From patchwork Thu Aug 9 11:46:22 2018
X-Patchwork-Submitter: Liran Alon
X-Patchwork-Id: 10561277
From: Liran Alon
To: qemu-devel@nongnu.org
Date: Thu, 9 Aug 2018 14:46:22 +0300
Message-Id: <1533815202-11967-10-git-send-email-liran.alon@oracle.com>
In-Reply-To: <1533815202-11967-1-git-send-email-liran.alon@oracle.com>
References: <1533815202-11967-1-git-send-email-liran.alon@oracle.com>
Subject: [Qemu-devel] [PATCH 09/29] vmsvga: Account for length of command word when parsing commands
Cc: habkost@redhat.com, mtosatti@redhat.com, Liran Alon, kraxel@redhat.com, pbonzini@redhat.com, rth@twiddle.net, Leonid Shatz

From: Leonid Shatz

While we continue to ignore the SVGA_CMD_RECT_ROP_FILL, SVGA_CMD_RECT_ROP_COPY
and SVGA_CMD_FENCE commands, we should account for the command length, not only
for the arguments following the command code.

Signed-off-by: Leonid Shatz
Reviewed-by: Darren Kenny
Signed-off-by: Liran Alon
---
 hw/display/vmware_vga.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 675c8755ab48..b32a625ae9c2 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -731,9 +731,17 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) * arguments so we can avoid FIFO desync */ case SVGA_CMD_RECT_ROP_FILL: /* deprecated */ + len -= 1; + if (len < 0) { + goto rewind; + } args = 6; goto badcmd; case SVGA_CMD_RECT_ROP_COPY: /* deprecated */ + len -= 1; + if (len < 0) { + goto rewind; + } args = 7; goto badcmd; case SVGA_CMD_DEFINE_ALPHA_CURSOR: @@ -761,6 +769,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) args = 12; goto badcmd; case SVGA_CMD_FENCE: + len -= 1; + if (len < 0) { + goto rewind; + } args = 1; goto badcmd;
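Review bot: in the first hunk (@@ -731) the same four-line prologue `len -= 1; if (len < 0) { goto rewind; }` is pasted verbatim into both the SVGA_CMD_RECT_ROP_FILL and SVGA_CMD_RECT_ROP_COPY cases, and both cases end in `goto badcmd`. Unless some other path into `badcmd` already charges the command word, charging it once at the shared `badcmd` target together with the `args` words would fix every ignored command in one place and avoid the next deprecated command being added without it. If other `badcmd` callers do already subtract the command word themselves, a one-line comment above this block saying so would save the next reader the same question.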
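Review bot: in the second hunk (@@ -761) the `args = 12; goto badcmd;` path shown as context directly above `case SVGA_CMD_FENCE:` is left untouched while SVGA_CMD_FENCE gains the new `len -= 1` accounting. Both reach `badcmd`, so either that case already subtracts the command word in lines above the visible context, or it carries the same off-by-one this patch fixes for the three named commands. The commit message only lists the three commands changed; please state in the commit message or the cover letter why the neighbouring `badcmd` users need no change, so the fix is verifiably complete.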