From nobody Mon Apr 29 08:37:09 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as
 permitted sender) client-ip=208.118.235.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zoho.com;
	spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by
 mx.zohomail.com
	with SMTPS id 1489473653023415.7389598998318;
 Mon, 13 Mar 2017 23:40:53 -0700 (PDT)
Received: from localhost ([::1]:56676 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1cng8Z-000080-3r
	for importer@patchew.org; Tue, 14 Mar 2017 02:40:51 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47195)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <hangaohuai@huawei.com>) id 1cng86-00007u-2f
	for qemu-devel@nongnu.org; Tue, 14 Mar 2017 02:40:23 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <hangaohuai@huawei.com>) id 1cng82-0000Of-UV
	for qemu-devel@nongnu.org; Tue, 14 Mar 2017 02:40:22 -0400
Received: from [45.249.212.187] (port=2999 helo=dggrg01-dlp.huawei.com)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.71)
	(envelope-from <hangaohuai@huawei.com>) id 1cng81-0000Mi-LK
	for qemu-devel@nongnu.org; Tue, 14 Mar 2017 02:40:18 -0400
Received: from 172.30.72.55 (EHLO DGGEML402-HUB.china.huawei.com)
	([172.30.72.55])
	by dggrg01-dlp.huawei.com (MOS 4.4.6-GA FastPath queued)
	with ESMTP id AKT04992; Tue, 14 Mar 2017 14:40:05 +0800 (CST)
Received: from localhost (10.177.23.7) by DGGEML402-HUB.china.huawei.com
	(10.3.17.38) with Microsoft SMTP Server id 14.3.301.0; Tue, 14 Mar 2017
	14:39:54 +0800
From: hangaohuai <hangaohuai@huawei.com>
To: <qemu-devel@nongnu.org>
Date: Tue, 14 Mar 2017 14:39:19 +0800
Message-ID: <20170314063919.16200-1-hangaohuai@huawei.com>
X-Mailer: git-send-email 2.8.3.windows.1
MIME-Version: 1.0
X-Originating-IP: [10.177.23.7]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
	refid=str=0001.0A090203.58C79046.00E4, ss=1, re=0.000, recu=0.000,
	reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0,
	so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 0925c3441227fcebb00d529f4e57e35d
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic]
	[fuzzy]
X-Received-From: 45.249.212.187
Subject: [Qemu-devel] [PATCH for-2.9 v2] fix :cirrus_vga fix OOB read case
 qemu Segmentation fault
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: fangying1@huawei.com, hangaohuai@huawei.com, arei.gonglei@huawei.com,
	kraxel@redhat.com
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu Segme=
ntation fault.

After the fix, we will touch the assert in
cirrus_invalidate_region:
assert(off_cur_end >=3D off_cur);

Signed-off-by: fangying <fangying1@huawei.com>
Signed-off-by: hangaohuai <hangaohuai@huawei.com>
---
Changes from v1:
 - Add bltheight check. [Gerd Hoffmann]

 hw/display/cirrus_vga_rop.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index 0925a00..b7447f8 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -97,6 +97,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(C=
irrusVGAState *s,
     uint8_t p;
     dstpitch -=3D bltwidth;
     srcpitch -=3D bltwidth;
+
+    if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
+        return;
+    }
+
     for (y =3D 0; y < bltheight; y++) {
         for (x =3D 0; x < bltwidth; x++) {
 	    p =3D *dst;
@@ -143,6 +148,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16=
)(CirrusVGAState *s,
     uint8_t p1, p2;
     dstpitch -=3D bltwidth;
     srcpitch -=3D bltwidth;
+
+    if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
+        return;
+    }
+
     for (y =3D 0; y < bltheight; y++) {
         for (x =3D 0; x < bltwidth; x+=3D2) {
 	    p1 =3D *dst;
--=20
1.8.3.1