[Xen-changelog] [qemu-xen staging-4.10] vga: fix region calculation
commit 93971e6e4813abfe3525ce6abbddcf8f71fdfca5
Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
AuthorDate: Fri Mar 9 15:37:04 2018 +0100
Commit: Anthony PERARD <anthony.perard@xxxxxxxxxx>
CommitDate: Mon Apr 1 17:09:57 2019 +0100
vga: fix region calculation
Typically the scanline length and the line offset are identical. But
in case they are not, our calculation for region_end is incorrect. Using
line_offset is fine for all scanlines, except the last one where we have
to use the actual scanline length.
Fixes: CVE-2018-7550
Reported-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Reviewed-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx>
Tested-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Message-id: 20180309143704.13420-1-kraxel@xxxxxxxxxx
(cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d)
---
hw/display/vga.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index b6a3b95c93..f060f2679f 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1489,6 +1489,8 @@ static void vga_draw_graphic(VGACommonState *s, int
full_update)
region_start = (s->start_addr * 4);
region_end = region_start + (ram_addr_t)s->line_offset * height;
+ region_end += width * s->get_bpp(s) / 8; /* scanline length */
+ region_end -= s->line_offset;
if (region_end > s->vbe_size) {
/* wraps around (can happen with cirrus vbe modes) */
region_start = 0;
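Review bot: the two added lines in vga_draw_graphic() rely on height >= 1 and on s->get_bpp(s) returning the real, nonzero depth of the mode being drawn, and nothing in the visible hunk guarantees either. With height == 0 the `region_end -= s->line_offset` step puts region_end below region_start (or wraps it, if region_end is unsigned as the ram_addr_t cast suggests), so the `region_end > s->vbe_size` test that follows is decided on a meaningless value. With a bpp of 0 the last scanline contributes nothing and the region ends one line_offset short of what is actually read. Consider guarding or asserting both conditions before the calculation, and folding the three statements into one expression of the form region_start + (ram_addr_t)s->line_offset * (height - 1) + scanline length, which makes the intent visible and avoids the add-then-subtract. The `width * s->get_bpp(s) / 8` term is also evaluated without the ram_addr_t cast used on the line above; casting it the same way keeps the arithmetic consistent.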
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#staging-4.10
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog