date Wed Oct 25 11:39:57 2006 +0100 (2006-10-25)
parents ffbd9e4668a6
children 08158fadf543
files tools/ioemu/vnc.c
line diff
     1.1 --- a/tools/ioemu/vnc.c	Wed Oct 25 10:59:00 2006 +0100
     1.2 +++ b/tools/ioemu/vnc.c	Wed Oct 25 11:39:57 2006 +0100
     1.3 @@ -203,6 +203,8 @@ static void set_bits_in_row(VncState *vs
     1.4  	mask = ~(0ULL);
     1.5  
     1.6      h += y;
     1.7 +    if (h > vs->ds->height)
     1.8 +        h = vs->ds->height;
     1.9      for (; y < h; y++)
    1.10  	row[y] |= mask;
    1.11  }
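Review bot: the clamp added after `h += y` bounds only the upper end of the loop; the starting index `y` is still used unchecked in `row[y] |= mask`. The commit message says the offset comes from an otherwise unchecked VNC client request. The types of `y` and `h` are not visible in this hunk, but if they are signed, a negative `y` still writes before the start of `row`, and a large `y + h` could wrap before it is compared with `vs->ds->height`. Consider validating `y` first (return early when `y < 0 || y >= vs->ds->height`) and clamping `h` to `vs->ds->height - y` before the addition. The check also relies on `row` having at least `vs->ds->height` entries, which this hunk does not show; a short comment stating that invariant would help.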