[vbox-dev] Bug report (major)

TwoThe twothe at web.de
Fri Apr 30 21:51:53 GMT 2010


Type: Bug
Severity: major
Component: VirtualBox OSE
Host: Ubuntu 64

In file src/VBox/Devices/Graphics/DevVGA.cpp:

   794    VGAState *s = (VGAState*)opaque;
   795    uint32_t val;
   796
   !797   if (s->vbe_index <= VBE_DISPI_INDEX_NB) {
   798      if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_GETCAPS) {
   799          switch(s->vbe_index) {
   800                /* XXX: do not hardcode ? */
   801            case VBE_DISPI_INDEX_XRES:
   802                val = VBE_DISPI_MAX_XRES;
   803                break;
   804            case VBE_DISPI_INDEX_YRES:
   805                val = VBE_DISPI_MAX_YRES;
   806                break;
   807            case VBE_DISPI_INDEX_BPP:
   808                val = VBE_DISPI_MAX_BPP;
   809                break;
   810            default:
   #811               val = s->vbe_regs[s->vbe_index];
   812                break;
   813          }

VGAState->vbe_regs is of size VBE_DISPI_INDEX_NB, but the index is checked with <= VBE_DISPI_INDEX_NB, causing an array overflow in line 811 (off-by-one).
The check in line 797 should be: if (s->vbe_index < VBE_DISPI_INDEX_NB)
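The following is an added stand-alone model of the off-by-one described above; it is not code from VirtualBox or from the bug reporter. The register indices, the struct layout (one two-byte field placed right after vbe_regs), the 0xFFFF return for rejected indices and the function names are assumptions made for the example. It reads the register file through the struct's bytes so that the one-past-the-end access is well defined in the model and shows exactly what a guest gets back: with the original `<=` check, index VBE_DISPI_INDEX_NB returns the neighbouring field; with the `<` check it is rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register indices modelled after the VBE DISPI interface. The numbering is
 * an assumption for this example; what matters for the bug is only that
 * VBE_DISPI_INDEX_NB is the number of registers, i.e. the array size. */
enum {
    VBE_DISPI_INDEX_ID = 0,
    VBE_DISPI_INDEX_XRES,
    VBE_DISPI_INDEX_YRES,
    VBE_DISPI_INDEX_BPP,
    VBE_DISPI_INDEX_ENABLE,
    VBE_DISPI_INDEX_BANK,
    VBE_DISPI_INDEX_VIRT_WIDTH,
    VBE_DISPI_INDEX_VIRT_HEIGHT,
    VBE_DISPI_INDEX_X_OFFSET,
    VBE_DISPI_INDEX_Y_OFFSET,
    VBE_DISPI_INDEX_NB          /* valid indices are 0 .. NB-1 */
};

/* Minimal stand-in for the device state (assumed layout, not VirtualBox's):
 * the register file plus one field that happens to follow it in memory. */
typedef struct {
    uint16_t vbe_index;                      /* guest-controlled */
    uint16_t vbe_regs[VBE_DISPI_INDEX_NB];   /* NB entries */
    uint16_t field_after_regs;               /* whatever the compiler lays out next */
} VGAState;

/* Guest-visible register read. use_fixed_check selects the corrected '<'
 * test instead of the original '<='. Rejected indices return 0xFFFF in this
 * model (the report does not show the real function's else branch). */
static uint16_t vbe_read_reg(const VGAState *s, bool use_fixed_check)
{
    bool in_range = use_fixed_check ? (s->vbe_index <  VBE_DISPI_INDEX_NB)
                                    : (s->vbe_index <= VBE_DISPI_INDEX_NB);
    if (!in_range)
        return 0xFFFF;

    /* Equivalent to vbe_regs[vbe_index], but done as a byte-offset copy
     * inside the struct so that the index == NB case is defined behaviour
     * in this model and shows which bytes the overflow actually exposes. */
    uint16_t val;
    memcpy(&val,
           (const uint8_t *)s + offsetof(VGAState, vbe_regs)
               + (size_t)s->vbe_index * sizeof(uint16_t),
           sizeof val);
    return val;
}

/* What a guest reads after programming index == VBE_DISPI_INDEX_NB. */
static uint16_t probe_one_past_end(bool use_fixed_check)
{
    VGAState s;
    memset(&s, 0, sizeof s);
    s.field_after_regs = 0xBEEF;       /* constructed marker value */
    s.vbe_index = VBE_DISPI_INDEX_NB;  /* one past the last valid index */
    return vbe_read_reg(&s, use_fixed_check);
}

/* Sanity check: the last valid register must still be readable after the fix. */
static uint16_t probe_last_reg(bool use_fixed_check)
{
    VGAState s;
    memset(&s, 0, sizeof s);
    s.vbe_regs[VBE_DISPI_INDEX_NB - 1] = 0x1234;  /* constructed value */
    s.vbe_index = VBE_DISPI_INDEX_NB - 1;
    return vbe_read_reg(&s, use_fixed_check);
}

int main(void)
{
    printf("index %d with '<=' check: 0x%04x (neighbouring field leaks)\n",
           VBE_DISPI_INDEX_NB, probe_one_past_end(false));
    printf("index %d with '<'  check: 0x%04x (rejected)\n",
           VBE_DISPI_INDEX_NB, probe_one_past_end(true));
    printf("index %d with '<'  check: 0x%04x (last register still readable)\n",
           VBE_DISPI_INDEX_NB - 1, probe_last_reg(true));
    return 0;
}
```

The same shape of check appears in any indexed register or port emulation, so the test to apply when reviewing such code is the one used here: the largest accepted index must be strictly less than the array length, and the boundary index must be exercised on both sides of the fix.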