authorGerd Hoffmann <kraxel@redhat.com>2016-05-30 09:09:21 +0200
committerGerd Hoffmann <kraxel@redhat.com>2016-06-06 09:04:29 +0200
commit4e68a0ee17dad7b8d870df0081d4ab2e079016c2 (patch)
tree0e6f8c5fd9b1fc3bb5f317e5ccf94f297862830d
parent7e486f7577764a07aa35588e119903c80a5c30a2 (diff)
vmsvga: don't process more than 1024 fifo commands at once
vmsvga_fifo_run is called at regular intervals (on each display update) and will resume where it left off. So we can simply exit the loop, without having to worry about how processing will continue. Fixes: CVE-2016-4453 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-rw-r--r--hw/display/vmware_vga.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index de2567b009..e51a05ea7e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
{
uint32_t cmd, colour;
- int args, len;
+ int args, len, maxloop = 1024;
int x, y, dx, dy, width, height;
struct vmsvga_cursor_definition_s cursor;
uint32_t cmd_start;
len = vmsvga_fifo_length(s);
- while (len > 0) {
+ while (len > 0 && --maxloop > 0) {
/* May need to go back to the start of the command if incomplete */
cmd_start = s->fifo_stop;