[PATCH 0/2] virtio-gpu: fix overflow check when allocating 2d image

Marc-André Lureau posted 2 patches 4 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260311-cve-v1-0-f72b4c7c1ab2@redhat.com
Maintainers: "Michael S. Tsirkin" <mst@redhat.com>, "Alex Bennée" <alex.bennee@linaro.org>, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>, Dmitry Osipenko <dmitry.osipenko@collabora.com>
hw/display/virtio-gpu.c | 43 ++++++++++++++++++++++++++++++-------------
1 file changed, 30 insertions(+), 13 deletions(-)
[PATCH 0/2] virtio-gpu: fix overflow check when allocating 2d image
Posted by Marc-André Lureau 4 weeks ago
The calc_image_hostmem() comment says pixman_image_create_bits() checks for
overflow. However, this relied on the facts that "bits" was NULL and it
performed it when it was introduced. Since commit 9462ff4695aa, the "bits"
argument can be provided and the check is no longer applied. This can lead to
OOB access.

Thanks to Trend Micro's Zero Day Initiative for identifying the vulnerability.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
Marc-André Lureau (2):
      virtio-gpu: fix overflow check when allocating 2d image
      virtio-gpu: use computed rowstride instead of deriving it from hostmem

 hw/display/virtio-gpu.c | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)
---
base-commit: ae56950eac7b61b1abf42003329ee0f3ce111711
change-id: 20260311-cve-af8a6cabf312

Best regards,
-- 
Marc-André Lureau <marcandre.lureau@redhat.com>
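The cover letter's point is that the size of a 2D resource used to be protected only indirectly, by pixman_image_create_bits() refusing to create an image whose width * bpp or height * stride overflows, and that this protection silently disappeared once the "bits" buffer started being passed in. The following is an added illustration of that bug class and of an explicit check, written for this page and not taken from QEMU or from the series: the pixman-style stride rounding (rows padded to whole 32-bit words), the 32-bit arithmetic, the `max_hostmem` cap and the function names are all assumptions. The checked variant also hands back the row stride it validated, which is the idea behind the second patch's "use computed rowstride instead of deriving it from hostmem".

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration, not QEMU's calc_image_hostmem(): the size of a
 * 2D image is derived pixman-style, i.e. the row is rounded up to whole
 * 32-bit words, then multiplied by the height. Nothing here checks the
 * 32-bit arithmetic, so a large width wraps around and yields a size that
 * is far smaller than the pixel data later written through it.
 */
uint32_t calc_image_hostmem_unchecked(uint32_t bpp, uint32_t width,
                                      uint32_t height)
{
    uint32_t stride = ((width * bpp + 0x1f) >> 5) * sizeof(uint32_t);

    return height * stride;
}

/*
 * Checked variant: every intermediate is tested with the GCC/Clang
 * __builtin_*_overflow helpers, and the caller also passes the maximum
 * amount of host memory it is willing to back an image with (an assumed
 * policy knob, not something the series defines). Both the byte count and
 * the computed row stride are returned, so a caller uses the stride it
 * validated instead of re-deriving it from the total.
 */
bool calc_image_hostmem_checked(uint32_t bpp, uint32_t width, uint32_t height,
                                size_t max_hostmem,
                                size_t *hostmem, size_t *rowstride)
{
    uint32_t row_bits, stride;
    size_t total;

    if (bpp == 0 || width == 0 || height == 0) {
        return false;
    }
    /* width * bpp, then + 31 for the rounding, must both fit in 32 bits */
    if (__builtin_mul_overflow(width, bpp, &row_bits) ||
        __builtin_add_overflow(row_bits, 0x1fu, &row_bits)) {
        return false;
    }
    /* row_bits >> 5 is below 2^27, so the * 4 cannot overflow here */
    stride = (row_bits >> 5) * (uint32_t)sizeof(uint32_t);
    if (__builtin_mul_overflow((size_t)height, (size_t)stride, &total) ||
        total > max_hostmem) {
        return false;
    }
    *hostmem = total;
    *rowstride = stride;
    return true;
}

int main(void)
{
    /* constructed sample resource parameters */
    struct { uint32_t bpp, width, height; } samples[] = {
        { 32, 64, 64 },          /* ordinary 64x64 32-bpp image */
        { 32, 0x08000000u, 16 }, /* width * bpp == 2^32: wraps to zero */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t mem = 0, stride = 0;
        bool ok = calc_image_hostmem_checked(samples[i].bpp, samples[i].width,
                                             samples[i].height,
                                             (size_t)256 << 20, &mem, &stride);

        printf("%" PRIu32 "x%" PRIu32 "@%" PRIu32
               ": unchecked=%" PRIu32 " checked=%s mem=%zu stride=%zu\n",
               samples[i].width, samples[i].height, samples[i].bpp,
               calc_image_hostmem_unchecked(samples[i].bpp, samples[i].width,
                                            samples[i].height),
               ok ? "ok" : "rejected", mem, stride);
    }
    return 0;
}
```

The second sample is the failure mode the cover letter warns about: the unchecked computation returns 0 bytes for a resource that is 2^27 pixels wide, so whatever is allocated from that figure is smaller than the region later addressed by width and height, while the checked variant rejects the same parameters before any allocation happens.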


Re: [PATCH 0/2] virtio-gpu: fix overflow check when allocating 2d image
Posted by Akihiko Odaki 3 weeks, 6 days ago
On 2026/03/11 6:26, Marc-André Lureau wrote:
> The calc_image_hostmem() comment says pixman_image_create_bits() checks for
> overflow. However, this relied on the facts that "bits" was NULL and it
> performed it when it was introduced. Since commit 9462ff4695aa, the "bits"
> argument can be provided and the check is no longer applied. This can lead to
> OOB access.
> 
> Thanks to Trend Micro's Zero Day Initiative for identifying the vulnerability.
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

For the whole series,

Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>