]> git.proxmox.com Git - pve-qemu-kvm.git/blobdiff - debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
projects / pve-qemu-kvm.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
update to qemu-2.9.0-rc2
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
diff --git a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
deleted file mode 100644 (file)
index acaeb95..0000000
--- a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 18 Oct 2016 13:15:17 +0530
-Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
-
-In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
-'cirrus_get_bpp' returns zero(0), which could lead to a divide
-by zero error in while copying pixel data. The same could occur
-via blit pitch values. Add check to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
-
-Notes:
-    CVE-2016-9921
-    CVE-2016-9922
-
- hw/display/cirrus_vga.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 3d712d5..bdb092e 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-                                   int32_t pitch, int32_t addr)
- {
-+    if (!pitch) {
-+        return true;
-+    }
-     if (pitch < 0) {
-         int64_t min = addr
-             + ((int64_t)s->cirrus_blt_height-1) * pitch;
-@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
-                                             s->cirrus_addr_mask));
- }
--static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- {
-     int sx = 0, sy = 0;
-     int dx = 0, dy = 0;
-@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-         int width, height;
-         depth = s->vga.get_bpp(&s->vga) / 8;
-+        if (!depth) {
-+            return 0;
-+        }
-         s->vga.get_resolution(&s->vga, &width, &height);
-         /* extra x, y */
-@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
-                               s->cirrus_blt_dstpitch, s->cirrus_blt_width,
-                               s->cirrus_blt_height);
-+
-+    return 1;
- }
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
-@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
-     if (blit_is_unsafe(s))
-         return 0;
--    cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
-+    return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
-             s->cirrus_blt_srcaddr - s->vga.start_addr,
-             s->cirrus_blt_width, s->cirrus_blt_height);
--
--    return 1;
- }
- /***************************************
--- 
-2.1.4
-
old QEMU for PVE