hw/display/artist: Fix out-of-buffer accesses found while fuzzing

[PATCH 3/3] hw/display/artist: Check offset in block_move to avoid buffer over-read

Posted by Philippe Mathieu-Daudé 5 years, 8 months ago

Invalid I/O writes can craft an offset out of the vram_buffer
range.

We avoid:

  Program terminated with signal SIGSEGV, Segmentation fault.
  519                 artist_rop8(s, buf, dst + column, buf->data[src + column]);
  (gdb) bt
  #0  0x000055fa83b05e0a in block_move (s=0x55fa8647e510, source_x=0, source_y=0, dest_x=255, dest_y=-5, width=22, height=16705) at hw/display/artist.c:519
  #1  0x000055fa83b071da in artist_reg_write (opaque=0x55fa8647e510, addr=1051392, val=16777211, size=4) at hw/display/artist.c:954

Reported-by: LLVM libFuzzer
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/display/artist.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/display/artist.c b/hw/display/artist.c
index 6f61b85a24..320e3c5050 100644
--- a/hw/display/artist.c
+++ b/hw/display/artist.c
@@ -513,6 +513,11 @@ static void block_move(ARTISTState *s, int source_x, int source_y, int dest_x,
         dst = dest_x + ((line + dest_y) * buf->width);
 
         for (column = startcolumn; column != endcolumn; column += columnincr) {
+            if ((int)src + column < 0 || src + column >= buf->size) {
+                qemu_log_mask(LOG_GUEST_ERROR,
+                              "block_move src:%d column:%d\n", src, column);
+                continue; /* FIXME */
+            }
             if (dst + column > buf->size || src + column > buf->size) {
                 continue;
             }
-- 
2.21.3

[PATCH 1/3] hw/display/artist: Check offset in draw_line to avoid buffer over-run
[PATCH 2/3] hw/display/artist: Refactor artist_rop8() to avoid buffer over-run
[PATCH 3/3] hw/display/artist: Check offset in block_move to avoid buffer over-read