display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

author Mauro Matteo Cascella <mcascell@redhat.com>

Thu, 7 Apr 2022 08:11:06 +0000 (10:11 +0200)

committer Gerd Hoffmann <kraxel@redhat.com>

Thu, 7 Apr 2022 10:30:54 +0000 (12:30 +0200)
author Mauro Matteo Cascella <mcascell@redhat.com>
Thu, 7 Apr 2022 08:11:06 +0000 (10:11 +0200)
committer Gerd Hoffmann <kraxel@redhat.com>
Thu, 7 Apr 2022 10:30:54 +0000 (12:30 +0200)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c

index d28849b121763600d219623213801ee02a847856..237ed293baaea76e9602e50a97eeaadf778c1839 100644 (file)
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
          }
          break;
      case SPICE_CURSOR_TYPE_ALPHA:
-        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
+        size = sizeof(uint32_t) * c->width * c->height;
          qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
          if (qxl->debug > 2) {
              cursor_print_ascii_art(c, "qxl/alpha");
author	Mauro Matteo Cascella <mcascell@redhat.com>
	Thu, 7 Apr 2022 08:11:06 +0000 (10:11 +0200)
committer	Gerd Hoffmann <kraxel@redhat.com>
	Thu, 7 Apr 2022 10:30:54 +0000 (12:30 +0200)