From 6bc005ce5945dd2ba664d07fef62ec9108649eee Mon Sep 17 00:00:00 2001
From: Juergen Lock
Date: Sun, 2 Nov 2008 22:59:10 +0000
Subject: Fix heap overflow in Cirrus emulation
Obtained from: qemu svn
Security: http://www.vuxml.org/freebsd/07bb3bd2-a920-11dd-8503-0211060005df.html
---
 emulators/qemu-devel/Makefile | 2 +-
 emulators/qemu-devel/files/patch-CVE-2008-4539 | 27 ++++++++++++++++++++++++++
 emulators/qemu/Makefile | 2 +-
 emulators/qemu/files/patch-CVE-2008-4539 | 27 ++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 emulators/qemu-devel/files/patch-CVE-2008-4539
 create mode 100644 emulators/qemu/files/patch-CVE-2008-4539
diff --git a/emulators/qemu-devel/Makefile b/emulators/qemu-devel/Makefile
index 3cd4951c5614..841502d644c2 100644
--- a/emulators/qemu-devel/Makefile
+++ b/emulators/qemu-devel/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= qemu
 PORTVERSION= 0.9.1s.20080620
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= emulators
 MASTER_SITES= http://bellard.org/qemu/:release \
 http://qemu-forum.ipi.fi/qemu-snapshots/:snapshot \
diff --git a/emulators/qemu-devel/files/patch-CVE-2008-4539 b/emulators/qemu-devel/files/patch-CVE-2008-4539
new file mode 100644
index 000000000000..c2348bd4cf91
--- /dev/null
+++ b/emulators/qemu-devel/files/patch-CVE-2008-4539
@@ -0,0 +1,27 @@
+Index: qemu/hw/cirrus_vga.c
+===================================================================
+--- trunk/hw/cirrus_vga.c 2008-11-01 00:53:30 UTC (rev 5586)
++++ trunk/hw/cirrus_vga.c 2008-11-01 00:53:39 UTC (rev 5587)
+@@ -785,15 +785,14 @@
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
++ if (BLTUNSAFE(s))
++ return 0;
++
+ if (s->ds->dpy_copy) {
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
+ s->cirrus_blt_srcaddr - s->start_addr,
+ s->cirrus_blt_width, s->cirrus_blt_height);
+ } else {
+-
+- if (BLTUNSAFE(s))
+- return 0;
+-
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+
+
+
+
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index 9a9a35992272..d9cb1d2439c4 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= qemu
 PORTVERSION= 0.9.1
-PORTREVISION= 9
+PORTREVISION= 10
 CATEGORIES= emulators
 MASTER_SITES= http://bellard.org/qemu/:release \
 http://qemu.org/:release \
diff --git a/emulators/qemu/files/patch-CVE-2008-4539 b/emulators/qemu/files/patch-CVE-2008-4539
new file mode 100644
index 000000000000..c2348bd4cf91
--- /dev/null
+++ b/emulators/qemu/files/patch-CVE-2008-4539
@@ -0,0 +1,27 @@
+Index: qemu/hw/cirrus_vga.c
+===================================================================
+--- trunk/hw/cirrus_vga.c 2008-11-01 00:53:30 UTC (rev 5586)
++++ trunk/hw/cirrus_vga.c 2008-11-01 00:53:39 UTC (rev 5587)
+@@ -785,15 +785,14 @@
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
++ if (BLTUNSAFE(s))
++ return 0;
++
+ if (s->ds->dpy_copy) {
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
+ s->cirrus_blt_srcaddr - s->start_addr,
+ s->cirrus_blt_width, s->cirrus_blt_height);
+ } else {
+-
+- if (BLTUNSAFE(s))
+- return 0;
+-
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+
+
+
+
-- 
cgit v1.2.3
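Review bot: The file headers inside the new files/patch-CVE-2008-4539 read `--- trunk/hw/cirrus_vga.c` / `+++ trunk/hw/cirrus_vga.c` with an `Index: qemu/hw/cirrus_vga.c` line, paths that appear to be copied straight from the upstream svn checkout rather than the port's WRKSRC, so whether the ports framework applies the file at its default `-p0` likely depends on patch(1) falling back to a stripped file name. Rewriting the headers to the ports convention, `--- hw/cirrus_vga.c.orig` and `+++ hw/cirrus_vga.c`, removes that dependency, and the identical copy added under emulators/qemu (same blob c2348bd4cf91) needs the same edit. The nested hunk ends at `s->vram_ptr +` with the rest of cirrus_bitblt_videotovideo_copy outside it, which is consistent with its `-785,15 +785,14` counts, but it is then followed by four empty `+` lines that patch(1) should ignore as trailing garbage and that are better dropped from both copies. Since this hoisted `BLTUNSAFE(s)` check is what extends the bounds check to the `s->ds->dpy_copy` path for CVE-2008-4539, I would confirm after `make patch` on both ports that the resulting hw/cirrus_vga.c actually contains it before relying on the PORTREVISION bumps alone.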