ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)

Prevent potential integer overflow by limiting 'width' and 'height' to 512x512. Also change 'datasize' type to size_t. Refer to security advisory https://starlabs.sg/advisories/22-4206/ for more information. Fixes: CVE-2021-4206 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220407081712.345609-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Mauro Matteo Cascella <mcascell@redhat.com> 2022-04-07 10:17:12 +0200
committer: Gerd Hoffmann <kraxel@redhat.com> 2022-04-07 12:30:54 +0200
commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa (patch)
tree: 2e3db9e407e4559f313700a8912e431cf96a5880 /ui
parent: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/ui/cursor.c b/ui/cursor.c
index 1d62ddd4d0..835f0802f9 100644
--- a/ui/cursor.c
+++ b/ui/cursor.c
@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
 
     /* parse pixel data */
     c = cursor_alloc(width, height);
+    assert(c != NULL);
+
     for (pixel = 0, y = 0; y < height; y++, line++) {
         for (x = 0; x < height; x++, pixel++) {
             idx = xpm[line][x];
@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
 QEMUCursor *cursor_alloc(int width, int height)
 {
     QEMUCursor *c;
-    int datasize = width * height * sizeof(uint32_t);
+    size_t datasize = width * height * sizeof(uint32_t);
+
+    if (width > 512 || height > 512) {
+        return NULL;
+    }
 
     c = g_malloc0(sizeof(QEMUCursor) + datasize);
     c->width  = width;
author	Mauro Matteo Cascella <mcascell@redhat.com>	2022-04-07 10:17:12 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2022-04-07 12:30:54 +0200
commit	fa892e9abb728e76afcf27323ab29c57fb0fe7aa (patch)
tree	2e3db9e407e4559f313700a8912e431cf96a5880 /ui
parent	9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 (diff)