Accepting request 132617 from home:a_faerber:branches:Virtualization
Fix buffer overflow in console VT100 emulation (bnc#777084 / CVE-2012-3515) OBS-URL: https://build.opensuse.org/request/show/132617 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=106
parent
a9a3f56504
commit
b29d656ff3
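--- a/0034-console-bounds-check-whenever-chang.patch
+++ b/0034-console-bounds-check-whenever-chang.patch
@@ -0,0 +1,126 @@
+From 0a57a3cd95bf6b0a3d4764129981f0938dbfaed3 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell@citrix.com>
+Date: Wed, 5 Sep 2012 12:19:51 +0200
+Subject: [PATCH] console: bounds check whenever changing the cursor due to an
+escape code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+[AF: fixed Coding Style; bnc#777084]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+---
+console.c | 58 +++++++++++++++++++++++++++++-----------------------------
+1 files changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index f5e8814..7fa6516 100644
+--- a/console.c
++++ b/console.c
+@@ -850,6 +850,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+update_xy(s, x, y);
+}
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+static void console_putchar(TextConsole *s, int ch)
+{
+TextCell *c;
+@@ -921,7 +941,9 @@ static void console_putchar(TextConsole *s, int ch)
+s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+}
+} else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS) {
++ s->nb_esc_params++;
++ }
+if (ch == ';')
+break;
+#ifdef DEBUG_CONSOLE
+@@ -935,59 +957,37 @@ static void console_putchar(TextConsole *s, int ch)
+if (s->esc_params[0] == 0) {
+s->esc_params[0] = 1;
+}
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+break;
+case 'B':
+/* move cursor down */
+if (s->esc_params[0] == 0) {
+s->esc_params[0] = 1;
+}
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+break;
+case 'C':
+/* move cursor right */
+if (s->esc_params[0] == 0) {
+s->esc_params[0] = 1;
+}
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+break;
+case 'D':
+/* move cursor left */
+if (s->esc_params[0] == 0) {
+s->esc_params[0] = 1;
+}
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+break;
+case 'G':
+/* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+break;
+case 'f':
+case 'H':
+/* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+break;
+case 'J':
+switch (s->esc_params[0]) {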
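Review bot: The cursor arithmetic at the new `set_cursor()` call sites (cases 'A' to 'D', 'G' and 'f'/'H') is still evaluated on an unbounded `s->esc_params[]` value before the clamp runs, so a long digit run can overflow the signed `int` in `s->esc_params[s->nb_esc_params] * 10 + ch - '0'` or in `s->y + s->esc_params[0]`, which is undefined behaviour even though the result is clamped afterwards. Saturating the parameter while it is parsed would remove that, for example by guarding the accumulation with `if (s->esc_params[s->nb_esc_params] < 100000)` (the bound is constructed for illustration). Separately, `set_cursor()` applies the upper clamp after the lower one, so a console whose `width` or `height` is 0 would get `-1` stored in `s->x` or `s->y`; whether that state is reachable is not visible here, and running the upper-bound checks before the `< 0` checks would keep the stored value non-negative either way. The body of `console_putchar()` starts and ends outside these hunks, so the guard on the `esc_params[]` write itself could not be checked.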
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 5 10:26:38 UTC 2012 - afaerber@suse.de
|
||||
|
||||
- add bounds checks in console VT100 emulation (bnc#777084,
|
||||
CVE-2012-3515)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 5 09:57:44 UTC 2012 - afaerber@suse.de
|
||||
|
||||
|
@ -57,6 +57,7 @@ Patch0030: 0030-linux-user-fix-statfs.patch.patch
|
||||
Patch0031: 0031-linux-user-XXX-disable-fiemap.patch.patch
|
||||
Patch0032: 0032-slirp-nooutgoing.patch.patch
|
||||
Patch0033: 0033-vnc-password-file-and-incoming-conn.patch
|
||||
Patch0034: 0034-console-bounds-check-whenever-chang.patch
|
||||
# this is to make lint happy
|
||||
Source300: rpmlintrc
|
||||
Source302: bridge.conf
|
||||
@ -201,6 +202,7 @@ run cross-architecture builds.
|
||||
%patch0031 -p1
|
||||
%patch0032 -p1
|
||||
%patch0033 -p1
|
||||
%patch0034 -p1
|
||||
|
||||
%build
|
||||
# build QEMU
|
||||
|