From nobody Thu Mar 28 12:25:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (208.118.235.17 [208.118.235.17]) by mx.zohomail.com with SMTPS id 1507711501541115.63567499462317; Wed, 11 Oct 2017 01:45:01 -0700 (PDT) Received: from localhost ([::1]:39375 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e2CdM-0002rQ-Ol for importer@patchew.org; Wed, 11 Oct 2017 04:44:56 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35001) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1e2Cbw-0001xH-PD for qemu-devel@nongnu.org; Wed, 11 Oct 2017 04:43:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1e2Cbs-0004Mn-L3 for qemu-devel@nongnu.org; Wed, 11 Oct 2017 04:43:28 -0400 Received: from mx1.redhat.com ([209.132.183.28]:27425) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1e2Cbs-0004MS-EF for qemu-devel@nongnu.org; Wed, 11 Oct 2017 04:43:24 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6FF35C058ECD; Wed, 11 Oct 2017 08:43:23 +0000 (UTC) Received: from sirius.home.kraxel.org (ovpn-116-239.ams2.redhat.com [10.36.116.239]) by smtp.corp.redhat.com (Postfix) with ESMTP id 04CE662929; Wed, 11 Oct 2017 08:43:21 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 386BA16A880; Wed, 11 Oct 2017 10:43:20 +0200 (CEST) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 6FF35C058ECD Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=kraxel@redhat.com From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Wed, 11 Oct 2017 10:43:14 +0200 Message-Id: <20171011084314.21752-1-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Wed, 11 Oct 2017 08:43:23 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v2] cirrus: fix oob access in mode4and5 write functions X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann , niuguoxiang@huawei.com, Prasad J Pandit Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Move dst calculation into the loop, so we apply the mask on each interation and will not overflow vga memory. Cc: Prasad J Pandit Reported-by: Niu Guoxiang Signed-off-by: Gerd Hoffmann --- hw/display/cirrus_vga.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index afc290ab91..077a8cb74f 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(Cirrus= VGAState * s, unsigned val =3D mem_value; uint8_t *dst; =20 - dst =3D s->vga.vram_ptr + (offset &=3D s->cirrus_addr_mask); for (x =3D 0; x < 8; x++) { + dst =3D s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask); if (val & 0x80) { *dst =3D s->cirrus_shadow_gr1; } else if (mode =3D=3D 5) { *dst =3D s->cirrus_shadow_gr0; } val <<=3D 1; - dst++; } memory_region_set_dirty(&s->vga.vram, offset, 8); } @@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusV= GAState * s, unsigned val =3D mem_value; uint8_t *dst; =20 - dst =3D s->vga.vram_ptr + (offset &=3D s->cirrus_addr_mask); for (x =3D 0; x < 8; x++) { + dst =3D s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask = & ~1); if (val & 0x80) { *dst =3D s->cirrus_shadow_gr1; *(dst + 1) =3D s->vga.gr[0x11]; @@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusV= GAState * s, *(dst + 1) =3D s->vga.gr[0x10]; } val <<=3D 1; - dst +=3D 2; } memory_region_set_dirty(&s->vga.vram, offset, 16); } --=20 2.9.3