[PATCH 3/3] hw/display/artist: Check offset in block_move to avoid buffer over-read

From: Philippe Mathieu-Daudé
Subject: [PATCH 3/3] hw/display/artist: Check offset in block_move to avoid buffer over-read
Date: Sat, 23 May 2020 21:15:17 +0200
Invalid I/O writes can craft an offset out of the vram_buffer range.
We avoid:
Program terminated with signal SIGSEGV, Segmentation fault.
519 artist_rop8(s, buf, dst + column, buf->data[src + column]);
(gdb) bt
#0 0x000055fa83b05e0a in block_move (s=0x55fa8647e510, source_x=0,
source_y=0, dest_x=255, dest_y=-5, width=22, height=16705) at
hw/display/artist.c:519
#1 0x000055fa83b071da in artist_reg_write (opaque=0x55fa8647e510,
addr=1051392, val=16777211, size=4) at hw/display/artist.c:954
Reported-by: LLVM libFuzzer
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
---
hw/display/artist.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/display/artist.c b/hw/display/artist.c
index 6f61b85a24..320e3c5050 100644
--- a/hw/display/artist.c
+++ b/hw/display/artist.c
@@ -513,6 +513,11 @@ static void block_move(ARTISTState *s, int source_x, int
source_y, int dest_x,
dst = dest_x + ((line + dest_y) * buf->width);
for (column = startcolumn; column != endcolumn; column += columnincr) {
+ if ((int)src + column < 0 || src + column >= buf->size) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "block_move src:%d column:%d\n", src, column);
+ continue; /* FIXME */
+ }
if (dst + column > buf->size || src + column > buf->size) {
continue;
}
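Review bot: the new check only bounds `src + column`, but the backtrace in the commit message (dest_y=-5) shows `dst` can go negative as well, and the existing check that follows still uses `>` rather than `>=`, so `dst + column == buf->size` passes and indexes one past the end of `buf->data`. Rather than stacking a second check in front of the old one, fold both into a single test that covers both directions and both ends, for example `if (dst + column < 0 || dst + column >= buf->size || src + column < 0 || src + column >= buf->size) continue;`, and drop the `/* FIXME */` or say what is still missing. The `(int)src` cast also deserves a comment: if `src` is unsigned, `src + column >= buf->size` with a negative `column` wraps to a large value and silently passes, so the intent of the cast should be stated next to it.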
--
2.21.3