[PATCH] ati-vga: Fix check for overflowing vram

BALATON Zoltan posted 1 patch 3 days, 15 hours ago
hw/display/ati_2d.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
[PATCH] ati-vga: Fix check for overflowing vram
Posted by BALATON Zoltan 3 days, 15 hours ago
Take into account the bytes per pixel when checking for accesses
beyond the end of the vram area.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
---
 hw/display/ati_2d.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index f0f77cecc6..2450bb5e74 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -146,6 +146,7 @@ static uint32_t make_filler(int bpp, uint32_t color)
 static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
 {
     QemuRect vis_src, vis_dst;
+    unsigned int x, y, i, j, bypp = ctx->bpp / 8;
 
     if (!ctx->bpp) {
         qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
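Review bot: `bypp = ctx->bpp / 8` in the new declaration truncates any bpp that is not a multiple of 8, so a 15 bpp value would give bypp 1 for a 2-byte pixel and a bpp below 8 would give bypp 0, which makes the `x * bypp` terms in the range checks that follow vanish. Whether such values are already normalised or rejected by the validation between this hunk and the next is not visible in the diff; if they are not, `bypp = DIV_ROUND_UP(ctx->bpp, 8);` or rejecting `ctx->bpp < 8 || ctx->bpp % 8` alongside the zero check keeps the bounds check conservative. The initialiser runs before the `!ctx->bpp` guard, which is harmless (division by a constant) but worth a comment such as `/* bpp validated below; bypp is only used after the checks pass */`. ati_2d_do_blt continues beyond this hunk.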
@@ -156,7 +157,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
         return false;
     }
     if (ctx->dst.x > 0x3fff || ctx->dst.y > 0x3fff ||
-        ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x +
+        ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x * bypp +
         (ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end) {
         qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
         return false;
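Review bot: The new dst bound on the `ctx->dst_bits + ctx->dst.x * bypp + (ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end` line still ignores `ctx->dst.width`: the fallback loop later in the function starts each row at `vis_dst.x * bypp + (vis_dst.y + y) * ctx->dst_stride` and advances `bypp` per pixel for `vis_dst.width` pixels, so the last byte written is at `dst.x * bypp + (dst.y + dst.height - 1) * dst_stride + dst.width * bypp`, which the check only covers when `dst.width * bypp <= dst_stride`. Stride and width both appear to come from guest-programmable registers, so unless that relation is enforced elsewhere (not visible in this diff) a guest can pick a small stride and a large width and write past vram_end even with this check in place. Adding `ctx->dst.width * bypp > ctx->dst_stride ||` to the condition closes the gap without changing the existing expression. `dst.height` is also not capped the way `dst.x`/`dst.y` are, so if the operands are 32-bit the `(dst.y + dst.height) * dst_stride` product can wrap; computing the bound in a 64-bit type before the comparison is worth confirming. The enclosing function starts before and continues after this hunk.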
@@ -194,7 +195,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
         }
         if (!ctx->host_data_active &&
             (vis_src.x > 0x3fff || vis_src.y > 0x3fff ||
-            ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x +
+            ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x * bypp +
             (vis_src.y + vis_dst.height) * ctx->src_stride >= ctx->vram_end)) {
             qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
             return false;
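Review bot: The src bound `ctx->src_bits + vis_src.x * bypp + (vis_src.y + vis_dst.height) * ctx->src_stride >= ctx->vram_end` has the same blind spot as the dst check: it bounds the start of the row after the last one read but not the `vis_dst.width * bypp` bytes read within that row, so it is only sufficient when a row fits in `src_stride`; adding `vis_dst.width * bypp > ctx->src_stride ||` to the condition closes that. The operand types are not visible here; if `src_bits`, `src_stride` and `vis_dst.height` are 32-bit and guest-controlled, the product can wrap and the comparison pass (`vis_src.y` is capped at 0x3fff but height and stride are not), so evaluating the bound in `uint64_t`/`hwaddr` before comparing is worth checking. The whole check is skipped when `ctx->host_data_active`, which is only safe if that path never reads vram through `src_bits`; where it is bounded is outside this hunk. ati_2d_do_blt continues beyond the hunk.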
@@ -240,7 +241,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
             fallback = true;
         }
         if (fallback) {
-            unsigned int y, i, j, bypp = ctx->bpp / 8;
             for (y = 0; y < vis_dst.height; y++) {
                 i = vis_dst.x * bypp;
                 j = vis_src.x * bypp;
@@ -299,7 +299,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
 #endif
         {
             /* fallback when pixman failed or we don't want to call it */
-            unsigned int x, y, i, bypp = ctx->bpp / 8;
             for (y = 0; y < vis_dst.height; y++) {
                 i = vis_dst.x * bypp + (vis_dst.y + y) * ctx->dst_stride;
                 for (x = 0; x < vis_dst.width; x++, i += bypp) {
-- 
2.41.3
Re: [PATCH] ati-vga: Fix check for overflowing vram
Posted by Marc-André Lureau 2 days, 22 hours ago
On Wed, Apr 8, 2026 at 5:29 AM BALATON Zoltan <balaton@eik.bme.hu> wrote:
>
> Take into account the bytes per pixels when checking for accessing
> beyond end of vram area.
>
> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  hw/display/ati_2d.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
> index f0f77cecc6..2450bb5e74 100644
> --- a/hw/display/ati_2d.c
> +++ b/hw/display/ati_2d.c
> @@ -146,6 +146,7 @@ static uint32_t make_filler(int bpp, uint32_t color)
>  static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
>  {
>      QemuRect vis_src, vis_dst;
> +    unsigned int x, y, i, j, bypp = ctx->bpp / 8;
>
>      if (!ctx->bpp) {
>          qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
> @@ -156,7 +157,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
>          return false;
>      }
>      if (ctx->dst.x > 0x3fff || ctx->dst.y > 0x3fff ||
> -        ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x +
> +        ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x * bypp +
>          (ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end) {
>          qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
>          return false;
> @@ -194,7 +195,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
>          }
>          if (!ctx->host_data_active &&
>              (vis_src.x > 0x3fff || vis_src.y > 0x3fff ||
> -            ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x +
> +            ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x * bypp +
>              (vis_src.y + vis_dst.height) * ctx->src_stride >= ctx->vram_end)) {
>              qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
>              return false;
> @@ -240,7 +241,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
>              fallback = true;
>          }
>          if (fallback) {
> -            unsigned int y, i, j, bypp = ctx->bpp / 8;
>              for (y = 0; y < vis_dst.height; y++) {
>                  i = vis_dst.x * bypp;
>                  j = vis_src.x * bypp;
> @@ -299,7 +299,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
>  #endif
>          {
>              /* fallback when pixman failed or we don't want to call it */
> -            unsigned int x, y, i, bypp = ctx->bpp / 8;
>              for (y = 0; y < vis_dst.height; y++) {
>                  i = vis_dst.x * bypp + (vis_dst.y + y) * ctx->dst_stride;
>                  for (x = 0; x < vis_dst.width; x++, i += bypp) {
> --
> 2.41.3
>