[Qemu-devel] [PATCH] cirrus: fix oob access in mode4and5 write functions

Gerd Hoffmann posted 1 patch 49 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20171011071423.20179-1-kraxel@redhat.com
Test checkpatch failed
Test docker passed
Test s390x passed
hw/display/cirrus_vga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

[Qemu-devel] [PATCH] cirrus: fix oob access in mode4and5 write functions

Posted by Gerd Hoffmann 49 weeks ago
Move dst calculation into the loop, so we apply the mask on each
iteration and will not overflow vga memory.

Cc: Prasad J Pandit <pjp@fedoraproject.org>
Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/cirrus_vga.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index afc290ab91..cf096df90f 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
+	dst = s->vga.vram_ptr + ((offset+x) & s->cirrus_addr_mask);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	} else if (mode == 5) {
 	    *dst = s->cirrus_shadow_gr0;
 	}
 	val <<= 1;
-	dst++;
     }
     memory_region_set_dirty(&s->vga.vram, offset, 8);
 }
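Review bot: the memory_region_set_dirty(&s->vga.vram, offset, 8) call at the end of this hunk now sees the unmasked offset, because the removed line was also the one that masked it in place via `(offset &= s->cirrus_addr_mask)`; either mask offset once before the loop (`offset &= s->cirrus_addr_mask;`) and keep the per-iteration `(offset + x) & s->cirrus_addr_mask`, or document that the caller guarantees offset is already within the mask. Note also that an 8-byte run wrapping at the end of VRAM is still dirtied as one contiguous range starting at offset. Style: the added line uses a tab for indentation and lacks spaces around `+` in `offset+x`; checkpatch flags both, so use four spaces and `offset + x`.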
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
+	dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	    *(dst + 1) = s->vga.gr[0x11];
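Review bot: the `& ~1` on the added line is what keeps dst even so that the `*(dst + 1)` write in the context line below stays inside the masked range rather than landing one byte past it; that dependency is not obvious from the expression and deserves a short comment next to it. As in the 8bpp hunk, dropping the `offset &=` form means offset itself is no longer masked in this function. The added line also uses a tab for indentation, which checkpatch rejects.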
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
 	    *(dst + 1) = s->vga.gr[0x10];
 	}
 	val <<= 1;
-	dst += 2;
     }
     memory_region_set_dirty(&s->vga.vram, offset, 16);
 }
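Review bot: memory_region_set_dirty(&s->vga.vram, offset, 16) here has the same issue as the 8bpp variant: offset is no longer masked anywhere in this function after the earlier hunk removed `offset &= s->cirrus_addr_mask`, and a 16-byte run that wraps at the end of VRAM is dirtied as a single contiguous range from offset instead of the two pieces actually written. Suggest masking offset once before the loop so both the per-pixel addresses and the dirty range agree.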
-- 
2.9.3
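To make the effect of the patch concrete, here is a small constructed model of the 8bpp write path (added example, not code from the patch or from QEMU): ADDR_MASK is an assumed small mask standing in for s->cirrus_addr_mask, the model VRAM is ADDR_MASK + 1 bytes, and old_write_indices records the pre-patch "mask once, then dst++" addressing while new_mode4and5_write performs the patched per-iteration masking.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: VRAM of (ADDR_MASK + 1) bytes, so any index above
 * ADDR_MASK is an out-of-bounds access. ADDR_MASK is an assumed value for
 * illustration; the real s->cirrus_addr_mask is much larger. */
#define ADDR_MASK 0xFFu
#define VRAM_SIZE (ADDR_MASK + 1)

/* Pre-patch addressing: mask once, then advance the pointer 8 times.
 * Records the byte index of each write and returns how many of them
 * fall outside the model VRAM (nothing is written here). */
int old_write_indices(uint32_t offset, size_t idx[8])
{
    size_t dst = offset & ADDR_MASK;
    int oob = 0;
    for (int x = 0; x < 8; x++) {
        idx[x] = dst;
        if (dst >= VRAM_SIZE)
            oob++;
        dst++;               /* no mask here: can walk past the end */
    }
    return oob;
}

/* Patched addressing: mask on every iteration, so the address wraps inside
 * VRAM instead of running past its end. Applies the mode 4/5 8bpp write
 * semantics to the model buffer and returns the number of bytes written. */
int new_mode4and5_write(uint8_t *vram, uint32_t offset, uint8_t val,
                        int mode, uint8_t gr0, uint8_t gr1)
{
    int written = 0;
    for (int x = 0; x < 8; x++) {
        uint8_t *dst = vram + ((offset + x) & ADDR_MASK);
        if (val & 0x80) {        /* set bit: foreground (shadow gr1) */
            *dst = gr1;
            written++;
        } else if (mode == 5) {  /* clear bit, mode 5 only: background */
            *dst = gr0;
            written++;
        }
        val <<= 1;
    }
    return written;
}
```

With an offset four bytes before the end of the model VRAM, the old addressing reaches indices 0x100..0x103, while the patched loop wraps the last four writes to indices 0x00..0x03.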


Re: [Qemu-devel] [PATCH] cirrus: fix oob access in mode4and5 write functions

Posted by no-reply@patchew.org 49 weeks ago
Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20171011071423.20179-1-kraxel@redhat.com
Subject: [Qemu-devel] [PATCH] cirrus: fix oob access in mode4and5 write functions

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

git config --local diff.renamelimit 0
git config --local diff.renames True

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
    echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
    if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
        failed=1
        echo
    fi
    n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 t [tag update]            patchew/20171011000649.22012-1-david@gibson.dropbear.id.au -> patchew/20171011000649.22012-1-david@gibson.dropbear.id.au
Switched to a new branch 'test'
cb458ab691 cirrus: fix oob access in mode4and5 write functions

=== OUTPUT BEGIN ===
Checking PATCH 1/1: cirrus: fix oob access in mode4and5 write functions...
ERROR: code indent should never use tabs
#24: FILE: hw/display/cirrus_vga.c:2042:
+^Idst = s->vga.vram_ptr + ((offset+x) & s->cirrus_addr_mask);$

ERROR: spaces required around that '+' (ctx:VxV)
#24: FILE: hw/display/cirrus_vga.c:2042:
+	dst = s->vga.vram_ptr + ((offset+x) & s->cirrus_addr_mask);
 	                                ^

ERROR: code indent should never use tabs
#41: FILE: hw/display/cirrus_vga.c:2063:
+^Idst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);$

total: 3 errors, 0 warnings, 32 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@freelists.org