From: Tim Deegan Date: Wed, 25 Oct 2006 10:39:57 +0000 (+0100) Subject: [HVM] Avoid buffer overrun in qemu-dm X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~15584^2~31^2~1 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=e481cc001d138a5247287c05624933a392568de4;p=xen.git [HVM] Avoid buffer overrun in qemu-dm The array offset in set_bits_in_row here comes from an otherwise un-checked VNC client request. Signed-off-by: Tim Deegan --- diff --git a/tools/ioemu/vnc.c b/tools/ioemu/vnc.c index 9b8bcffa37..631754ca03 100644 --- a/tools/ioemu/vnc.c +++ b/tools/ioemu/vnc.c @@ -203,6 +203,8 @@ static void set_bits_in_row(VncState *vs, uint64_t *row, mask = ~(0ULL); h += y; + if (h > vs->ds->height) + h = vs->ds->height; for (; y < h; y++) row[y] |= mask; }
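Review bot: the new clamp in set_bits_in_row bounds only the upper end of the loop, so the starting index y in `for (; y < h; y++) row[y] |= mask;` is still used as it arrived from the client. The declarations of y and h are outside this hunk; if they are signed, a negative y would still index before the start of row, and `h += y` is evaluated before the comparison, so a wrapped sum could slip past `if (h > vs->ds->height)`. Consider rejecting or clamping y (and x/w, which feed the mask computed above this hunk) before the addition, ideally where the client request is parsed, so that every consumer of these values sees validated coordinates. The clamp also assumes row holds at least vs->ds->height entries; a short comment stating that invariant, or an assertion against the array's declared size, would make the bound easier to audit if the display is ever resized.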