[vbox-dev] Bug report (major)

Frank Mehnert Frank.Mehnert at Sun.COM
Sat May 1 07:48:19 GMT 2010


On Friday 30 April 2010, TwoThe wrote:
> Type: Bug
> Severity: major
> Component: VirtualBox OSE
> Host: Ubuntu 64
>
> In file src/VBox/Devices/Graphics/DevVGA.cpp:
>
>    794    VGAState *s = (VGAState*)opaque;
>    795    uint32_t val;
>    796
>    !797   if (s->vbe_index <= VBE_DISPI_INDEX_NB) {
>    798      if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_GETCAPS) {
>    799          switch(s->vbe_index) {
>    800                /* XXX: do not hardcode ? */
>    801            case VBE_DISPI_INDEX_XRES:
>    802                val = VBE_DISPI_MAX_XRES;
>    803                break;
>    804            case VBE_DISPI_INDEX_YRES:
>    805                val = VBE_DISPI_MAX_YRES;
>    806                break;
>    807            case VBE_DISPI_INDEX_BPP:
>    808                val = VBE_DISPI_MAX_BPP;
>    809                break;
>    810            default:
>    #811               val = s->vbe_regs[s->vbe_index];
>    812                break;
>    813          }
>
> VGAState->vbe_regs is of size VBE_DISPI_INDEX_NB, but the index is checked
> <= VBE_DISPI_INDEX_NB causing an array overflow in line 811 (off by one).
> The check in line 797 should be if (s->vbe_index < VBE_DISPI_INDEX_NB)

Confirmed. Thanks for this report!

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert

Sitz der Gesellschaft:
Sun Microsystems GmbH, Sonnenallee 1, 85551 Kirchheim-Heimstetten
Amtsgericht München: HRB 161028
Geschäftsführer: Jürgen Kunz
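The off-by-one described in the report, modelled as an added C example that is not VirtualBox's own code: the value of VBE_DISPI_INDEX_NB and the VgaModel struct are assumptions, while the two bounds checks are the quoted one (`<=`) and the corrected one (`<`). The hardened reader rejects an out-of-range index instead of reading past `vbe_regs`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the VBE register block; the constant's value is
 * assumed, only the <= versus < comparison matters for the bug. */
#define VBE_DISPI_INDEX_NB 0x0b

typedef struct {
    uint16_t vbe_index;
    uint16_t vbe_regs[VBE_DISPI_INDEX_NB]; /* valid indices: 0 .. NB-1 */
    uint16_t after_regs;  /* sentinel: what an index equal to NB lands on */
} VgaModel;

/* The check as quoted from line 797 of the report: admits index == NB. */
bool index_ok_buggy(uint16_t index) { return index <= VBE_DISPI_INDEX_NB; }

/* The corrected check the report proposes. */
bool index_ok_fixed(uint16_t index) { return index < VBE_DISPI_INDEX_NB; }

/* True when the element offset for `index` lies at or beyond the end of
 * vbe_regs; computed with sizeof only, so nothing is dereferenced. */
bool reaches_past_regs(uint16_t index) {
    return (size_t)index * sizeof(uint16_t) >= sizeof(((VgaModel *)0)->vbe_regs);
}

/* Hardened register read: refuses an invalid index rather than reading
 * out of bounds; the caller can then return a default value. */
bool vbe_read_reg(const VgaModel *s, uint16_t *out) {
    if (!index_ok_fixed(s->vbe_index))
        return false;
    *out = s->vbe_regs[s->vbe_index];
    return true;
}

/* Counts every 16-bit index that a given check admits although it lies
 * outside the array: 1 for the buggy check, 0 for the fixed one. */
int count_oob_accepted(bool (*check)(uint16_t)) {
    int n = 0;
    for (uint32_t i = 0; i <= UINT16_MAX; i++)
        if (check((uint16_t)i) && reaches_past_regs((uint16_t)i))
            n++;
    return n;
}

int main(void) {
    printf("buggy check admits %d out-of-bounds index(es), fixed check admits %d\n",
           count_oob_accepted(index_ok_buggy), count_oob_accepted(index_ok_fixed));
    return 0;
}
```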