From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Wolfgang Bumiller, Gerd Hoffmann
Date: Thu, 2 Feb 2017 16:05:04 +0100
Subject: [Qemu-devel] [PULL 1/4] cirrus: handle negative pitch in cirrus_invalidate_region()

From: Wolfgang Bumiller

cirrus_invalidate_region() calls memory_region_set_dirty() on a per-line basis, always ranging from off_begin to off_begin+bytesperline. With a negative pitch off_begin marks the top most used address and thus we need to do an initial shift backwards by a line for negative pitches of backward blits, otherwise the first iteration covers the line going from the start offset forwards instead of backwards.

Additionally since the start address is inclusive, if we shift by a full `bytesperline` we move to the first address *not* included in the blit, so we only shift by one less than bytesperline.

Signed-off-by: Wolfgang Bumiller
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
[ kraxel: codestyle fixes ]
Signed-off-by: Gerd Hoffmann --- hw/display/cirrus_vga.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 379910d..0f05e45 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c 
@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * = s, int off_begin, int off_cur; int off_cur_end; =20 + if (off_pitch < 0) { + off_begin -=3D bytesperline - 1; + } + for (y =3D 0; y < lines; y++) { off_cur =3D off_begin; off_cur_end =3D (off_cur + bytesperline) & s->cirrus_addr_mask; + assert(off_cur_end >=3D off_cur); memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_c= ur); off_begin +=3D off_pitch; } --=20 1.8.3.1
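Review bot: In the cirrus_invalidate_region() hunk, the new assert(off_cur_end >= off_cur) compares an end offset that has been masked with s->cirrus_addr_mask against a start offset that has not. When off_cur + bytesperline runs past the mask, the masked end wraps below the start and the assert aborts the whole process over a dirty-tracking update; when off_cur has gone negative (nothing in the hunk prevents that after off_begin -= bytesperline - 1 and repeated off_begin += off_pitch), the assert passes and the negative offset still reaches memory_region_set_dirty(). Consider masking or clamping off_cur as well and skipping a line that falls outside the range, rather than asserting.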
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Wolfgang Bumiller, Gerd Hoffmann
Date: Thu, 2 Feb 2017 16:05:05 +0100
Subject: [Qemu-devel] [PULL 2/4] cirrus: allow zero source pitch in pattern fill rops

From: Wolfgang Bumiller

The rops used by cirrus_bitblt_common_patterncopy only use the destination pitch, so the source pitch should be allowed to be zero and the blit width used for the range check around the source address.

Signed-off-by: Wolfgang Bumiller
Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
Signed-off-by: Gerd Hoffmann --- hw/display/cirrus_vga.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 0f05e45..98f089e 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState = *s); static bool blit_region_is_unsafe(struct CirrusVGAState *s, int32_t pitch, int32_t addr) { - if (!pitch) { - return true; - } if (pitch < 0) { int64_t min =3D addr + ((int64_t)s->cirrus_blt_height-1) * pitch; @@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAStat= e *s, return false; } =20 -static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) +static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, + bool zero_src_pitch_ok) { + int32_t check_pitch; + /* should be the case, see cirrus_bitblt_start */ assert(s->cirrus_blt_width > 0); assert(s->cirrus_blt_height > 0); @@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, b= ool dst_only) return true; } =20 + if (!s->cirrus_blt_dstpitch) { + return true; + } + if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, s->cirrus_blt_dstaddr & s->cirrus_addr_mask)= ) { return true; @@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, b= ool dst_only) if (dst_only) { return false; } - if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, + + check_pitch =3D s->cirrus_blt_srcpitch; + if (!zero_src_pitch_ok && !check_pitch) { + check_pitch =3D s->cirrus_blt_width; + } + + if (blit_region_is_unsafe(s, check_pitch, s->cirrus_blt_srcaddr & s->cirrus_addr_mask)= ) { return true; } 
@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGASt= ate * s, =20 dst =3D s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask= ); =20 - if (blit_is_unsafe(s, false)) + if (blit_is_unsafe(s, false, true)) { return 0; + } =20 (*s->cirrus_rop) (s, dst, src, s->cirrus_blt_dstpitch, 0, @@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, i= nt blt_rop) { cirrus_fill_t rop_func; =20 - if (blit_is_unsafe(s, true)) { + if (blit_is_unsafe(s, true, true)) { return 0; } rop_func =3D cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwid= th - 1]; 
@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, i= nt src, int w, int h) =20 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) { - if (blit_is_unsafe(s, false)) + if (blit_is_unsafe(s, false, false)) return 0; =20 return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --=20 1.8.3.1
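Review bot: In the blit_is_unsafe() hunk at @@ -311,7 +315,13, the name zero_src_pitch_ok suggests that passing false rejects a zero source pitch, but the code does not return true in that case; it substitutes s->cirrus_blt_width as check_pitch and carries on with the range check. A short comment above the substitution saying why the width is the right stand-in for a zero pitch, or a name closer to what the flag does, would keep the next reader from assuming the blit is refused.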
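Review bot: In the cirrus_bitblt_solidfill() hunk, blit_is_unsafe(s, true, true) passes a third argument that is never read: with dst_only set, the function returns false before check_pitch is computed. Two adjacent bare bools also make the call sites hard to audit (compare (s, false, true) and (s, false, false) in the neighbouring hunks); a small flags enum, or at least a comment per call, would make the intended check visible at the call.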
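Review bot: In the cirrus_bitblt_videotovideo_copy() hunk, the changed line keeps the unbraced form, if (blit_is_unsafe(s, false, false)) return 0;, while the same edit in cirrus_bitblt_common_patterncopy() added braces. Since the line is being touched anyway, brace it here too so the two safety checks read alike.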
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Thu, 2 Feb 2017 16:05:06 +0100
Subject: [Qemu-devel] [PULL 3/4] cirrus: fix blit address mask handling

Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr right after assigning them, in cirrus_bitblt_start(), instead of having this all over the place in the cirrus code, and missing a few places.

Reported-by: Wolfgang Bumiller
Signed-off-by: Gerd Hoffmann
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
--- hw/display/cirrus_vga.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 98f089e..7db6409 100644
--- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bo= ol dst_only, } =20 if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, - s->cirrus_blt_dstaddr & s->cirrus_addr_mask)= ) { + s->cirrus_blt_dstaddr)) { return true; } if (dst_only) { @@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bo= ol dst_only, } =20 if (blit_region_is_unsafe(s, check_pitch, - s->cirrus_blt_srcaddr & s->cirrus_addr_mask)= ) { + s->cirrus_blt_srcaddr)) { return true; } =20 @@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGASt= ate * s, { uint8_t *dst; =20 - dst =3D s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask= ); + dst =3D s->vga.vram_ptr + s->cirrus_blt_dstaddr; =20 if (blit_is_unsafe(s, false, true)) { return 0; @@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, i= nt blt_rop) return 0; } rop_func =3D cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwid= th - 1]; - rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_= mask), + rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_width, s->cirrus_blt_height); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, @@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, i= nt blt_rop) =20 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) { - return cirrus_bitblt_common_patterncopy(s, - s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) & - s->cirrus_addr_mask)); + return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr + + (s->cirrus_blt_srcaddr & ~7)); } =20 static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int = h) 
@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, = int src, int w, int h) if (notify) graphic_hw_update(s->vga.con); =20 - (*s->cirrus_rop) (s, s->vga.vram_ptr + - (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), - s->vga.vram_ptr + - (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), + (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr, + s->vga.vram_ptr + s->cirrus_blt_srcaddr, s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height); =20 @@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAStat= e * s) } else { /* at least one scan line */ do { - (*s->cirrus_rop)(s, s->vga.vram_ptr + - (s->cirrus_blt_dstaddr & s->cirrus_addr_m= ask), + (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstadd= r, s->cirrus_bltbuf, 0, 0, s->cirrus_blt_wi= dth, 1); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, s->cirrus_blt_width, 1); 
@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s) s->cirrus_blt_modeext =3D s->vga.gr[0x33]; blt_rop =3D s->vga.gr[0x32]; =20 + s->cirrus_blt_dstaddr &=3D s->cirrus_addr_mask; + s->cirrus_blt_srcaddr &=3D s->cirrus_addr_mask; + #ifdef DEBUG_BITBLT printf("rop=3D0x%02x mode=3D0x%02x modeext=3D0x%02x w=3D%d h=3D%d dpit= ch=3D%d spitch=3D%d daddr=3D0x%08x saddr=3D0x%08x writemask=3D0x%02x\n", blt_rop, --=20 1.8.3.1
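Review bot: In the cirrus_bitblt_cputovideo_next() hunk, the rop call now uses s->vga.vram_ptr + s->cirrus_blt_dstaddr with no mask, inside a do-loop that handles one scan line per iteration. The hunk does not show whether cirrus_blt_dstaddr is advanced between iterations; if it is, the single mask applied in cirrus_bitblt_start() covers only the first line and later lines index vram unmasked. Either re-apply the mask where the address is advanced, or state in a comment why the address cannot leave the masked range here.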
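Review bot: In the cirrus_bitblt_start() hunk, the two &= s->cirrus_addr_mask lines now carry an invariant that every unmasked vram_ptr + address expression in this patch depends on, yet nothing at the assignment says so. Add a comment there that cirrus_blt_dstaddr and cirrus_blt_srcaddr must stay within the mask from this point on, and consider having blit_is_unsafe() return true when either address is outside it, so a later path that changes the addresses without re-masking is refused rather than trusted.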
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Wolfgang Bumiller, Li Qiang, qemu-stable@nongnu.org, P J P, Gerd Hoffmann, Paolo Bonzini, Laszlo Ersek
Date: Thu, 2 Feb 2017 16:05:07 +0100
Subject: [Qemu-devel] [PULL 4/4] cirrus: fix oob access issue (CVE-2017-2615)

From: Li Qiang

When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] Cc: qemu-stable@nongnu.org Cc: P J P Cc: Laszlo Ersek Cc: Paolo Bonzini Cc: Wolfgang Bumiller Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) Signed-off-by: Gerd Hoffmann Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com Reviewed-by: Laszlo Ersek --- hw/display/cirrus_vga.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 7db6409..16f27e8 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAStat= e *s, { if (pitch < 0) { int64_t min =3D addr - + ((int64_t)s->cirrus_blt_height-1) * pitch; - int32_t max =3D addr - + s->cirrus_blt_width; - if (min < 0 || max > s->vga.vram_size) { + + ((int64_t)s->cirrus_blt_height - 1) * pitch + - s->cirrus_blt_width; + if (min < -1 || addr >=3D s->vga.vram_size) { return true; } } else { --=20 1.8.3.1
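Review bot: In the blit_region_is_unsafe() hunk, the bound min < -1 works only because the full s->cirrus_blt_width is subtracted from an inclusive top address, which leaves min one below the lowest byte the blit touches; nothing in the code says so, and it reads as an off-by-one. Subtracting s->cirrus_blt_width - 1 and testing min < 0 would express the same check directly; otherwise keep the arithmetic and add a comment explaining the -1. A comment on addr >= s->vga.vram_size noting that addr is the topmost address for backward blits (as the kraxel remark in the commit message says) would also help, since the old test on addr + s->cirrus_blt_width is gone.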