Fix heap overflow in Cirrus emulation

Obtained from: qemu svn Security: http://www.vuxml.org/freebsd/07bb3bd2-a920-11dd-8503-0211060005df.html
svn path=/head/; revision=222341
2008-11-02 22:59:10 +00:00 · 2008-11-02 22:59:10 +00:00 · 6bc005ce59 · 2021-03-31 03:12:20 +00:00
commit 6bc005ce59
parent f512263469
4 changed files with 56 additions and 2 deletions
--- a/emulators/qemu-devel/Makefile
+++ b/emulators/qemu-devel/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	qemu
 PORTVERSION=	0.9.1s.20080620
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	emulators
 MASTER_SITES=	http://bellard.org/qemu/:release \
 		http://qemu-forum.ipi.fi/qemu-snapshots/:snapshot \
--- a/emulators/qemu-devel/files/patch-CVE-2008-4539
+++ b/emulators/qemu-devel/files/patch-CVE-2008-4539
@ -0,0 +1,27 @@
+Index: qemu/hw/cirrus_vga.c
+===================================================================
+--- trunk/hw/cirrus_vga.c	2008-11-01 00:53:30 UTC (rev 5586)
+++ trunk/hw/cirrus_vga.c	2008-11-01 00:53:39 UTC (rev 5587)
+@@ -785,15 +785,14 @@
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+    if (BLTUNSAFE(s))
+        return 0;
+
+     if (s->ds->dpy_copy) {
+ 	cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
+ 		       s->cirrus_blt_srcaddr - s->start_addr,
+ 		       s->cirrus_blt_width, s->cirrus_blt_height);
+     } else {
+-
+-    if (BLTUNSAFE(s))
+-        return 0;
+-
+ 	(*s->cirrus_rop) (s, s->vram_ptr +
+                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ 			  s->vram_ptr +
+
+
+
+
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	qemu
 PORTVERSION=	0.9.1
-PORTREVISION=	9
+PORTREVISION=	10
 CATEGORIES=	emulators
 MASTER_SITES=	http://bellard.org/qemu/:release \
 		http://qemu.org/:release \
--- a/emulators/qemu/files/patch-CVE-2008-4539
+++ b/emulators/qemu/files/patch-CVE-2008-4539
@ -0,0 +1,27 @@
+Index: qemu/hw/cirrus_vga.c
+===================================================================
+--- trunk/hw/cirrus_vga.c	2008-11-01 00:53:30 UTC (rev 5586)
+++ trunk/hw/cirrus_vga.c	2008-11-01 00:53:39 UTC (rev 5587)
+@@ -785,15 +785,14 @@
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+    if (BLTUNSAFE(s))
+        return 0;
+
+     if (s->ds->dpy_copy) {
+ 	cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
+ 		       s->cirrus_blt_srcaddr - s->start_addr,
+ 		       s->cirrus_blt_width, s->cirrus_blt_height);
+     } else {
+-
+-    if (BLTUNSAFE(s))
+-        return 0;
+-
+ 	(*s->cirrus_rop) (s, s->vram_ptr +
+                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ 			  s->vram_ptr +
+
+
+
+