From 65d35a09979e63541afc5bfc595b9f1b1b4ae069 Mon Sep 17 00:00:00 2001
From: aurel32 <aurel32@c046a42c-6fe2-441c-8c8c-71466251a162>
Date: Sat, 1 Nov 2008 00:53:39 +0000
Subject: [PATCH] CVE-2008-4539: fix a heap overflow in Cirrus emulation

The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has
been announced and the patch has been applied. As a consequence it has
wrongly applied and QEMU is still vulnerable to this bug if using VNC.

(noticed by Jan Niehusmann)

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5587 c046a42c-6fe2-441c-8c8c-71466251a162
---
 hw/cirrus_vga.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 55f3ced340..af9c9e6a8d 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 
 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
 {
+    if (BLTUNSAFE(s))
+        return 0;
+
     if (s->ds->dpy_copy) {
 	cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
 		       s->cirrus_blt_srcaddr - s->start_addr,
 		       s->cirrus_blt_width, s->cirrus_blt_height);
     } else {
-
-    if (BLTUNSAFE(s))
-        return 0;
-
 	(*s->cirrus_rop) (s, s->vram_ptr +
                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
 			  s->vram_ptr +