cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should subtract the
blt width first, just like the addition in the forward mode. This
can avoid the oob access at the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

[ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
1 file changed
tree: aa25a3b95608e0f825c312751b11bf7039080b2d
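
The bounds reasoning in the commit message, as an added C sketch that is not QEMU's code and not part of this commit: for a backward blit the lowest byte touched is the last row's start minus the width, while addr itself is the highest byte. The struct, the function names and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical blit descriptor; names are assumptions, not QEMU's. */
struct blit {
    int32_t addr;   /* first byte of row 0; topmost byte if pitch < 0 */
    int32_t pitch;  /* bytes between rows; negative = backward blit */
    int32_t width;  /* bytes per row */
    int32_t height; /* number of rows */
};

/* Start address of the last row, in 64 bits so it cannot wrap. */
static int64_t last_row(const struct blit *b)
{
    return (int64_t)b->addr + (int64_t)(b->height - 1) * b->pitch;
}

/* Width-aware check: bound the lowest and highest byte touched. */
static bool blit_is_safe(const struct blit *b, int64_t vram_size)
{
    if (b->pitch == 0 || b->width <= 0 || b->height <= 0)
        return false;
    int64_t lo, hi;
    if (b->pitch < 0) {
        hi = b->addr;                        /* addr is the top: use as-is */
        lo = last_row(b) - (b->width - 1);   /* subtract the width first */
    } else {
        lo = b->addr;
        hi = last_row(b) + (b->width - 1);
    }
    return lo >= 0 && hi < vram_size;
}

/* Backward check that omits the width: only row starts are bounded. */
static bool backward_check_without_width(const struct blit *b, int64_t vram_size)
{
    return last_row(b) >= 0 && b->addr < vram_size;
}

int main(void)
{
    /* Constructed input: the last row starts at 0 and runs 47 bytes below it. */
    struct blit b = { .addr = 64, .pitch = -32, .width = 48, .height = 3 };
    printf("without width: %s, width-aware: %s\n",
           backward_check_without_width(&b, 4096) ? "accept" : "reject",
           blit_is_safe(&b, 4096) ? "accept" : "reject");
    return 0;
}
```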