authorwiz <wiz>2014-05-15 12:28:13 +0000
committerwiz <wiz>2014-05-15 12:28:13 +0000
commit6456ccb208ce3863fd5a4b36c8a7f097d11dab49 (patch)
treef9f63d64c0b7c93c1890e13c590e7dccaa5f5bf3 /emulators/qemu
parentdc07da96986d9c019fc49bbac5df026ce5dd41e1 (diff)
Add a patch based on upstream git fixing five different CVEs in one file.
Congratulations. Bump PKGREVISION.
Diffstat (limited to 'emulators/qemu')
-rw-r--r--emulators/qemu/Makefile4
-rw-r--r--emulators/qemu/distinfo3
-rw-r--r--emulators/qemu/patches/patch-hw_virtio_virtio.c69
3 files changed, 73 insertions, 3 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index c1270787928..693516b599e 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.127 2014/05/09 07:37:04 wiz Exp $
+# $NetBSD: Makefile,v 1.128 2014/05/15 12:28:13 wiz Exp $
DISTNAME= qemu-2.0.0
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 42233148eb9..3968d873e12 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.94 2014/04/18 15:50:16 adam Exp $
+$NetBSD: distinfo,v 1.95 2014/05/15 12:28:13 wiz Exp $
SHA1 (qemu-2.0.0.tar.bz2) = cc24a60a93ba697057a67b6a7224b95627eaf1a6
RMD160 (qemu-2.0.0.tar.bz2) = ecd05e036431c14930ae2455a032495dd7ebaf85
@@ -10,6 +10,7 @@ SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
SHA1 (patch-hw_ppc_mac__newworld.c) = 9a0ec3ba0b6da2879fdaba6a7937fb16a02685f5
SHA1 (patch-hw_ppc_mac__oldworld.c) = 46322c77c87be6d517c43466325c344db99cd463
+SHA1 (patch-hw_virtio_virtio.c) = 9aa4553a4eda81fb014b116c2207ec4b59265fca
SHA1 (patch-memory.c) = 14df9c835ca318fc79a8d3a46bb94d2f229277cc
SHA1 (patch-slirp_tcp__subr.c) = cfc8289384fa987289e32b64532c13a83a890820
SHA1 (patch-user-exec.c) = eb83832c7c9e5f69313f8cad2c2f77b304072556
diff --git a/emulators/qemu/patches/patch-hw_virtio_virtio.c b/emulators/qemu/patches/patch-hw_virtio_virtio.c
new file mode 100644
index 00000000000..94851ead760
--- /dev/null
+++ b/emulators/qemu/patches/patch-hw_virtio_virtio.c
@@ -0,0 +1,69 @@
+$NetBSD: patch-hw_virtio_virtio.c,v 1.1 2014/05/15 12:28:13 wiz Exp $
+
+Fixes for
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4151
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4535
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4536
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6399
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0182
+from upstream git.
+
+--- hw/virtio/virtio.c.orig 2014-04-17 13:44:44.000000000 +0000
++++ hw/virtio/virtio.c
+@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg,
+ unsigned int i;
+ hwaddr len;
+
++ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
++ error_report("virtio: map attempt out of bounds: %zd > %d",
++ num_sg, VIRTQUEUE_MAX_SIZE);
++ exit(1);
++ }
++
+ for (i = 0; i < num_sg; i++) {
+ len = sg[i].iov_len;
+ sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
+@@ -891,7 +897,9 @@ int virtio_set_features(VirtIODevice *vd
+
+ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ {
+- int num, i, ret;
++ int i, ret;
++ int32_t config_len;
++ uint32_t num;
+ uint32_t features;
+ uint32_t supported_features;
+ BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
+@@ -906,6 +914,9 @@ int virtio_load(VirtIODevice *vdev, QEMU
+ qemu_get_8s(f, &vdev->status);
+ qemu_get_8s(f, &vdev->isr);
+ qemu_get_be16s(f, &vdev->queue_sel);
++ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
++ return -1;
++ }
+ qemu_get_be32s(f, &features);
+
+ if (virtio_set_features(vdev, features) < 0) {
+@@ -914,11 +925,21 @@ int virtio_load(VirtIODevice *vdev, QEMU
+ features, supported_features);
+ return -1;
+ }
+- vdev->config_len = qemu_get_be32(f);
++ config_len = qemu_get_be32(f);
++ if (config_len != vdev->config_len) {
++ error_report("Unexpected config length 0x%x. Expected 0x%zx",
++ config_len, vdev->config_len);
++ return -1;
++ }
+ qemu_get_buffer(f, vdev->config, vdev->config_len);
+
+ num = qemu_get_be32(f);
+
++ if (num > VIRTIO_PCI_QUEUE_MAX) {
++ error_report("Invalid number of PCI queues: 0x%x", num);
++ return -1;
++ }
++
+ for (i = 0; i < num; i++) {
+ vdev->vq[i].vring.num = qemu_get_be32(f);
+ if (k->has_variable_vring_alignment) {
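Review bot: In the virtqueue_map_sg guard the test is `num_sg >= VIRTQUEUE_MAX_SIZE` but the message it prints says `>`, so a request for exactly VIRTQUEUE_MAX_SIZE entries ends the emulator with a message that reads as untrue. If the sg/addr arrays hold VIRTQUEUE_MAX_SIZE elements (their declarations are not visible here), the bound should be `if (num_sg > VIRTQUEUE_MAX_SIZE) {`; otherwise the message text should say `>=`. The format uses `%zd` for what appears to be an unsigned size (the signature is cut off in the hunk header), where `%zu` would match. In virtio_load the new `queue_sel` range check returns -1 without an `error_report`, unlike the config-length and queue-count checks next to it, so a rejected migration stream gives no hint which field failed; a line such as `error_report("Invalid queue_sel: 0x%x", vdev->queue_sel);` before the return would make it consistent. The body of virtio_load continues past the end of the patch, so whether the per-queue `vring.num` read at the end is validated cannot be judged from here.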