[PULL 08/11] ati-vga: Add upper limit to x-linear-aper-size property

Philippe Mathieu-Daudé posted 11 patches 1 day, 9 hours ago
Maintainers: Gerd Hoffmann <kraxel@redhat.com>, Stefano Garzarella <sgarzare@redhat.com>, Ani Sinha <anisinha@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Helge Deller <deller@gmx.de>, Nicholas Piggin <npiggin@gmail.com>, Aditya Gupta <adityag@linux.ibm.com>, Glenn Miles <milesg@linux.ibm.com>, Paolo Bonzini <pbonzini@redhat.com>, Zhao Liu <zhao1.liu@intel.com>, Huacai Chen <chenhuacai@kernel.org>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Aurelien Jarno <aurelien@aurel32.net>, Jiaxun Yang <jiaxun.yang@flygoat.com>, Aleksandar Rikalo <arikalo@gmail.com>
Posted by Philippe Mathieu-Daudé 1 day, 9 hours ago
From: BALATON Zoltan <balaton@eik.bme.hu>

Coverity warns in CID 1645968 about possible integer overflow. This
should never happen but to ensure that, add an upper limit on the
x-linear-aper-size. This may not silence the warning but makes sure
users cannot cause an overflow.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <541ffffdaa4c67b9dcbca6c2498e69b137bce95d.1774904832.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/display/ati.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/display/ati.c b/hw/display/ati.c
index fc19737d1f0..97d871b1e22 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -1130,6 +1130,10 @@ static void ati_vga_realize(PCIDevice *dev, Error **errp)
             s->linear_aper_sz = ATI_R100_LINEAR_APER_SIZE;
         }
     }
+    if (s->linear_aper_sz > 256 * MiB) {
+        error_setg(errp, "x-linear-aper-size is too large (maximum 256 MiB)");
+        return;
+    }
     if (s->linear_aper_sz < 16 * MiB) {
         error_setg(errp, "x-linear-aper-size is too small (minimum 16 MiB)");
         return;
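
Review bot: the new `if (s->linear_aper_sz > 256 * MiB)` check carries no comment saying why 256 MiB is the ceiling or which later computation it protects, so the link to the overflow concern in the commit message is lost once someone reads the code on its own. A one-line comment above the check naming the overflow it rules out would help, especially since the message notes that the Coverity warning may remain and a future reader could take the bound for arbitrary. The limit is also written twice, once in the condition and once in the error string, as is the existing 16 MiB minimum. Named constants next to ATI_R100_LINEAR_APER_SIZE would keep the two checks and their messages from drifting apart.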
-- 
2.53.0