Re: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2022-4206)

Tue, 05 Apr 2022 04:12:39 -0700 

Hi

On Tue, Apr 5, 2022 at 2:43 PM Mauro Matteo Cascella <mcasc...@redhat.com>
wrote:

> Prevent potential integer overflow by limiting 'width' and 'height' to
> 512x512. Also change 'datasize' type to size_t. Refer to security
> advisory https://starlabs.sg/advisories/22-4206/ for more information.
>
> Fixes: CVE-2022-4206
> Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
> ---
>  hw/display/qxl-render.c |  7 +++++++
>  ui/cursor.c             | 12 +++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
> index d28849b121..dc3c4edd05 100644
> --- a/hw/display/qxl-render.c
> +++ b/hw/display/qxl-render.c
> @@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl,
> QXLCursor *cursor,
>      size_t size;
>
>      c = cursor_alloc(cursor->header.width, cursor->header.height);
> +
> +    if (!c) {
> +        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
> +                cursor->header.width, cursor->header.height);
> +        goto fail;
> +    }
> +
>      c->hot_x = cursor->header.hot_spot_x;
>      c->hot_y = cursor->header.hot_spot_y;
>      switch (cursor->header.type) {
> diff --git a/ui/cursor.c b/ui/cursor.c
> index 1d62ddd4d0..7cfb08a030 100644
> --- a/ui/cursor.c
> +++ b/ui/cursor.c
> @@ -46,6 +46,13 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
>
>      /* parse pixel data */
>      c = cursor_alloc(width, height);
> +
> +    if (!c) {
> +        fprintf(stderr, "%s: cursor %ux%u alloc error\n",
> +                __func__, width, height);
> +        return NULL;
> +    }
>

I think you could simply abort() in this function. It is used with static
data (ui/cursor*.xpm)

+
>      for (pixel = 0, y = 0; y < height; y++, line++) {
>          for (x = 0; x < height; x++, pixel++) {
>              idx = xpm[line][x];
> @@ -91,7 +98,10 @@ QEMUCursor *cursor_builtin_left_ptr(void)
>  QEMUCursor *cursor_alloc(int width, int height)
>  {
>      QEMUCursor *c;
> -    int datasize = width * height * sizeof(uint32_t);
> +    size_t datasize = width * height * sizeof(uint32_t);
> +
> +    if (width > 512 || height > 512)
> +        return NULL;
>
>      c = g_malloc0(sizeof(QEMUCursor) + datasize);
>      c->width  = width;
> --
> 2.35.1
>
>
>
lgtm otherwise

-- 
Marc-André Lureau

Reply via email to