The calc_image_hostmem() comment says pixman_image_create_bits() checks for overflow. However, this relied on the fact that "bits" was NULL, in which case pixman performed the check, and that was true when the comment was introduced. Since commit 9462ff4695aa, the "bits" argument can be provided and the check is no longer applied. This can lead to OOB access.
Thanks to Trend Micro's Zero Day Initiative for identifying the vulnerability.

Signed-off-by: Marc-André Lureau <[email protected]>
---
Marc-André Lureau (2):
      virtio-gpu: fix overflow check when allocating 2d image
      virtio-gpu: use computed rowstride instead of deriving it from hostmem

 hw/display/virtio-gpu.c | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)
---
base-commit: ae56950eac7b61b1abf42003329ee0f3ce111711
change-id: 20260311-cve-af8a6cabf312

Best regards,
-- 
Marc-André Lureau <[email protected]>
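The cover letter's point is that a width * bpp * height computation must be overflow-checked by the caller itself when the library can no longer be relied on to do it. The following C example, added here and not code from QEMU or pixman, shows a pixman-style 32-bit-aligned stride and host-memory calculation in two forms: an unchecked version that silently wraps, and a checked version that reports overflow through the GCC/Clang `__builtin_*_overflow` builtins. The function names, the sample dimensions, and the stride rounding rule (rows padded to a multiple of 32 bits) are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not QEMU's calc_image_hostmem()): plain uint32_t
 * arithmetic. Every multiplication wraps modulo 2^32, so a huge image can
 * come out as a tiny, or even zero, allocation size. */
uint32_t calc_image_hostmem_unchecked(uint32_t bpp, uint32_t width,
                                      uint32_t height)
{
    uint32_t stride = ((width * bpp + 31) / 32) * 4; /* bytes per row */
    return height * stride;                           /* total bytes */
}

/* Checked variant: returns false if any intermediate value does not fit
 * in uint32_t, so the caller never allocates from a wrapped size.
 * Requires GCC or Clang for __builtin_mul_overflow/__builtin_add_overflow. */
bool calc_image_hostmem_checked(uint32_t bpp, uint32_t width, uint32_t height,
                                uint32_t *stride_out, uint32_t *hostmem_out)
{
    uint32_t bits_per_row, padded, stride, hostmem;

    if (bpp == 0 || width == 0 || height == 0) {
        return false;                        /* reject degenerate images */
    }
    /* bits in one row: width * bpp */
    if (__builtin_mul_overflow(width, bpp, &bits_per_row)) {
        return false;
    }
    /* round the row up to a whole number of 32-bit words */
    if (__builtin_add_overflow(bits_per_row, 31u, &padded)) {
        return false;
    }
    stride = (padded / 32) * 4;              /* bytes per row, cannot overflow */
    /* total bytes: height * stride */
    if (__builtin_mul_overflow(height, stride, &hostmem)) {
        return false;
    }
    *stride_out = stride;
    *hostmem_out = hostmem;
    return true;
}

int main(void)
{
    uint32_t stride, hostmem;

    /* Ordinary 1024x768 32bpp surface: both variants agree. */
    if (calc_image_hostmem_checked(32, 1024, 768, &stride, &hostmem)) {
        printf("1024x768x32: stride=%u hostmem=%u (unchecked=%u)\n",
               stride, hostmem, calc_image_hostmem_unchecked(32, 1024, 768));
    }

    /* 65536x65536 32bpp: 2^34 bytes. The unchecked result wraps to 0;
     * the checked variant refuses the request. */
    printf("65536x65536x32 unchecked=%u checked_ok=%d\n",
           calc_image_hostmem_unchecked(32, 65536, 65536),
           calc_image_hostmem_checked(32, 65536, 65536, &stride, &hostmem));
    return 0;
}
```

The checked function returns the row stride alongside the total so that later code can use the stride it was actually allocated for, rather than deriving it again from the host-memory size.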
