CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow

I have just noticed that patch for CVE-2007-1320 has never been applied to the QEMU CVS. Please find it below. | Multiple heap-based buffer overflows in the cirrus_invalidate_region | function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and | possibly other products, might allow local users to execute arbitrary | code via unspecified vectors related to "attempting to mark | non-existent regions as dirty," aka the "bitblt" heap overflow. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4340 c046a42c-6fe2-441c-8c8c-71466251a162
author: aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162> 2008-05-05 21:26:31 +0000
committer: aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162> 2008-05-05 21:26:31 +0000
commit: b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef (patch)
tree: ef4496074c346e25170b4209c0f337a0d406f57f /hw/cirrus_vga_rop.h
parent: cbf5c748e202c6f02e63d1ba45757925e65a64fa (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/cirrus_vga_rop.h b/hw/cirrus_vga_rop.h
index 3d6a1fef1f..0079d12701 100644
--- a/hw/cirrus_vga_rop.h
+++ b/hw/cirrus_vga_rop.h
@@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
     int x,y;
     dstpitch -= bltwidth;
     srcpitch -= bltwidth;
+
+    if (dstpitch < 0 || srcpitch < 0) {
+        /* is 0 valid? srcpitch == 0 could be useful */
+        return;
+    }
+
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
             ROP_OP(*dst, *src);
author	aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>	2008-05-05 21:26:31 +0000
committer	aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>	2008-05-05 21:26:31 +0000
commit	b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef (patch)
tree	ef4496074c346e25170b4209c0f337a0d406f57f /hw/cirrus_vga_rop.h
parent	cbf5c748e202c6f02e63d1ba45757925e65a64fa (diff)