vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index cdc1a05b0c14bcae3e2a7d872017913748170eea..e70936913d0cdfec3b756a61af15e11eabe3a08f 100644 (file)
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             cursor.height = y = vmsvga_fifo_read(s);
             vmsvga_fifo_read(s);
             cursor.bpp = vmsvga_fifo_read(s);
+
+           if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+               SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+                   args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+                   goto badcmd;
+           }
+
             for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++)
                 cursor.mask[args] = vmsvga_fifo_read_raw(s);
             for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)