An integer overflow issue was found in the CCID Passthru card device emulation, while reading card data in ccid_card_vscard_read() function. The ccid_card_vscard_read() function accepts a signed integer 'size' argument, which is subsequently used as unsigned size_t value in memcpy(), copying large amounts of memory.
A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
Name: Arash Tohidi
The overflowed argument in ccid_card_vscard_read() is "int size". Another memory corruption may happen if a specially crafted buffer is fed to buf which will be passed to ccid_card_vscard_handle_message() and eventually will result in another memory overwrite by calling memcpy().
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1640019]
The maintainer audited the code and can not find that memory corruption happens (see bug 1640020#c9).
Since there is no known reproducer (see bug 1640020#c7), all those issues have been closed as NOTABUG.