ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Prevent potential integer overflow by limiting 'width' and 'height' to 512x512. Also change 'datasize' type to size_t. Refer to security advisory https://starlabs.sg/advisories/22-4206/ for more information. Fixes: CVE-2021-4206 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220407081712.345609-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa [log] [tgz]
author: Mauro Matteo Cascella <mcascell@redhat.com> Thu Apr 07 10:17:12 2022 +0200
committer: Gerd Hoffmann <kraxel@redhat.com> Thu Apr 07 12:30:54 2022 +0200
tree: 2e3db9e407e4559f313700a8912e431cf96a5880
parent: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 [diff] [blame]
diff --git a/ui/cursor.c b/ui/cursor.c
index 1d62ddd..835f080 100644
--- a/ui/cursor.c
+++ b/ui/cursor.c

@@ -46,6 +46,8 @@
 
     /* parse pixel data */
     c = cursor_alloc(width, height);
+    assert(c != NULL);
+
     for (pixel = 0, y = 0; y < height; y++, line++) {
         for (x = 0; x < height; x++, pixel++) {
             idx = xpm[line][x];
@@ -91,7 +93,11 @@
 QEMUCursor *cursor_alloc(int width, int height)
 {
     QEMUCursor *c;
-    int datasize = width * height * sizeof(uint32_t);
+    size_t datasize = width * height * sizeof(uint32_t);
+
+    if (width > 512 || height > 512) {
+        return NULL;
+    }
 
     c = g_malloc0(sizeof(QEMUCursor) + datasize);
     c->width  = width;
commit	fa892e9abb728e76afcf27323ab29c57fb0fe7aa	[log] [tgz]
author	Mauro Matteo Cascella <mcascell@redhat.com>	Thu Apr 07 10:17:12 2022 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	Thu Apr 07 12:30:54 2022 +0200
tree	2e3db9e407e4559f313700a8912e431cf96a5880
parent	9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 [diff] [blame]