On Friday 30 April 2010, TwoThe wrote:
> Type: Bug
> Severity: major
> Component: VirtualBox OSE
> Host: Ubuntu 64
>
> In file src/VBox/Devices/Graphics/DevVGA.cpp:
>
> 794 VGAState *s = (VGAState*)opaque;
> 795 uint32_t val;
> 796
> !797 if (s->vbe_index <= VBE_DISPI_INDEX_NB) {
> 798 if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_GETCAPS) {
> 799 switch(s->vbe_index) {
> 800 /* XXX: do not hardcode ? */
> 801 case VBE_DISPI_INDEX_XRES:
> 802 val = VBE_DISPI_MAX_XRES;
> 803 break;
> 804 case VBE_DISPI_INDEX_YRES:
> 805 val = VBE_DISPI_MAX_YRES;
> 806 break;
> 807 case VBE_DISPI_INDEX_BPP:
> 808 val = VBE_DISPI_MAX_BPP;
> 809 break;
> 810 default:
> #811 val = s->vbe_regs[s->vbe_index];
> 812 break;
> 813 }
>
> VGAState->vbe_regs is of size VBE_DISPI_INDEX_NB, but the index is checked
> <= VBE_DISPI_INDEX_NB causing an array overflow in line 811 (off by one).
> The check in line 797 should be if (s->vbe_index < VBE_DISPI_INDEX_NB)

Confirmed. Thanks for this report!

Kind regards,

Frank
--
Dr.-Ing. Frank Mehnert
Registered office: Sun Microsystems GmbH, Sonnenallee 1, 85551 Kirchheim-Heimstetten
Munich District Court (Amtsgericht München): HRB 161028
Managing Director: Jürgen Kunz
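The off-by-one discussed in the thread, in a small added model written for this page (it is not VirtualBox's code; VBE_DISPI_INDEX_NB, the struct layout and the register contents are constructed): the reported `<=` check accepts the one-past-the-end index, while the proposed `<` check rejects it before the array read on line 811 can happen.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the VBE register file in DevVGA.cpp (assumed sizes, not
 * VirtualBox's real definitions): vbe_regs has exactly VBE_DISPI_INDEX_NB
 * elements, so the valid indices are 0 .. VBE_DISPI_INDEX_NB-1. */
#define VBE_DISPI_INDEX_NB 10

typedef struct {
    uint16_t vbe_index;
    uint16_t vbe_regs[VBE_DISPI_INDEX_NB];
    uint16_t next_field;  /* whatever sits after the array is what index NB would touch */
} VGAStateModel;

/* The reported check: `<=` lets vbe_index == VBE_DISPI_INDEX_NB through. */
static bool vbe_index_valid_buggy(uint32_t index) { return index <= VBE_DISPI_INDEX_NB; }

/* The proposed fix: `<` rejects the one-past-the-end index. */
static bool vbe_index_valid_fixed(uint32_t index) { return index < VBE_DISPI_INDEX_NB; }

/* Read path with the fixed bound. Returns the register value, or -1 when the
 * index is out of range (-1 is used here only so a caller can tell "rejected"
 * from "register holds 0"; the GETCAPS special cases are left out). */
static int vbe_read_data_fixed(const VGAStateModel *s)
{
    if (!vbe_index_valid_fixed(s->vbe_index))
        return -1;
    return s->vbe_regs[s->vbe_index];  /* now guaranteed in bounds */
}

/* Builds a sample state where register i holds 0x100 * i, sets the index, reads. */
int read_vbe_register(uint32_t index)
{
    VGAStateModel s = {0};
    for (unsigned i = 0; i < VBE_DISPI_INDEX_NB; i++)
        s.vbe_regs[i] = (uint16_t)(0x100 * i);
    s.next_field = 0xBEEF;
    s.vbe_index = (uint16_t)index;
    return vbe_read_data_fixed(&s);
}

int main(void)
{
    printf("index NB accepted by buggy check: %d, by fixed check: %d\n",
           vbe_index_valid_buggy(VBE_DISPI_INDEX_NB), vbe_index_valid_fixed(VBE_DISPI_INDEX_NB));
    printf("read(NB-1) = %d, read(NB) = %d\n",
           read_vbe_register(VBE_DISPI_INDEX_NB - 1), read_vbe_register(VBE_DISPI_INDEX_NB));
    return 0;
}
```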