4c93ce54e7
Although not actually exploitable at the moment, a negative width/height could make datasize wrap around and potentially lead to buffer overflow. Since there is no reason a negative width/height is ever appropriate, modify QEMUCursor struct and cursor_alloc prototype to accept uint16_t. This protects us against accidentally introducing future bugs. Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reported-by: Jacek Halon <jacek.halon@gmail.com> Reported-by: Yair Mizrahi <yairh33@gmail.com> Reported-by: Elsayed El-Refa'ei <e.elrefaei99@gmail.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20230523163023.608121-1-mcascell@redhat.com>
6.9 KiB
6.9 KiB