|
|
9ae3a8 |
From 8d230a5a57512c84545bd6345775e69b4b3b1983 Mon Sep 17 00:00:00 2001
|
|
|
9ae3a8 |
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Date: Tue, 7 Feb 2017 10:07:46 +0100
|
|
|
9ae3a8 |
Subject: [PATCH 03/11] cirrus_vga: fix off-by-one in blit_region_is_unsafe
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Message-id: <1486462072-32174-2-git-send-email-kraxel@redhat.com>
|
|
|
9ae3a8 |
Patchwork-id: 73564
|
|
|
9ae3a8 |
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] cirrus_vga: fix off-by-one in blit_region_is_unsafe
|
|
|
9ae3a8 |
Bugzilla: 1418233
|
|
|
9ae3a8 |
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
The "max" value is being compared with >=, but addr + width points to
|
|
|
9ae3a8 |
the first byte that will _not_ be copied. Laszlo suggested using a
|
|
|
9ae3a8 |
"greater than" comparison, instead of subtracting one like it is
|
|
|
9ae3a8 |
already done above for the height, so that max remains always positive.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
The mistake is "safe"---it will reject some blits, but will never cause
|
|
|
9ae3a8 |
out-of-bounds writes.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
9ae3a8 |
Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com
|
|
|
9ae3a8 |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
(cherry picked from commit d2ba7ecb348d3b996fcd920cf1ca7b72722c1dfd)
|
|
|
9ae3a8 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
hw/display/cirrus_vga.c | 4 ++--
|
|
|
9ae3a8 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
|
|
9ae3a8 |
index 717ecdb..c42dfcf 100644
|
|
|
9ae3a8 |
--- a/hw/display/cirrus_vga.c
|
|
|
9ae3a8 |
+++ b/hw/display/cirrus_vga.c
|
|
|
9ae3a8 |
@@ -272,14 +272,14 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
|
|
9ae3a8 |
+ ((int64_t)s->cirrus_blt_height-1) * pitch;
|
|
|
9ae3a8 |
int32_t max = addr
|
|
|
9ae3a8 |
+ s->cirrus_blt_width;
|
|
|
9ae3a8 |
- if (min < 0 || max >= s->vga.vram_size) {
|
|
|
9ae3a8 |
+ if (min < 0 || max > s->vga.vram_size) {
|
|
|
9ae3a8 |
return true;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
} else {
|
|
|
9ae3a8 |
int64_t max = addr
|
|
|
9ae3a8 |
+ ((int64_t)s->cirrus_blt_height-1) * pitch
|
|
|
9ae3a8 |
+ s->cirrus_blt_width;
|
|
|
9ae3a8 |
- if (max >= s->vga.vram_size) {
|
|
|
9ae3a8 |
+ if (max > s->vga.vram_size) {
|
|
|
9ae3a8 |
return true;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.8.3.1
|
|
|
9ae3a8 |
|