fix various CVEs
[pve-qemu-kvm.git] / debian / patches / extra / 0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
1 From 6e964a410da04c4519a4e1e3e7196bc7dcfd59b7 Mon Sep 17 00:00:00 2001
2 From: Gerd Hoffmann <kraxel@redhat.com>
3 Date: Mon, 30 May 2016 09:09:21 +0200
4 Subject: [PATCH 7/9] vmsvga: don't process more than 1024 fifo commands at
5 once
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
10 vmsvga_fifo_run is called in regular intervals (on each display update)
11 and will resume where it left off. So we can simply exit the loop,
12 without having to worry about how processing will continue.
14 Fixes: CVE-2016-4453
15 Cc: P J P <ppandit@redhat.com>
16 Reported-by: 李强 <liqiang6-s@360.cn>
17 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
18 ---
19 hw/display/vmware_vga.c | 4 ++--
20 1 file changed, 2 insertions(+), 2 deletions(-)
22 diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
23 index 99e128b..b143a86 100644
24 --- a/hw/display/vmware_vga.c
25 +++ b/hw/display/vmware_vga.c
26 @@ -595,13 +595,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
27 static void vmsvga_fifo_run(struct vmsvga_state_s *s)
29 uint32_t cmd, colour;
30 - int args, len;
31 + int args, len, maxloop = 1024;
32 int x, y, dx, dy, width, height;
33 struct vmsvga_cursor_definition_s cursor;
34 uint32_t cmd_start;
36 len = vmsvga_fifo_length(s);
37 - while (len > 0) {
38 + while (len > 0 && --maxloop > 0) {
39 /* May need to go back to the start of the command if incomplete */
40 cmd_start = s->fifo_stop;
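Review bot: with `int args, len, maxloop = 1024;` and the pre-decrement in `while (len > 0 && --maxloop > 0)`, the body runs at most 1023 times per call, one fewer than the subject line states; either initialise `maxloop` to 1025, use `maxloop-- > 0`, or put the intended bound in a comment next to the declaration so the next reader does not have to re-derive it. Bounding the loop is otherwise a sound fix for the unbounded processing this commit addresses: leaving early is safe because the message says the function is re-entered on each display update and resumes where it stopped, and the visible `cmd_start = s->fifo_stop` rewind keeps a partially read command intact for the next call.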
42 --
43 2.1.4
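The bounded, resumable drain loop the commit message describes, as an added example that is not QEMU's code or part of this patch: a toy FIFO model with a hypothetical command encoding (argument count in the high 16 bits), showing that an incomplete command is rewound and picked up on the next pass, and that the `--maxloop` bound lets each call consume at most 1023 commands. All names and sizes here are assumptions.

```c
#include <stdint.h>
/* Added example, not QEMU code: a minimal model of a command FIFO that a
 * periodically called routine drains and resumes, shaped like vmsvga_fifo_run
 * after the patch. Names and the command encoding here are hypothetical. */
#define FIFO_SIZE 4096u
struct fifo_model {
    uint32_t buf[FIFO_SIZE];
    uint32_t fifo_next;  /* producer (guest) write index */
    uint32_t fifo_stop;  /* consumer read index, kept between calls */
    uint32_t checksum;   /* stands in for real command handling */
};

static uint32_t fifo_length(const struct fifo_model *s)
{
    return (s->fifo_next + FIFO_SIZE - s->fifo_stop) % FIFO_SIZE;
}

static uint32_t fifo_read(struct fifo_model *s)
{
    uint32_t w = s->buf[s->fifo_stop];
    s->fifo_stop = (s->fifo_stop + 1) % FIFO_SIZE;
    return w;
}

static int fifo_push(struct fifo_model *s, uint32_t word) /* producer side */
{
    if (fifo_length(s) == FIFO_SIZE - 1) return 0;      /* ring full */
    s->buf[s->fifo_next] = word;
    s->fifo_next = (s->fifo_next + 1) % FIFO_SIZE;
    return 1;
}

/* One drain pass with the patch's bound: with the pre-decrement, maxloop = 1024
 * admits at most 1023 commands per call. A command word carries its argument
 * count in the high 16 bits; an incomplete one is rewound and left queued. */
static uint32_t fifo_run(struct fifo_model *s, int maxloop)
{
    uint32_t len = fifo_length(s), done = 0;
    while (len > 0 && --maxloop > 0) {
        uint32_t cmd_start = s->fifo_stop;
        uint32_t args = fifo_read(s) >> 16;
        if (fifo_length(s) < args) {      /* not all arguments queued yet */
            s->fifo_stop = cmd_start;
            break;
        }
        while (args--) s->checksum ^= fifo_read(s);
        done++;
        len = fifo_length(s);
    }
    return done;
}
```

Calling `fifo_run` repeatedly on a queue of 3000 zero-argument commands consumes 1023, 1023 and then 954 of them, which is the per-call bound and the resume behaviour the commit relies on.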