Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc17
-rw-r--r--meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch61
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch1018
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch97
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch93
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch64
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch64
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch59
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch64
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch46
15 files changed, 1815 insertions, 1 deletions
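--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -27,9 +27,23 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
  file://0009-Fix-webkitgtk-builds.patch \
  file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
+ file://0011-linux-user-remove-host-stime-syscall.patch \
  file://CVE-2019-15890.patch \
  file://CVE-2019-12068.patch \
- "
+ file://CVE-2020-1711.patch \
+ file://CVE-2019-20382.patch \
+ file://CVE-2020-7039-1.patch \
+ file://CVE-2020-7039-2.patch \
+ file://CVE-2020-7039-3.patch \
+ file://CVE-2020-7211.patch \
+ file://CVE-2020-11869.patch \
+ file://CVE-2020-13765.patch \
+ file://CVE-2020-10702.patch \
+ file://CVE-2020-16092.patch \
+ file://CVE-2020-10756.patch \
+ file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
+ "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
 SRC_URI[md5sum] = "cdf2b5ca52b9abac9bacb5842fa420f8"
@@ -164,6 +178,7 @@ PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
 # usbredir will be in meta-networking layer
 PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
 PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
+PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"
 
 INSANE_SKIP_${PN} = "arch"
 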
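Review bot: The `PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"` line in the second hunk is an unrelated build-option addition folded into a commit that otherwise adds CVE backports and the stime patch; keeping it in its own commit makes the security set easier to audit, cherry-pick into stable branches and revert independently. As far as this hunk shows it only declares the option, so whether glusterfs support is actually compiled in depends on the recipe's PACKAGECONFIG default, which lies outside the hunk. In the first hunk the CVE entries are appended in neither numeric nor chronological order (CVE-2020-1711 before CVE-2019-20382, CVE-2020-10702 after CVE-2020-13765); sorting them would make it easier to see at a glance which advisories are covered as the list grows. The SRC_URI assignment these entries belong to opens before the hunk begins.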
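--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch
@@ -0,0 +1,61 @@
+From 0f1f2d4596aee037d3ccbcf10592466daa54107f Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <laurent@vivier.eu>
+Date: Tue, 12 Nov 2019 15:25:56 +0100
+Subject: [PATCH] linux-user: remove host stime() syscall
+
+stime() has been withdrawn from glibc
+(12cbde1dae6f "Use clock_settime to implement stime; withdraw stime.")
+
+Implement the target stime() syscall using host
+clock_settime(CLOCK_REALTIME, ...) as it is done internally in glibc.
+
+Tested qemu-ppc/x86_64 with:
+
+ #include <time.h>
+ #include <stdio.h>
+
+ int main(void)
+ {
+ time_t t;
+ int ret;
+
+ /* date -u -d"2019-11-12T15:11:00" "+%s" */
+ t = 1573571460;
+ ret = stime(&t);
+ printf("ret %d\n", ret);
+ return 0;
+ }
+
+ # date; ./stime; date
+ Tue Nov 12 14:18:32 UTC 2019
+ ret 0
+ Tue Nov 12 15:11:00 UTC 2019
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0f1f2d4596aee037d3ccbcf10592466daa54107f]
+Buglink: https://bugs.launchpad.net/qemu/+bug/1852115
+Reported-by: Cole Robinson <crobinso@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20191112142556.6335-1-laurent@vivier.eu>
+---
+ linux-user/syscall.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -7651,10 +7651,12 @@ static abi_long do_syscall1(void *cpu_en
+ #ifdef TARGET_NR_stime /* not on alpha */
+ case TARGET_NR_stime:
+ {
+- time_t host_time;
+- if (get_user_sal(host_time, arg1))
++ struct timespec ts;
++ ts.tv_nsec = 0;
++ if (get_user_sal(ts.tv_sec, arg1)) {
+ return -TARGET_EFAULT;
+- return get_errno(stime(&host_time));
++ }
++ return get_errno(clock_settime(CLOCK_REALTIME, &ts));
+ }
+ #endif
+ #ifdef TARGET_NR_alarm /* not on alpha */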
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch
new file mode 100644
index 0000000000..183d100398
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch
@@ -0,0 +1,1018 @@
1From 6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0 Mon Sep 17 00:00:00 2001
2From: Li Qiang <liq3ea@163.com>
3Date: Sat, 31 Aug 2019 08:39:22 -0700
4Subject: [PATCH] vnc: fix memory leak when vnc disconnect
5
6Currently when qemu receives a vnc connect, it creates a 'VncState' to
7represent this connection. In 'vnc_worker_thread_loop' it creates a
8local 'VncState'. The connection 'VcnState' and local 'VncState' exchange
9data in 'vnc_async_encoding_start' and 'vnc_async_encoding_end'.
10In 'zrle_compress_data' it calls 'deflateInit2' to allocate the libz library
11opaque data. The 'VncState' used in 'zrle_compress_data' is the local
12'VncState'. In 'vnc_zrle_clear' it calls 'deflateEnd' to free the libz
13library opaque data. The 'VncState' used in 'vnc_zrle_clear' is the connection
14'VncState'. In currently implementation there will be a memory leak when the
15vnc disconnect. Following is the asan output backtrack:
16
17Direct leak of 29760 byte(s) in 5 object(s) allocated from:
18 0 0xffffa67ef3c3 in __interceptor_calloc (/lib64/libasan.so.4+0xd33c3)
19 1 0xffffa65071cb in g_malloc0 (/lib64/libglib-2.0.so.0+0x571cb)
20 2 0xffffa5e968f7 in deflateInit2_ (/lib64/libz.so.1+0x78f7)
21 3 0xaaaacec58613 in zrle_compress_data ui/vnc-enc-zrle.c:87
22 4 0xaaaacec58613 in zrle_send_framebuffer_update ui/vnc-enc-zrle.c:344
23 5 0xaaaacec34e77 in vnc_send_framebuffer_update ui/vnc.c:919
24 6 0xaaaacec5e023 in vnc_worker_thread_loop ui/vnc-jobs.c:271
25 7 0xaaaacec5e5e7 in vnc_worker_thread ui/vnc-jobs.c:340
26 8 0xaaaacee4d3c3 in qemu_thread_start util/qemu-thread-posix.c:502
27 9 0xffffa544e8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
28 10 0xffffa53965cb in thread_start (/lib64/libc.so.6+0xd55cb)
29
30This is because the opaque allocated in 'deflateInit2' is not freed in
31'deflateEnd'. The reason is that the 'deflateEnd' calls 'deflateStateCheck'
32and in the latter will check whether 's->strm != strm'(libz's data structure).
33This check will be true so in 'deflateEnd' it just return 'Z_STREAM_ERROR' and
34not free the data allocated in 'deflateInit2'.
35
36The reason this happens is that the 'VncState' contains the whole 'VncZrle',
37so when calling 'deflateInit2', the 's->strm' will be the local address.
38So 's->strm != strm' will be true.
39
40To fix this issue, we need to make 'zrle' of 'VncState' to be a pointer.
41Then the connection 'VncState' and local 'VncState' exchange mechanism will
42work as expection. The 'tight' of 'VncState' has the same issue, let's also turn
43it to a pointer.
44
45Reported-by: Ying Fang <fangying1@huawei.com>
46Signed-off-by: Li Qiang <liq3ea@163.com>
47Message-id: 20190831153922.121308-1-liq3ea@163.com
48Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
49
50Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0]
51CVE: CVE-2019-20382
52Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
53
54---
55 ui/vnc-enc-tight.c | 219 +++++++++++++++++++++++++-------------------------
56 ui/vnc-enc-zlib.c | 11 +--
57 ui/vnc-enc-zrle.c | 68 ++++++++--------
58 ui/vnc-enc-zrle.inc.c | 2 +-
59 ui/vnc.c | 28 ++++---
60 ui/vnc.h | 4 +-
61 6 files changed, 170 insertions(+), 162 deletions(-)
62
63diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
64index 9084c22..1e08518 100644
65--- a/ui/vnc-enc-tight.c
66+++ b/ui/vnc-enc-tight.c
67@@ -116,7 +116,7 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
68
69 static bool tight_can_send_png_rect(VncState *vs, int w, int h)
70 {
71- if (vs->tight.type != VNC_ENCODING_TIGHT_PNG) {
72+ if (vs->tight->type != VNC_ENCODING_TIGHT_PNG) {
73 return false;
74 }
75
76@@ -144,7 +144,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
77 int pixels = 0;
78 int pix, left[3];
79 unsigned int errors;
80- unsigned char *buf = vs->tight.tight.buffer;
81+ unsigned char *buf = vs->tight->tight.buffer;
82
83 /*
84 * If client is big-endian, color samples begin from the second
85@@ -215,7 +215,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
86 int pixels = 0; \
87 int sample, sum, left[3]; \
88 unsigned int errors; \
89- unsigned char *buf = vs->tight.tight.buffer; \
90+ unsigned char *buf = vs->tight->tight.buffer; \
91 \
92 endian = 0; /* FIXME */ \
93 \
94@@ -296,8 +296,8 @@ static int
95 tight_detect_smooth_image(VncState *vs, int w, int h)
96 {
97 unsigned int errors;
98- int compression = vs->tight.compression;
99- int quality = vs->tight.quality;
100+ int compression = vs->tight->compression;
101+ int quality = vs->tight->quality;
102
103 if (!vs->vd->lossy) {
104 return 0;
105@@ -309,7 +309,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
106 return 0;
107 }
108
109- if (vs->tight.quality != (uint8_t)-1) {
110+ if (vs->tight->quality != (uint8_t)-1) {
111 if (w * h < VNC_TIGHT_JPEG_MIN_RECT_SIZE) {
112 return 0;
113 }
114@@ -320,9 +320,9 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
115 }
116
117 if (vs->client_pf.bytes_per_pixel == 4) {
118- if (vs->tight.pixel24) {
119+ if (vs->tight->pixel24) {
120 errors = tight_detect_smooth_image24(vs, w, h);
121- if (vs->tight.quality != (uint8_t)-1) {
122+ if (vs->tight->quality != (uint8_t)-1) {
123 return (errors < tight_conf[quality].jpeg_threshold24);
124 }
125 return (errors < tight_conf[compression].gradient_threshold24);
126@@ -352,7 +352,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
127 uint##bpp##_t c0, c1, ci; \
128 int i, n0, n1; \
129 \
130- data = (uint##bpp##_t *)vs->tight.tight.buffer; \
131+ data = (uint##bpp##_t *)vs->tight->tight.buffer; \
132 \
133 c0 = data[0]; \
134 i = 1; \
135@@ -423,9 +423,9 @@ static int tight_fill_palette(VncState *vs, int x, int y,
136 {
137 int max;
138
139- max = count / tight_conf[vs->tight.compression].idx_max_colors_divisor;
140+ max = count / tight_conf[vs->tight->compression].idx_max_colors_divisor;
141 if (max < 2 &&
142- count >= tight_conf[vs->tight.compression].mono_min_rect_size) {
143+ count >= tight_conf[vs->tight->compression].mono_min_rect_size) {
144 max = 2;
145 }
146 if (max >= 256) {
147@@ -558,7 +558,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
148 int x, y, c;
149
150 buf32 = (uint32_t *)buf;
151- memset(vs->tight.gradient.buffer, 0, w * 3 * sizeof(int));
152+ memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int));
153
154 if (1 /* FIXME */) {
155 shift[0] = vs->client_pf.rshift;
156@@ -575,7 +575,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
157 upper[c] = 0;
158 here[c] = 0;
159 }
160- prev = (int *)vs->tight.gradient.buffer;
161+ prev = (int *)vs->tight->gradient.buffer;
162 for (x = 0; x < w; x++) {
163 pix32 = *buf32++;
164 for (c = 0; c < 3; c++) {
165@@ -615,7 +615,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
166 int prediction; \
167 int x, y, c; \
168 \
169- memset (vs->tight.gradient.buffer, 0, w * 3 * sizeof(int)); \
170+ memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int)); \
171 \
172 endian = 0; /* FIXME */ \
173 \
174@@ -631,7 +631,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
175 upper[c] = 0; \
176 here[c] = 0; \
177 } \
178- prev = (int *)vs->tight.gradient.buffer; \
179+ prev = (int *)vs->tight->gradient.buffer; \
180 for (x = 0; x < w; x++) { \
181 pix = *buf; \
182 if (endian) { \
183@@ -785,7 +785,7 @@ static void extend_solid_area(VncState *vs, int x, int y, int w, int h,
184 static int tight_init_stream(VncState *vs, int stream_id,
185 int level, int strategy)
186 {
187- z_streamp zstream = &vs->tight.stream[stream_id];
188+ z_streamp zstream = &vs->tight->stream[stream_id];
189
190 if (zstream->opaque == NULL) {
191 int err;
192@@ -803,15 +803,15 @@ static int tight_init_stream(VncState *vs, int stream_id,
193 return -1;
194 }
195
196- vs->tight.levels[stream_id] = level;
197+ vs->tight->levels[stream_id] = level;
198 zstream->opaque = vs;
199 }
200
201- if (vs->tight.levels[stream_id] != level) {
202+ if (vs->tight->levels[stream_id] != level) {
203 if (deflateParams(zstream, level, strategy) != Z_OK) {
204 return -1;
205 }
206- vs->tight.levels[stream_id] = level;
207+ vs->tight->levels[stream_id] = level;
208 }
209 return 0;
210 }
211@@ -839,11 +839,11 @@ static void tight_send_compact_size(VncState *vs, size_t len)
212 static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
213 int level, int strategy)
214 {
215- z_streamp zstream = &vs->tight.stream[stream_id];
216+ z_streamp zstream = &vs->tight->stream[stream_id];
217 int previous_out;
218
219 if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) {
220- vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset);
221+ vnc_write(vs, vs->tight->tight.buffer, vs->tight->tight.offset);
222 return bytes;
223 }
224
225@@ -852,13 +852,13 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
226 }
227
228 /* reserve memory in output buffer */
229- buffer_reserve(&vs->tight.zlib, bytes + 64);
230+ buffer_reserve(&vs->tight->zlib, bytes + 64);
231
232 /* set pointers */
233- zstream->next_in = vs->tight.tight.buffer;
234- zstream->avail_in = vs->tight.tight.offset;
235- zstream->next_out = vs->tight.zlib.buffer + vs->tight.zlib.offset;
236- zstream->avail_out = vs->tight.zlib.capacity - vs->tight.zlib.offset;
237+ zstream->next_in = vs->tight->tight.buffer;
238+ zstream->avail_in = vs->tight->tight.offset;
239+ zstream->next_out = vs->tight->zlib.buffer + vs->tight->zlib.offset;
240+ zstream->avail_out = vs->tight->zlib.capacity - vs->tight->zlib.offset;
241 previous_out = zstream->avail_out;
242 zstream->data_type = Z_BINARY;
243
244@@ -868,14 +868,14 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
245 return -1;
246 }
247
248- vs->tight.zlib.offset = vs->tight.zlib.capacity - zstream->avail_out;
249+ vs->tight->zlib.offset = vs->tight->zlib.capacity - zstream->avail_out;
250 /* ...how much data has actually been produced by deflate() */
251 bytes = previous_out - zstream->avail_out;
252
253 tight_send_compact_size(vs, bytes);
254- vnc_write(vs, vs->tight.zlib.buffer, bytes);
255+ vnc_write(vs, vs->tight->zlib.buffer, bytes);
256
257- buffer_reset(&vs->tight.zlib);
258+ buffer_reset(&vs->tight->zlib);
259
260 return bytes;
261 }
262@@ -927,16 +927,17 @@ static int send_full_color_rect(VncState *vs, int x, int y, int w, int h)
263
264 vnc_write_u8(vs, stream << 4); /* no flushing, no filter */
265
266- if (vs->tight.pixel24) {
267- tight_pack24(vs, vs->tight.tight.buffer, w * h, &vs->tight.tight.offset);
268+ if (vs->tight->pixel24) {
269+ tight_pack24(vs, vs->tight->tight.buffer, w * h,
270+ &vs->tight->tight.offset);
271 bytes = 3;
272 } else {
273 bytes = vs->client_pf.bytes_per_pixel;
274 }
275
276 bytes = tight_compress_data(vs, stream, w * h * bytes,
277- tight_conf[vs->tight.compression].raw_zlib_level,
278- Z_DEFAULT_STRATEGY);
279+ tight_conf[vs->tight->compression].raw_zlib_level,
280+ Z_DEFAULT_STRATEGY);
281
282 return (bytes >= 0);
283 }
284@@ -947,14 +948,14 @@ static int send_solid_rect(VncState *vs)
285
286 vnc_write_u8(vs, VNC_TIGHT_FILL << 4); /* no flushing, no filter */
287
288- if (vs->tight.pixel24) {
289- tight_pack24(vs, vs->tight.tight.buffer, 1, &vs->tight.tight.offset);
290+ if (vs->tight->pixel24) {
291+ tight_pack24(vs, vs->tight->tight.buffer, 1, &vs->tight->tight.offset);
292 bytes = 3;
293 } else {
294 bytes = vs->client_pf.bytes_per_pixel;
295 }
296
297- vnc_write(vs, vs->tight.tight.buffer, bytes);
298+ vnc_write(vs, vs->tight->tight.buffer, bytes);
299 return 1;
300 }
301
302@@ -963,7 +964,7 @@ static int send_mono_rect(VncState *vs, int x, int y,
303 {
304 ssize_t bytes;
305 int stream = 1;
306- int level = tight_conf[vs->tight.compression].mono_zlib_level;
307+ int level = tight_conf[vs->tight->compression].mono_zlib_level;
308
309 #ifdef CONFIG_VNC_PNG
310 if (tight_can_send_png_rect(vs, w, h)) {
311@@ -991,26 +992,26 @@ static int send_mono_rect(VncState *vs, int x, int y,
312 uint32_t buf[2] = {bg, fg};
313 size_t ret = sizeof (buf);
314
315- if (vs->tight.pixel24) {
316+ if (vs->tight->pixel24) {
317 tight_pack24(vs, (unsigned char*)buf, 2, &ret);
318 }
319 vnc_write(vs, buf, ret);
320
321- tight_encode_mono_rect32(vs->tight.tight.buffer, w, h, bg, fg);
322+ tight_encode_mono_rect32(vs->tight->tight.buffer, w, h, bg, fg);
323 break;
324 }
325 case 2:
326 vnc_write(vs, &bg, 2);
327 vnc_write(vs, &fg, 2);
328- tight_encode_mono_rect16(vs->tight.tight.buffer, w, h, bg, fg);
329+ tight_encode_mono_rect16(vs->tight->tight.buffer, w, h, bg, fg);
330 break;
331 default:
332 vnc_write_u8(vs, bg);
333 vnc_write_u8(vs, fg);
334- tight_encode_mono_rect8(vs->tight.tight.buffer, w, h, bg, fg);
335+ tight_encode_mono_rect8(vs->tight->tight.buffer, w, h, bg, fg);
336 break;
337 }
338- vs->tight.tight.offset = bytes;
339+ vs->tight->tight.offset = bytes;
340
341 bytes = tight_compress_data(vs, stream, bytes, level, Z_DEFAULT_STRATEGY);
342 return (bytes >= 0);
343@@ -1040,7 +1041,7 @@ static void write_palette(int idx, uint32_t color, void *opaque)
344 static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
345 {
346 int stream = 3;
347- int level = tight_conf[vs->tight.compression].gradient_zlib_level;
348+ int level = tight_conf[vs->tight->compression].gradient_zlib_level;
349 ssize_t bytes;
350
351 if (vs->client_pf.bytes_per_pixel == 1) {
352@@ -1050,23 +1051,23 @@ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
353 vnc_write_u8(vs, (stream | VNC_TIGHT_EXPLICIT_FILTER) << 4);
354 vnc_write_u8(vs, VNC_TIGHT_FILTER_GRADIENT);
355
356- buffer_reserve(&vs->tight.gradient, w * 3 * sizeof (int));
357+ buffer_reserve(&vs->tight->gradient, w * 3 * sizeof(int));
358
359- if (vs->tight.pixel24) {
360- tight_filter_gradient24(vs, vs->tight.tight.buffer, w, h);
361+ if (vs->tight->pixel24) {
362+ tight_filter_gradient24(vs, vs->tight->tight.buffer, w, h);
363 bytes = 3;
364 } else if (vs->client_pf.bytes_per_pixel == 4) {
365- tight_filter_gradient32(vs, (uint32_t *)vs->tight.tight.buffer, w, h);
366+ tight_filter_gradient32(vs, (uint32_t *)vs->tight->tight.buffer, w, h);
367 bytes = 4;
368 } else {
369- tight_filter_gradient16(vs, (uint16_t *)vs->tight.tight.buffer, w, h);
370+ tight_filter_gradient16(vs, (uint16_t *)vs->tight->tight.buffer, w, h);
371 bytes = 2;
372 }
373
374- buffer_reset(&vs->tight.gradient);
375+ buffer_reset(&vs->tight->gradient);
376
377 bytes = w * h * bytes;
378- vs->tight.tight.offset = bytes;
379+ vs->tight->tight.offset = bytes;
380
381 bytes = tight_compress_data(vs, stream, bytes,
382 level, Z_FILTERED);
383@@ -1077,7 +1078,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
384 int w, int h, VncPalette *palette)
385 {
386 int stream = 2;
387- int level = tight_conf[vs->tight.compression].idx_zlib_level;
388+ int level = tight_conf[vs->tight->compression].idx_zlib_level;
389 int colors;
390 ssize_t bytes;
391
392@@ -1104,12 +1105,12 @@ static int send_palette_rect(VncState *vs, int x, int y,
393 palette_iter(palette, write_palette, &priv);
394 vnc_write(vs, header, sizeof(header));
395
396- if (vs->tight.pixel24) {
397+ if (vs->tight->pixel24) {
398 tight_pack24(vs, vs->output.buffer + old_offset, colors, &offset);
399 vs->output.offset = old_offset + offset;
400 }
401
402- tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
403+ tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, palette);
404 break;
405 }
406 case 2:
407@@ -1119,7 +1120,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
408
409 palette_iter(palette, write_palette, &priv);
410 vnc_write(vs, header, sizeof(header));
411- tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette);
412+ tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, palette);
413 break;
414 }
415 default:
416@@ -1127,7 +1128,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
417 break;
418 }
419 bytes = w * h;
420- vs->tight.tight.offset = bytes;
421+ vs->tight->tight.offset = bytes;
422
423 bytes = tight_compress_data(vs, stream, bytes,
424 level, Z_DEFAULT_STRATEGY);
425@@ -1146,7 +1147,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
426 static void jpeg_init_destination(j_compress_ptr cinfo)
427 {
428 VncState *vs = cinfo->client_data;
429- Buffer *buffer = &vs->tight.jpeg;
430+ Buffer *buffer = &vs->tight->jpeg;
431
432 cinfo->dest->next_output_byte = (JOCTET *)buffer->buffer + buffer->offset;
433 cinfo->dest->free_in_buffer = (size_t)(buffer->capacity - buffer->offset);
434@@ -1156,7 +1157,7 @@ static void jpeg_init_destination(j_compress_ptr cinfo)
435 static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo)
436 {
437 VncState *vs = cinfo->client_data;
438- Buffer *buffer = &vs->tight.jpeg;
439+ Buffer *buffer = &vs->tight->jpeg;
440
441 buffer->offset = buffer->capacity;
442 buffer_reserve(buffer, 2048);
443@@ -1168,7 +1169,7 @@ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo)
444 static void jpeg_term_destination(j_compress_ptr cinfo)
445 {
446 VncState *vs = cinfo->client_data;
447- Buffer *buffer = &vs->tight.jpeg;
448+ Buffer *buffer = &vs->tight->jpeg;
449
450 buffer->offset = buffer->capacity - cinfo->dest->free_in_buffer;
451 }
452@@ -1187,7 +1188,7 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality)
453 return send_full_color_rect(vs, x, y, w, h);
454 }
455
456- buffer_reserve(&vs->tight.jpeg, 2048);
457+ buffer_reserve(&vs->tight->jpeg, 2048);
458
459 cinfo.err = jpeg_std_error(&jerr);
460 jpeg_create_compress(&cinfo);
461@@ -1222,9 +1223,9 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality)
462
463 vnc_write_u8(vs, VNC_TIGHT_JPEG << 4);
464
465- tight_send_compact_size(vs, vs->tight.jpeg.offset);
466- vnc_write(vs, vs->tight.jpeg.buffer, vs->tight.jpeg.offset);
467- buffer_reset(&vs->tight.jpeg);
468+ tight_send_compact_size(vs, vs->tight->jpeg.offset);
469+ vnc_write(vs, vs->tight->jpeg.buffer, vs->tight->jpeg.offset);
470+ buffer_reset(&vs->tight->jpeg);
471
472 return 1;
473 }
474@@ -1240,7 +1241,7 @@ static void write_png_palette(int idx, uint32_t pix, void *opaque)
475 VncState *vs = priv->vs;
476 png_colorp color = &priv->png_palette[idx];
477
478- if (vs->tight.pixel24)
479+ if (vs->tight->pixel24)
480 {
481 color->red = (pix >> vs->client_pf.rshift) & vs->client_pf.rmax;
482 color->green = (pix >> vs->client_pf.gshift) & vs->client_pf.gmax;
483@@ -1267,10 +1268,10 @@ static void png_write_data(png_structp png_ptr, png_bytep data,
484 {
485 VncState *vs = png_get_io_ptr(png_ptr);
486
487- buffer_reserve(&vs->tight.png, vs->tight.png.offset + length);
488- memcpy(vs->tight.png.buffer + vs->tight.png.offset, data, length);
489+ buffer_reserve(&vs->tight->png, vs->tight->png.offset + length);
490+ memcpy(vs->tight->png.buffer + vs->tight->png.offset, data, length);
491
492- vs->tight.png.offset += length;
493+ vs->tight->png.offset += length;
494 }
495
496 static void png_flush_data(png_structp png_ptr)
497@@ -1295,8 +1296,8 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
498 png_infop info_ptr;
499 png_colorp png_palette = NULL;
500 pixman_image_t *linebuf;
501- int level = tight_png_conf[vs->tight.compression].png_zlib_level;
502- int filters = tight_png_conf[vs->tight.compression].png_filters;
503+ int level = tight_png_conf[vs->tight->compression].png_zlib_level;
504+ int filters = tight_png_conf[vs->tight->compression].png_filters;
505 uint8_t *buf;
506 int dy;
507
508@@ -1340,21 +1341,23 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
509 png_set_PLTE(png_ptr, info_ptr, png_palette, palette_size(palette));
510
511 if (vs->client_pf.bytes_per_pixel == 4) {
512- tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
513+ tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h,
514+ palette);
515 } else {
516- tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette);
517+ tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h,
518+ palette);
519 }
520 }
521
522 png_write_info(png_ptr, info_ptr);
523
524- buffer_reserve(&vs->tight.png, 2048);
525+ buffer_reserve(&vs->tight->png, 2048);
526 linebuf = qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, w);
527 buf = (uint8_t *)pixman_image_get_data(linebuf);
528 for (dy = 0; dy < h; dy++)
529 {
530 if (color_type == PNG_COLOR_TYPE_PALETTE) {
531- memcpy(buf, vs->tight.tight.buffer + (dy * w), w);
532+ memcpy(buf, vs->tight->tight.buffer + (dy * w), w);
533 } else {
534 qemu_pixman_linebuf_fill(linebuf, vs->vd->server, w, x, y + dy);
535 }
536@@ -1372,27 +1375,27 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
537
538 vnc_write_u8(vs, VNC_TIGHT_PNG << 4);
539
540- tight_send_compact_size(vs, vs->tight.png.offset);
541- vnc_write(vs, vs->tight.png.buffer, vs->tight.png.offset);
542- buffer_reset(&vs->tight.png);
543+ tight_send_compact_size(vs, vs->tight->png.offset);
544+ vnc_write(vs, vs->tight->png.buffer, vs->tight->png.offset);
545+ buffer_reset(&vs->tight->png);
546 return 1;
547 }
548 #endif /* CONFIG_VNC_PNG */
549
550 static void vnc_tight_start(VncState *vs)
551 {
552- buffer_reset(&vs->tight.tight);
553+ buffer_reset(&vs->tight->tight);
554
555 // make the output buffer be the zlib buffer, so we can compress it later
556- vs->tight.tmp = vs->output;
557- vs->output = vs->tight.tight;
558+ vs->tight->tmp = vs->output;
559+ vs->output = vs->tight->tight;
560 }
561
562 static void vnc_tight_stop(VncState *vs)
563 {
564 // switch back to normal output/zlib buffers
565- vs->tight.tight = vs->output;
566- vs->output = vs->tight.tmp;
567+ vs->tight->tight = vs->output;
568+ vs->output = vs->tight->tmp;
569 }
570
571 static int send_sub_rect_nojpeg(VncState *vs, int x, int y, int w, int h,
572@@ -1426,9 +1429,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
573 int ret;
574
575 if (colors == 0) {
576- if (force || (tight_jpeg_conf[vs->tight.quality].jpeg_full &&
577+ if (force || (tight_jpeg_conf[vs->tight->quality].jpeg_full &&
578 tight_detect_smooth_image(vs, w, h))) {
579- int quality = tight_conf[vs->tight.quality].jpeg_quality;
580+ int quality = tight_conf[vs->tight->quality].jpeg_quality;
581
582 ret = send_jpeg_rect(vs, x, y, w, h, quality);
583 } else {
584@@ -1440,9 +1443,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
585 ret = send_mono_rect(vs, x, y, w, h, bg, fg);
586 } else if (colors <= 256) {
587 if (force || (colors > 96 &&
588- tight_jpeg_conf[vs->tight.quality].jpeg_idx &&
589+ tight_jpeg_conf[vs->tight->quality].jpeg_idx &&
590 tight_detect_smooth_image(vs, w, h))) {
591- int quality = tight_conf[vs->tight.quality].jpeg_quality;
592+ int quality = tight_conf[vs->tight->quality].jpeg_quality;
593
594 ret = send_jpeg_rect(vs, x, y, w, h, quality);
595 } else {
596@@ -1480,20 +1483,20 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
597 qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
598 }
599
600- vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
601+ vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type);
602
603 vnc_tight_start(vs);
604 vnc_raw_send_framebuffer_update(vs, x, y, w, h);
605 vnc_tight_stop(vs);
606
607 #ifdef CONFIG_VNC_JPEG
608- if (!vs->vd->non_adaptive && vs->tight.quality != (uint8_t)-1) {
609+ if (!vs->vd->non_adaptive && vs->tight->quality != (uint8_t)-1) {
610 double freq = vnc_update_freq(vs, x, y, w, h);
611
612- if (freq < tight_jpeg_conf[vs->tight.quality].jpeg_freq_min) {
613+ if (freq < tight_jpeg_conf[vs->tight->quality].jpeg_freq_min) {
614 allow_jpeg = false;
615 }
616- if (freq >= tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) {
617+ if (freq >= tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) {
618 force_jpeg = true;
619 vnc_sent_lossy_rect(vs, x, y, w, h);
620 }
621@@ -1503,7 +1506,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
622 colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
623
624 #ifdef CONFIG_VNC_JPEG
625- if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
626+ if (allow_jpeg && vs->tight->quality != (uint8_t)-1) {
627 ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
628 color_count_palette, force_jpeg);
629 } else {
630@@ -1520,7 +1523,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
631
632 static int send_sub_rect_solid(VncState *vs, int x, int y, int w, int h)
633 {
634- vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
635+ vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type);
636
637 vnc_tight_start(vs);
638 vnc_raw_send_framebuffer_update(vs, x, y, w, h);
639@@ -1538,8 +1541,8 @@ static int send_rect_simple(VncState *vs, int x, int y, int w, int h,
640 int rw, rh;
641 int n = 0;
642
643- max_size = tight_conf[vs->tight.compression].max_rect_size;
644- max_width = tight_conf[vs->tight.compression].max_rect_width;
645+ max_size = tight_conf[vs->tight->compression].max_rect_size;
646+ max_width = tight_conf[vs->tight->compression].max_rect_width;
647
648 if (split && (w > max_width || w * h > max_size)) {
649 max_sub_width = (w > max_width) ? max_width : w;
650@@ -1648,16 +1651,16 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
651
652 if (vs->client_pf.bytes_per_pixel == 4 && vs->client_pf.rmax == 0xFF &&
653 vs->client_pf.bmax == 0xFF && vs->client_pf.gmax == 0xFF) {
654- vs->tight.pixel24 = true;
655+ vs->tight->pixel24 = true;
656 } else {
657- vs->tight.pixel24 = false;
658+ vs->tight->pixel24 = false;
659 }
660
661 #ifdef CONFIG_VNC_JPEG
662- if (vs->tight.quality != (uint8_t)-1) {
663+ if (vs->tight->quality != (uint8_t)-1) {
664 double freq = vnc_update_freq(vs, x, y, w, h);
665
666- if (freq > tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) {
667+ if (freq > tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) {
668 return send_rect_simple(vs, x, y, w, h, false);
669 }
670 }
671@@ -1669,8 +1672,8 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
672
673 /* Calculate maximum number of rows in one non-solid rectangle. */
674
675- max_rows = tight_conf[vs->tight.compression].max_rect_size;
676- max_rows /= MIN(tight_conf[vs->tight.compression].max_rect_width, w);
677+ max_rows = tight_conf[vs->tight->compression].max_rect_size;
678+ max_rows /= MIN(tight_conf[vs->tight->compression].max_rect_width, w);
679
680 return find_large_solid_color_rect(vs, x, y, w, h, max_rows);
681 }
682@@ -1678,33 +1681,33 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
683 int vnc_tight_send_framebuffer_update(VncState *vs, int x, int y,
684 int w, int h)
685 {
686- vs->tight.type = VNC_ENCODING_TIGHT;
687+ vs->tight->type = VNC_ENCODING_TIGHT;
688 return tight_send_framebuffer_update(vs, x, y, w, h);
689 }
690
691 int vnc_tight_png_send_framebuffer_update(VncState *vs, int x, int y,
692 int w, int h)
693 {
694- vs->tight.type = VNC_ENCODING_TIGHT_PNG;
695+ vs->tight->type = VNC_ENCODING_TIGHT_PNG;
696 return tight_send_framebuffer_update(vs, x, y, w, h);
697 }
698
699 void vnc_tight_clear(VncState *vs)
700 {
701 int i;
702- for (i=0; i<ARRAY_SIZE(vs->tight.stream); i++) {
703- if (vs->tight.stream[i].opaque) {
704- deflateEnd(&vs->tight.stream[i]);
705+ for (i = 0; i < ARRAY_SIZE(vs->tight->stream); i++) {
706+ if (vs->tight->stream[i].opaque) {
707+ deflateEnd(&vs->tight->stream[i]);
708 }
709 }
710
711- buffer_free(&vs->tight.tight);
712- buffer_free(&vs->tight.zlib);
713- buffer_free(&vs->tight.gradient);
714+ buffer_free(&vs->tight->tight);
715+ buffer_free(&vs->tight->zlib);
716+ buffer_free(&vs->tight->gradient);
717 #ifdef CONFIG_VNC_JPEG
718- buffer_free(&vs->tight.jpeg);
719+ buffer_free(&vs->tight->jpeg);
720 #endif
721 #ifdef CONFIG_VNC_PNG
722- buffer_free(&vs->tight.png);
723+ buffer_free(&vs->tight->png);
724 #endif
725 }
726diff --git a/ui/vnc-enc-zlib.c b/ui/vnc-enc-zlib.c
727index 33e9df2..900ae5b 100644
728--- a/ui/vnc-enc-zlib.c
729+++ b/ui/vnc-enc-zlib.c
730@@ -76,7 +76,8 @@ static int vnc_zlib_stop(VncState *vs)
731 zstream->zalloc = vnc_zlib_zalloc;
732 zstream->zfree = vnc_zlib_zfree;
733
734- err = deflateInit2(zstream, vs->tight.compression, Z_DEFLATED, MAX_WBITS,
735+ err = deflateInit2(zstream, vs->tight->compression, Z_DEFLATED,
736+ MAX_WBITS,
737 MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY);
738
739 if (err != Z_OK) {
740@@ -84,16 +85,16 @@ static int vnc_zlib_stop(VncState *vs)
741 return -1;
742 }
743
744- vs->zlib.level = vs->tight.compression;
745+ vs->zlib.level = vs->tight->compression;
746 zstream->opaque = vs;
747 }
748
749- if (vs->tight.compression != vs->zlib.level) {
750- if (deflateParams(zstream, vs->tight.compression,
751+ if (vs->tight->compression != vs->zlib.level) {
752+ if (deflateParams(zstream, vs->tight->compression,
753 Z_DEFAULT_STRATEGY) != Z_OK) {
754 return -1;
755 }
756- vs->zlib.level = vs->tight.compression;
757+ vs->zlib.level = vs->tight->compression;
758 }
759
760 // reserve memory in output buffer
761diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c
762index 7493a84..17fd28a 100644
763--- a/ui/vnc-enc-zrle.c
764+++ b/ui/vnc-enc-zrle.c
765@@ -37,18 +37,18 @@ static const int bits_per_packed_pixel[] = {
766
767 static void vnc_zrle_start(VncState *vs)
768 {
769- buffer_reset(&vs->zrle.zrle);
770+ buffer_reset(&vs->zrle->zrle);
771
772 /* make the output buffer be the zlib buffer, so we can compress it later */
773- vs->zrle.tmp = vs->output;
774- vs->output = vs->zrle.zrle;
775+ vs->zrle->tmp = vs->output;
776+ vs->output = vs->zrle->zrle;
777 }
778
779 static void vnc_zrle_stop(VncState *vs)
780 {
781 /* switch back to normal output/zlib buffers */
782- vs->zrle.zrle = vs->output;
783- vs->output = vs->zrle.tmp;
784+ vs->zrle->zrle = vs->output;
785+ vs->output = vs->zrle->tmp;
786 }
787
788 static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h,
789@@ -56,24 +56,24 @@ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h,
790 {
791 Buffer tmp;
792
793- buffer_reset(&vs->zrle.fb);
794- buffer_reserve(&vs->zrle.fb, w * h * bpp + bpp);
795+ buffer_reset(&vs->zrle->fb);
796+ buffer_reserve(&vs->zrle->fb, w * h * bpp + bpp);
797
798 tmp = vs->output;
799- vs->output = vs->zrle.fb;
800+ vs->output = vs->zrle->fb;
801
802 vnc_raw_send_framebuffer_update(vs, x, y, w, h);
803
804- vs->zrle.fb = vs->output;
805+ vs->zrle->fb = vs->output;
806 vs->output = tmp;
807- return vs->zrle.fb.buffer;
808+ return vs->zrle->fb.buffer;
809 }
810
811 static int zrle_compress_data(VncState *vs, int level)
812 {
813- z_streamp zstream = &vs->zrle.stream;
814+ z_streamp zstream = &vs->zrle->stream;
815
816- buffer_reset(&vs->zrle.zlib);
817+ buffer_reset(&vs->zrle->zlib);
818
819 if (zstream->opaque != vs) {
820 int err;
821@@ -93,13 +93,13 @@ static int zrle_compress_data(VncState *vs, int level)
822 }
823
824 /* reserve memory in output buffer */
825- buffer_reserve(&vs->zrle.zlib, vs->zrle.zrle.offset + 64);
826+ buffer_reserve(&vs->zrle->zlib, vs->zrle->zrle.offset + 64);
827
828 /* set pointers */
829- zstream->next_in = vs->zrle.zrle.buffer;
830- zstream->avail_in = vs->zrle.zrle.offset;
831- zstream->next_out = vs->zrle.zlib.buffer + vs->zrle.zlib.offset;
832- zstream->avail_out = vs->zrle.zlib.capacity - vs->zrle.zlib.offset;
833+ zstream->next_in = vs->zrle->zrle.buffer;
834+ zstream->avail_in = vs->zrle->zrle.offset;
835+ zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset;
836+ zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset;
837 zstream->data_type = Z_BINARY;
838
839 /* start encoding */
840@@ -108,8 +108,8 @@ static int zrle_compress_data(VncState *vs, int level)
841 return -1;
842 }
843
844- vs->zrle.zlib.offset = vs->zrle.zlib.capacity - zstream->avail_out;
845- return vs->zrle.zlib.offset;
846+ vs->zrle->zlib.offset = vs->zrle->zlib.capacity - zstream->avail_out;
847+ return vs->zrle->zlib.offset;
848 }
849
850 /* Try to work out whether to use RLE and/or a palette. We do this by
851@@ -259,14 +259,14 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y,
852 size_t bytes;
853 int zywrle_level;
854
855- if (vs->zrle.type == VNC_ENCODING_ZYWRLE) {
856- if (!vs->vd->lossy || vs->tight.quality == (uint8_t)-1
857- || vs->tight.quality == 9) {
858+ if (vs->zrle->type == VNC_ENCODING_ZYWRLE) {
859+ if (!vs->vd->lossy || vs->tight->quality == (uint8_t)-1
860+ || vs->tight->quality == 9) {
861 zywrle_level = 0;
862- vs->zrle.type = VNC_ENCODING_ZRLE;
863- } else if (vs->tight.quality < 3) {
864+ vs->zrle->type = VNC_ENCODING_ZRLE;
865+ } else if (vs->tight->quality < 3) {
866 zywrle_level = 3;
867- } else if (vs->tight.quality < 6) {
868+ } else if (vs->tight->quality < 6) {
869 zywrle_level = 2;
870 } else {
871 zywrle_level = 1;
872@@ -337,30 +337,30 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y,
873
874 vnc_zrle_stop(vs);
875 bytes = zrle_compress_data(vs, Z_DEFAULT_COMPRESSION);
876- vnc_framebuffer_update(vs, x, y, w, h, vs->zrle.type);
877+ vnc_framebuffer_update(vs, x, y, w, h, vs->zrle->type);
878 vnc_write_u32(vs, bytes);
879- vnc_write(vs, vs->zrle.zlib.buffer, vs->zrle.zlib.offset);
880+ vnc_write(vs, vs->zrle->zlib.buffer, vs->zrle->zlib.offset);
881 return 1;
882 }
883
884 int vnc_zrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
885 {
886- vs->zrle.type = VNC_ENCODING_ZRLE;
887+ vs->zrle->type = VNC_ENCODING_ZRLE;
888 return zrle_send_framebuffer_update(vs, x, y, w, h);
889 }
890
891 int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
892 {
893- vs->zrle.type = VNC_ENCODING_ZYWRLE;
894+ vs->zrle->type = VNC_ENCODING_ZYWRLE;
895 return zrle_send_framebuffer_update(vs, x, y, w, h);
896 }
897
898 void vnc_zrle_clear(VncState *vs)
899 {
900- if (vs->zrle.stream.opaque) {
901- deflateEnd(&vs->zrle.stream);
902+ if (vs->zrle->stream.opaque) {
903+ deflateEnd(&vs->zrle->stream);
904 }
905- buffer_free(&vs->zrle.zrle);
906- buffer_free(&vs->zrle.fb);
907- buffer_free(&vs->zrle.zlib);
908+ buffer_free(&vs->zrle->zrle);
909+ buffer_free(&vs->zrle->fb);
910+ buffer_free(&vs->zrle->zlib);
911 }
912diff --git a/ui/vnc-enc-zrle.inc.c b/ui/vnc-enc-zrle.inc.c
913index abf6b86..c107d8a 100644
914--- a/ui/vnc-enc-zrle.inc.c
915+++ b/ui/vnc-enc-zrle.inc.c
916@@ -96,7 +96,7 @@ static void ZRLE_ENCODE(VncState *vs, int x, int y, int w, int h,
917 static void ZRLE_ENCODE_TILE(VncState *vs, ZRLE_PIXEL *data, int w, int h,
918 int zywrle_level)
919 {
920- VncPalette *palette = &vs->zrle.palette;
921+ VncPalette *palette = &vs->zrle->palette;
922
923 int runs = 0;
924 int single_pixels = 0;
925diff --git a/ui/vnc.c b/ui/vnc.c
926index bc43c4c..87b8045 100644
927--- a/ui/vnc.c
928+++ b/ui/vnc.c
929@@ -1307,6 +1307,8 @@ void vnc_disconnect_finish(VncState *vs)
930 object_unref(OBJECT(vs->sioc));
931 vs->sioc = NULL;
932 vs->magic = 0;
933+ g_free(vs->zrle);
934+ g_free(vs->tight);
935 g_free(vs);
936 }
937
938@@ -2058,8 +2060,8 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
939
940 vs->features = 0;
941 vs->vnc_encoding = 0;
942- vs->tight.compression = 9;
943- vs->tight.quality = -1; /* Lossless by default */
944+ vs->tight->compression = 9;
945+ vs->tight->quality = -1; /* Lossless by default */
946 vs->absolute = -1;
947
948 /*
949@@ -2127,11 +2129,11 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
950 vs->features |= VNC_FEATURE_LED_STATE_MASK;
951 break;
952 case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
953- vs->tight.compression = (enc & 0x0F);
954+ vs->tight->compression = (enc & 0x0F);
955 break;
956 case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
957 if (vs->vd->lossy) {
958- vs->tight.quality = (enc & 0x0F);
959+ vs->tight->quality = (enc & 0x0F);
960 }
961 break;
962 default:
963@@ -3034,6 +3036,8 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
964 int i;
965
966 trace_vnc_client_connect(vs, sioc);
967+ vs->zrle = g_new0(VncZrle, 1);
968+ vs->tight = g_new0(VncTight, 1);
969 vs->magic = VNC_MAGIC;
970 vs->sioc = sioc;
971 object_ref(OBJECT(vs->sioc));
972@@ -3045,19 +3049,19 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
973 buffer_init(&vs->output, "vnc-output/%p", sioc);
974 buffer_init(&vs->jobs_buffer, "vnc-jobs_buffer/%p", sioc);
975
976- buffer_init(&vs->tight.tight, "vnc-tight/%p", sioc);
977- buffer_init(&vs->tight.zlib, "vnc-tight-zlib/%p", sioc);
978- buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
979+ buffer_init(&vs->tight->tight, "vnc-tight/%p", sioc);
980+ buffer_init(&vs->tight->zlib, "vnc-tight-zlib/%p", sioc);
981+ buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
982 #ifdef CONFIG_VNC_JPEG
983- buffer_init(&vs->tight.jpeg, "vnc-tight-jpeg/%p", sioc);
984+ buffer_init(&vs->tight->jpeg, "vnc-tight-jpeg/%p", sioc);
985 #endif
986 #ifdef CONFIG_VNC_PNG
987- buffer_init(&vs->tight.png, "vnc-tight-png/%p", sioc);
988+ buffer_init(&vs->tight->png, "vnc-tight-png/%p", sioc);
989 #endif
990 buffer_init(&vs->zlib.zlib, "vnc-zlib/%p", sioc);
991- buffer_init(&vs->zrle.zrle, "vnc-zrle/%p", sioc);
992- buffer_init(&vs->zrle.fb, "vnc-zrle-fb/%p", sioc);
993- buffer_init(&vs->zrle.zlib, "vnc-zrle-zlib/%p", sioc);
994+ buffer_init(&vs->zrle->zrle, "vnc-zrle/%p", sioc);
995+ buffer_init(&vs->zrle->fb, "vnc-zrle-fb/%p", sioc);
996+ buffer_init(&vs->zrle->zlib, "vnc-zrle-zlib/%p", sioc);
997
998 if (skipauth) {
999 vs->auth = VNC_AUTH_NONE;
1000diff --git a/ui/vnc.h b/ui/vnc.h
1001index 8643860..fea79c2 100644
1002--- a/ui/vnc.h
1003+++ b/ui/vnc.h
1004@@ -338,10 +338,10 @@ struct VncState
1005 /* Encoding specific, if you add something here, don't forget to
1006 * update vnc_async_encoding_start()
1007 */
1008- VncTight tight;
1009+ VncTight *tight;
1010 VncZlib zlib;
1011 VncHextile hextile;
1012- VncZrle zrle;
1013+ VncZrle *zrle;
1014 VncZywrle zywrle;
1015
1016 Notifier mouse_mode_notifier;
1017--
10181.8.3.1
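--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
+From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
+From: Vincent Dehors <vincent.dehors@smile.fr>
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: [PATCH] target/arm: Fix PAuth sbox functions
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
+Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9]
+CVE: CVE-2020-10702
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ target/arm/pauth_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f2..0a5f41e 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+--
+1.8.3.1
+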
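Review bot: The backport carries only the two-line loop-stride fix, while the commit message says the result was validated against a QARMA test vector and the Message-id suffix (`19078-2`) suggests this is the second patch of an upstream series; it would be worth recording in the recipe-side header whether the companion patch (likely the test) was deliberately left out, e.g. `[OE: test-only sibling patch not backported]`. The fix itself is sound for a 4-bit sbox: stepping `b` by 4 covers all sixteen nibbles of the 64-bit input, whereas the old stride of 16 substituted only four of them, leaving most of the PAC unaffected by the sbox layer. pac_sub and pac_inv_sub are otherwise unchanged and end within the hunks shown.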
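--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ slirp/src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+
++ // Check if the message size is big enough to hold what's
++ // set in the payload length header. If not this is an invalid
++ // packet
++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++ goto bad;
++ }
++
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+2.17.1
+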
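Review bot: The comparison `m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)` has a size_t on its right-hand side, so `m_len` is converted to unsigned before the compare; if `m_len` is a signed int (as slirp's mbuf declares it, to be confirmed against this tree's header) a negative length would pass the new check unnoticed. The guard is presumably only reached after an earlier minimum-header-length check in ip6_input (outside this hunk), and a one-line comment such as `/* m_len already validated >= sizeof(struct ip6) above */` would make that dependence explicit instead of implicit. On style, the three added `//` comment lines sit next to `/* check ip_ttl for a correct ICMP reply */` in the same function; matching the `/* */` form keeps the file consistent. ip6_input continues on both sides of the hunk.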
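--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
@@ -0,0 +1,97 @@
+From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Mon, 6 Apr 2020 22:34:26 +0200
+Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
+
+In some corner cases (that never happen during normal operation but a
+malicious guest could program wrong values) pixman functions were
+called with parameters that result in a crash. Fix this and add more
+checks to disallow such cases.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7]
+CVE: CVE-2020-11869
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 42e8231..23a8ae0 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
+ s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
+ surface_bits_per_pixel(ds),
+ (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
+- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+ int bpp = ati_bpp_from_datatype(s);
++ if (!bpp) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
++ return;
++ }
+ int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
++ if (!dst_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
++ return;
++ }
+ uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+ s->regs.dst_offset : s->regs.default_offset);
+
+@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
+ switch (s->regs.dp_mix & GMC_ROP3_MASK) {
+ case ROP3_SRCCOPY:
+ {
+- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+ int src_stride = DEFAULT_CNTL ?
+ s->regs.src_pitch : s->regs.default_pitch;
++ if (!src_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
++ return;
++ }
+ uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+ s->regs.src_offset : s->regs.default_offset);
+
+@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_y * surface_stride(ds),
+ s->regs.dst_height * surface_stride(ds));
+ }
+- s->regs.dst_x += s->regs.dst_width;
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ dst_x + s->regs.dst_width : dst_x);
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+ break;
+ }
+ case ROP3_PATCOPY:
+@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_y * surface_stride(ds),
+ s->regs.dst_height * surface_stride(ds));
+ }
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+ break;
+ }
+ default:
+--
+1.8.3.1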
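Review bot: Changing `dst_x`/`dst_y`/`src_x`/`src_y` to `unsigned` means the `... + 1 - s->regs.dst_width` arm wraps to a huge value whenever the guest-programmed width or height exceeds the coordinate by more than one, and nothing in the first two hunks rejects that case; the fix presumably relies on the bounds checks later in ati_2d_blt (outside the hunks) to reject the wrapped coordinate, and that reliance deserves a comment at the declarations, e.g. `/* unsigned on purpose: a wrapped value is rejected by the range checks below */`. The `if (!bpp)` and `if (!dst_stride)` guards are interleaved with the declarations they follow, which is legal C99 but slightly harder to read than validating all register-derived inputs in one place before the pixman calls. The guest-error log messages are a good detection hook for fuzzing and for spotting misbehaving guests; consider including the offending register values in them so the log is actionable. ati_2d_blt starts and ends outside the hunks shown.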
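--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
+From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 25 Sep 2019 14:16:43 +0200
+Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
+
+Both, "rom->addr" and "addr" are derived from the binary image
+that can be loaded with the "-kernel" paramer. The code in
+rom_copy() then calculates:
+
+ d = dest + (rom->addr - addr);
+
+and uses "d" as destination in a memcpy() some lines later. Now with
+bad kernel images, it is possible that rom->addr is smaller than addr,
+thus "rom->addr - addr" gets negative and the memcpy() then tries to
+copy contents from the image to a bad memory location. This could
+maybe be used to inject code from a kernel image into the QEMU binary,
+so we better fix it with an additional sanity check here.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Guangming Liu
+Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
+Message-Id: <20190925130331.27825-1-thuth@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319]
+CVE: CVE-2020-13765
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ hw/core/loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/loader.c b/hw/core/loader.c
+index 0d60219..5099f27 100644
+--- a/hw/core/loader.c
++++ b/hw/core/loader.c
+@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
+ if (rom->addr + rom->romsize < addr) {
+ continue;
+ }
+- if (rom->addr > end) {
++ if (rom->addr > end || rom->addr < addr) {
+ break;
+ }
+
+--
+1.8.3.1
+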
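Review bot: The new `rom->addr < addr` condition shares the `break` with the `rom->addr > end` case, so a ROM that starts below `addr` but reaches into the window (the `continue` just above only filters entries ending before `addr`) terminates the whole loop rather than being skipped, and any later list entries that do lie inside `[addr, end]` are not copied either. Whether that can happen depends on how the ROM list is ordered and whether overlapping ROMs are permitted, which the hunk does not show; if the intent is merely to refuse the unsafe entry, `continue` is the narrower change, and if `break` is deliberate a comment such as `/* entries are sorted by addr; one starting below addr cannot be placed in dest */` should record why. The check does close the negative-offset path into `d = dest + (rom->addr - addr)` described in the message. rom_copy continues outside the hunk.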
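--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+CVE: CVE-2020-14364
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.17.1
+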
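Review bot: `setup_len` is now an `unsigned int` in both do_token_setup and do_parameter, but the two `fprintf` calls still print it with `%d`; the format should be updated alongside the type, `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n"`, so the message is well-defined and `-Wformat` stays quiet. In do_parameter the writes `s->setup_state = SETUP_STATE_PARAM;` and `s->setup_index = 0;` still happen before the new length check, so on the STALL path the device is left in PARAM state with whatever `s->setup_len` the previous transfer stored; that is much safer than the old code (the bad length is never written), but a short comment noting that a stale `setup_len` is harmless there, or moving the state writes below the check, would make the invariant clear. Both functions continue outside the hunks shown.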
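--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
++++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+ }
+ len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+
++ /*
++ * FIXME: these cases of malformed tx descriptors (bad sizes)
++ * should probably be reported back to the guest somehow
++ * rather than simply silently stopping processing, but we
++ * don't know what the hardware does in this situation.
++ * This will only happen for buggy guests anyway.
++ */
+ if ((bd.buffer1_size & 0xfff) > 2048) {
+ DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+ "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+ __func__, bd.buffer1_size & 0xfff);
++ break;
+ }
+ if ((bd.buffer2_size & 0xfff) != 0) {
+ DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+ "xgmac buffer 2 len on send != 0 (0x%x)\n",
+ __func__, bd.buffer2_size & 0xfff);
++ break;
+ }
+- if (len >= sizeof(frame)) {
++ if (frame_size + len >= sizeof(frame)) {
+ DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+- "buffer\n" , __func__, len, sizeof(frame));
++ "buffer\n" , __func__, frame_size + len, sizeof(frame));
+ DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+ __func__, bd.buffer1_size, bd.buffer2_size);
++ break;
+ }
+
+ cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+--
+1.9.1
+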
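Review bot: The tightened bound `frame_size + len >= sizeof(frame)` rejects a descriptor that would exactly fill `frame` (`frame_size + len == sizeof(frame)`) as well as one that overflows it; if the strict form is deliberate, a comment saying why the last byte is reserved would help, otherwise `>` is the precise check. The added FIXME explains the two malformed-descriptor cases, but the third `break` is an accumulated-size failure rather than a bad descriptor, so extending the comment with a clause such as `* The same applies when the accumulated frame would exceed sizeof(frame).` keeps the rationale in one place. Note that the check is correct only because `frame_size` tracks everything already read into `ptr`; the enclosing loop that maintains `frame_size` and `ptr` starts and ends outside the hunk, and the types of `frame_size` and `len` (printed with `%d`) are not visible here.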
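--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,49 @@
+From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network
+packets
+while adding data fragments into the packet context. It could be abused
+by a
+malicious guest to abort the QEMU process on the host. This patch
+replaces the
+affected assert() with a conditional statement, returning false if the
+current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-16092
+[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802..54d4c3b 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+ hwaddr mapped_len = 0;
+ struct iovec *ventry;
+ assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+ if (!len) {
+ return true;
+--
+2.17.1
+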
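Review bot: Replacing the assertion with `if (pkt->raw_frags >= pkt->max_raw_frags) return false;` turns a former invariant into a reportable failure, so the function's contract now includes "fragment table exhausted" and every caller must treat `false` as a dropped packet rather than a transient condition; the hunk does not show the callers, and the declaration comment in the header (outside this patch) should state it, e.g. `/* Returns false if the fragment cannot be added, including when max_raw_frags is exhausted; the packet must then be discarded. */`. The new check sits ahead of the `if (!len) return true;` shortcut, so a zero-length fragment on a full table now fails where the old code would have asserted first; that is the conservative choice and fine, but worth a one-line comment since it is a visible behaviour change. This is the right hardening direction for guest-controlled descriptor counts: a guest-triggerable `assert()` is a host-side denial of service, whereas a `false` return lets the device model drop the packet and keep running. net_tx_pkt_add_raw_fragment continues outside the hunk.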
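--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
@@ -0,0 +1,64 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc]
+CVE: CVE-2020-1711
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3..cbd5729 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1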
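Review bot: `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` is unsigned 64-bit arithmetic, so if `lba` were ever at or beyond `num_blocks` the subtraction would wrap and `max_bytes` would become enormous, silently disabling the cap this patch introduces; that presumably cannot happen because the block layer validates `offset` against the device length before calling into the driver (not visible in the hunk), and an `assert(lba < iscsilun->num_blocks);` or a comment at that line would pin the assumption where the cap depends on it. The `MIN((int64_t) ..., max_bytes)` expression also mixes a signed `int64_t` with the unsigned `uint64_t` `max_bytes`, so the signed operand is converted to unsigned inside the macro; declaring `max_bytes` as `int64_t` keeps the comparison in one type and matches `*pnum`. The cap is the right mitigation since the server-controlled `lbasd->num_blocks` was the only thing bounding the allocmap update; iscsi_co_block_status begins and ends outside the hunks shown.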
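diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 0000000000..df6bca6db6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+ if (lport < 6970)
+ lport += 256; /* don't know why */
+--
+2.7.4
+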
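Review bot: Both added guards (at `case 5` and before the `lport` read) test `bptr == m->m_data + m->m_len - 1`, which only rejects the exact one-byte-left position; that is sufficient only if the enclosing loop already guarantees `bptr < m->m_data + m->m_len` on entry, and neither that loop nor the rest of tcp_emu is inside the hunk. Writing the bound as `if (bptr >= m->m_data + m->m_len - 1)` would make the check hold regardless of that invariant at no cost. The comment `/* We need two bytes */` would also be more useful as `/* bptr[0..1] is the big-endian port read below; bail if the second byte is not in this mbuf */`, since the reason is not visible at the first site.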
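diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
new file mode 100644
index 0000000000..4a00fa2afd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
+From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:10:34 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4bea2d4..e8ed4ef 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
+ n5, n6, x == 7 ? buff : "");
+ return 1;
+@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+
+@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len =
+- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+
+ case EMU_IRC:
+--
+2.7.4
+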
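Review bot: The `M_FREEROOM(m)` / `M_ROOM(m)` bounds stop the write itself from overrunning the mbuf, but the return value of `snprintf` is still added to `m->m_len` unchecked at all three sites (`ORT`, `27 Entering Passive Mode` and the `%d` reply); when the formatted text is truncated, `snprintf` returns the length it would have written, so `m->m_len` ends up larger than the bytes actually present and any later code that trusts `m->m_len` reads past the valid data. The same pattern remains in the three `DCC` sites of CVE-2020-7039-3.patch. Capturing the result and clamping it, e.g. `int n = snprintf(bptr, M_FREEROOM(m), ...);` followed by `m->m_len += (n < 0) ? 0 : (n < M_FREEROOM(m) ? n : M_FREEROOM(m) - 1);`, keeps `m_len` consistent with what is in the buffer; a negative return (encoding error) must not be added either. tcp_emu begins and ends outside these hunks, so I cannot see whether a caller re-validates `m_len` afterwards.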
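diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
new file mode 100644
index 0000000000..70ce480d80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
+From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:15:04 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e8ed4ef..3a4a8ee 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+ } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
+@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+ } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
+@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+ }
+--
+2.7.4
+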
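diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
new file mode 100644
index 0000000000..11be4c92e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
+From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 13 Jan 2020 17:44:31 +0530
+Subject: [PATCH] slirp: tftp: restrict relative path access
+
+tftp restricts relative or directory path access on Linux systems.
+Apply same restrictions on Windows systems too. It helps to avoid
+directory traversal issue.
+
+Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
+CVE: CVE-2020-7211
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ slirp/src/tftp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index 093c2e0..e52e71b 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+ k += 6; /* skipping octet */
+
+ /* do sanity checks on the filename */
+- if (!strncmp(req_fname, "../", 3) ||
+- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
++ if (
++#ifdef G_OS_WIN32
++ strstr(req_fname, "..\\") ||
++ req_fname[strlen(req_fname) - 1] == '\\' ||
++#endif
++ strstr(req_fname, "../") ||
++ req_fname[strlen(req_fname) - 1] == '/') {
+ tftp_send_error(spt, 2, "Access violation", tp);
+ return;
+ }
+--
+2.24.1
+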
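Review bot: `req_fname[strlen(req_fname) - 1]`, kept on the POSIX branch and duplicated on the new Windows branch, indexes at `-1` when `req_fname` is empty, which is an out-of-bounds read unless an earlier part of tftp_handle_rrq (outside the hunk) already rejects an empty name; adding `*req_fname == '\0' ||` as the first term of the condition would make the check self-contained and also refuse a request with no filename at all. The `#ifdef` spliced into the middle of the `if` condition is hard to read and easy to break when the next term is added; a small helper such as `static bool tftp_fname_is_unsafe(const char *fname)` holding the platform-specific block would reduce the call site to `if (tftp_fname_is_unsafe(req_fname)) {`. A one-line comment on why backslash variants are checked only under `G_OS_WIN32` (the host separator, not the guest's) would also help the next reader.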