cirrus: don't overflow CirrusVGAState->cirrus_bltbuf

This is CVE-2014-8106.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 3e2f1b2528b803423fd3818ba8be2fe76399abf6..a5e538f73d1e82e2c3c1ae8d35bd279080a1dc74 100644 (file)
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -282,6 +282,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
     assert(s->cirrus_blt_width > 0);
     assert(s->cirrus_blt_height > 0);
 
+    if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+        return true;
+    }
+
     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
         return true;