+-- On Mon, 25 Dec 2017, linzhecheng wrote --+
| --- a/hw/display/vga.c
| +++ b/hw/display/vga.c
| @@ -1279,6 +1279,10 @@ static void vga_draw_text(VGACommonState *s, int full_update)
| cx_min = width;
| cx_max = -1;
| for(cx = 0; cx < width; cx++) {
| + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
| + printf("src is out of the range of vga ram.\n");
| + return;
| + }
| ch_attr = *(uint16_t *)src;
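Review bot: The added bound test is done in pointer space, `src + sizeof(uint16_t) > s->vram_ptr + s->vram_size`, and forming `src + 2` when `src` already sits at the last byte of vram (or beyond it) is undefined pointer arithmetic, so a compiler is entitled to assume the sum cannot pass the end of the object and fold the comparison away; compare offsets instead, `if ((size_t)(src - s->vram_ptr) + sizeof(uint16_t) > s->vram_size) {`. The guard also runs once per character cell inside the `cx` loop even though the only value that changes between iterations is `src` (its advance is not in the quoted lines); if the text origin and per-row stride are known before the loops, a single check that the whole visible text region fits within `vram_size` would cover every read and drop the per-cell test. Whichever form is kept, a one-line comment such as `/* guest-programmed start address/line offset can push the text buffer past the end of vram */` would record why the check exists, presuming that is the trigger. vga_draw_text starts and ends outside the quoted hunk, and the quoted hunk itself is cut short of its trailing context.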
This does fix the OOB access and segfault issue. Maybe it could 'break;' instead of 'return;' with no printf(...)? Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F