References: bsc#962335 CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Signed-off-by: Michael S. Tsirkin <address@hidden>
---
 hw/display/ssd0323.c | 3 +++
 1 file changed, 3 insertions(+)

Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ssd0323.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ssd0323.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ssd0323.c
@@ -304,6 +304,9 @@ static int ssd0323_load(QEMUFile *f, voi
         return -EINVAL;
 
     s->cmd_len = qemu_get_be32(f);
+    if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
+        return -EINVAL;
+    }
     s->cmd = qemu_get_be32(f);
     for (i = 0; i < 8; i++)
         s->cmd_data[i] = qemu_get_be32(f);