From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Subject: [PATCH 1/2] hw/display/cirrus_vga: Fix packed-24 color-expansion transparent pattern fills
Date: Fri, 10 Apr 2026 19:32:48 +0100
Message-ID: <20260410183249.4046456-2-peter.maydell@linaro.org>
In-Reply-To: <20260410183249.4046456-1-peter.maydell@linaro.org>

The Cirrus Logic VGA card has "pattern fill" blit modes where it repeatedly copies an 8x8 source pattern to the display. For the "color expansion" subtype of these, the source pixel format is an 8x8 monochrome bitmap, and the destination can be any of 8, 16, 24 or 32bpp. We implemented these wrong for the 24bpp case, in a way that results in a complaint from the undefined-behavior sanitizer about a shift by a negative value.

For these pattern fills, the GR2F register includes a field which specifies how much to skip at the start of each scanline. In the 8, 16 and 32 bit cases, this field is 3 bits and is a count of pixels to skip. We get this case right.

However, for the 24 bit case, the field is 5 bits and is a count of destination bytes to skip. We tried to add support for 24-bits in commit ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)") in 2005. However we got this wrong, because when we need to skip, for example, 30 bytes in the destination, this is 10 input pixels but the whole pattern is only 8 pixels wide, and we ended up with a negative bitpos for the first bit to use in the pattern.

Fix the bug by masking srcskipleft in the 24-bit case so that it correctly gives the first pixel to use in the pattern even if we skip so many pixels that we have wrapped around to what would have been the second copy of the pattern to the destination.

This patch was produced based on the information in the CL-GD5446 Technical Reference Manual, specifically sections 5.8 "GR2F: BLT Destination Left-Side Clipping" and 9.4.8 "Pattern Fills".

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3377
Fixes: ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)")
Signed-off-by: Peter Maydell

--- hw/display/cirrus_vga_rop2.h | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h index b208b7348a..8be35ec6e2 100644 --- a/hw/display/cirrus_vga_rop2.h +++ b/hw/display/cirrus_vga_rop2.h
@@ -191,10 +191,29 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, RO= P_NAME), _),DEPTH) int x, y, bitpos, pattern_y; unsigned int bits, bits_xor; unsigned int col; + + /* + * Copy from an 8x8 monochrome pattern with color expansion. + */ + #if DEPTH =3D=3D 24 + /* + * For packed-24 modes, GR2F bits [4:0] are a count of destination + * bytes to be suppressed for each scanline, which we keep in + * dstskipleft. Our srcskipleft is the number of pixels to skip + * within the 8x8 source pattern to match up with that number + * of suppressed bytes. As the pattern repeats every 8 bits we + * take the number of pixels mod 8. + */ int dstskipleft =3D s->vga.gr[0x2f] & 0x1f; - int srcskipleft =3D dstskipleft / 3; + int srcskipleft =3D (dstskipleft / 3) & 0x7; #else + /* + * In all other modes, GR2F bits [2:0] are a count of how many + * destination pixels to suppress for each scanline, which is our + * srcskipleft. We get dstskipleft, the number of bytes to skip, + * by multiplying this by the bytes-per-pixel. 
+ */ int srcskipleft =3D s->vga.gr[0x2f] & 0x07; int dstskipleft =3D srcskipleft * (DEPTH / 8); #endif --=20 2.43.0
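
Review bot: In the `#if DEPTH == 24` branch of the [PATCH 1/2] hunk, `(dstskipleft / 3) & 0x7` rounds down whenever the GR2F byte count is not a multiple of 3, and the new comment does not say what is intended for those values. Because the field is masked with 0x1f, dstskipleft is 0..31 and the quotient is 0..10, so the `& 0x7` does keep srcskipleft within the 8-pixel pattern, which matches the negative-bitpos problem the commit message describes. I would add one sentence to the comment stating whether byte counts that are not pixel-aligned are valid per the TRM and that the truncating division is deliberate, so the next reader does not have to rederive it.
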
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Subject: [PATCH 2/2] hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies
Date: Fri, 10 Apr 2026 19:32:49 +0100
Message-ID: <20260410183249.4046456-3-peter.maydell@linaro.org>
In-Reply-To: <20260410183249.4046456-1-peter.maydell@linaro.org>

For the "color expansion" subtype of raster operations, the source pixel format is a monochrome bitmap, and the destination can be any of 8, 16, 24 or 32bpp.

For these pattern operations, the GR2F register includes a field which specifies how much to skip at the start of each scanline. In the 8, 16 and 32 bit cases, this field is 3 bits and is a count of pixels to skip. We get this case right.

However, for the 24 bit case, the field is 5 bits and is a count of destination bytes to skip. In commit ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)") in 2005, we updated the code to (attempt to) handle the 5-bit mask case. However, we don't do the right thing when the 5-bit mask indicates that we need to skip more than 8 bits of the input bitmap: we will right-shift the 0x80 constant completely off the right hand side, and will be off-by-one for all the source bitmap loads.

Fix this by calculating the whole number of input bytes we need to skip and the residual number of bits. In the 8/16/32bpp case the bytes to skip is always zero.

Cc: qemu-stable@nongnu.org
Fixes: ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)")
Signed-off-by: Peter Maydell

--- hw/display/cirrus_vga_rop2.h | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h index 8be35ec6e2..33f9b3b613 100644 --- a/hw/display/cirrus_vga_rop2.h +++ b/hw/display/cirrus_vga_rop2.h
@@ -108,12 +108,34 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME),= _),DEPTH) unsigned int col; unsigned bitmask; unsigned index; + + /* + * Raster ops where the source is a monochrome bitmap with + * color expansion to 8/16/24/32bpp destination. + */ + #if DEPTH =3D=3D 24 + /* + * For packed-24 modes, GR2F bits [4:0] are a count of destination + * bytes to be suppressed for each scanline, which we keep in + * dstskipleft. We want to track the number of whole bytes + * to skip in the source (always either 0 or 1) and the number + * of bits within the byte to skip. + */ int dstskipleft =3D s->vga.gr[0x2f] & 0x1f; - int srcskipleft =3D dstskipleft / 3; + int srcskipleftbits =3D (dstskipleft / 3) & 0x7; + int srcskipleftbytes =3D (dstskipleft / 3) >> 3; #else - int srcskipleft =3D s->vga.gr[0x2f] & 0x07; - int dstskipleft =3D srcskipleft * (DEPTH / 8); + /* + * In all other modes, GR2F bits [2:0] are a count of how many + * destination pixels to suppress for each scanline, which is our + * srcskipleftbits. We get dstskipleft, the number of bytes to + * skip, by multiplying this by the bytes-per-pixel. In these + * modes we never need to skip an entire source byte. + */ + int srcskipleftbits =3D s->vga.gr[0x2f] & 0x07; + int srcskipleftbytes =3D 0; + int dstskipleft =3D srcskipleftbits * (DEPTH / 8); #endif =20 if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) { @@ -125,7 +147,8 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _= ),DEPTH) } =20 for(y =3D 0; y < bltheight; y++) { - bitmask =3D 0x80 >> srcskipleft; + bitmask =3D 0x80 >> srcskipleftbits; + srcaddr +=3D srcskipleftbytes; bits =3D cirrus_src(s, srcaddr++) ^ bits_xor; addr =3D dstaddr + dstskipleft; for (x =3D dstskipleft; x < bltwidth; x +=3D (DEPTH / 8)) { --=20 2.43.0
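
Review bot: In the `#if DEPTH == 24` branch of the first [PATCH 2/2] hunk (@@ -108,12 +108,34), `dstskipleft / 3` is evaluated twice, once for srcskipleftbits and once for srcskipleftbytes, which hides that both values are the low and high parts of one skipped-pixel count. A single named local for the pixel count, split with `& 0x7` and `>> 3`, would read more clearly. The comment's "always either 0 or 1" is correct for the visible code, since the 0x1f mask limits dstskipleft to 31 and the quotient to 10; saying that in the comment would tie the claim to the mask rather than leaving it as an assertion.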
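
Review bot: The added `srcaddr +=3D srcskipleftbytes;` at the top of the `for(y ...)` loop in the second [PATCH 2/2] hunk (@@ -125,7 +147,8) carries no comment, yet it changes how many source bytes each scanline consumes, which is the part of this fix most likely to be misread later. Please add a short comment there saying that the skipped byte belongs to the current scanline's source bitmap, and confirm that any per-row source length accounting outside this hunk (not visible here) still matches. A regression case with a GR2F skip of 24 or more bytes at 24bpp would exercise exactly this path, since that is where the whole-byte skip becomes 1.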