On Mi, 2017-01-25 at 08:07 +0100, Gerd Hoffmann wrote:
> From: Li Qiang <liqiang...@360.cn>
>
> When doing bitblt copy in backward mode, we should minus the
> blt width first just like the adding in the forward mode. This
> can avoid the oob access of the front of vga's vram.
>
> Signed-off-by: Li Qiang <liqiang...@360.cn>
> Message-id: 5887254f.863a240a.2c122.5...@mx.google.com
>
> { kraxel: with backward blits (negative pitch) addr is the topmost
> address, so check it as-is against vram size ]
>
> Cc: qemu-sta...@nongnu.org
> Cc: P J P <ppan...@redhat.com>
> Cc: Laszlo Ersek <ler...@redhat.com>
> Cc: Paolo Bonzini <pbonz...@redhat.com>
> Cc: Wolfgang Bumiller <w.bumil...@proxmox.com>
> Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
For testers: All pending cirrus fixes are now pushed to:
git://git.kraxel.org/qemu queue/vga
Gerd Hoffmann (1):
cirrus: fix blit address mask handling
Li Qiang (1):
cirrus: fix oob access issue (CVE-2017-TODO)
Wolfgang Bumiller (1):
cirrus: allow zero source pitch in pattern fill rops
cheers,
Gerd
