[PATCH v5 8/8] ati-vga: Make sure hardware cursor data is within vram

BALATON Zoltan posted 8 patches 1 day, 13 hours ago
Maintainers: Huacai Chen <chenhuacai@kernel.org>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Jiaxun Yang <jiaxun.yang@flygoat.com>
There is a newer version of this series
[PATCH v5 8/8] ati-vga: Make sure hardware cursor data is within vram
Posted by BALATON Zoltan 1 day, 13 hours ago
Add check to make sure we don't read past the end of vram when getting
mouse pointer image.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
---
 hw/display/ati.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/display/ati.c b/hw/display/ati.c
index c278d11d34..12ef180828 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -151,6 +151,9 @@ static void ati_cursor_define(ATIVGAState *s)
     /* FIXME handle cur_hv_offs correctly */
     srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
              (s->regs.cur_hv_offs & 0xffff) * 16;
+    if (srcoff + 64 * 16 > s->vga.vram_size) {
+        return;
+    }
     for (int i = 0; i < 64; i++, srcoff += 16) {
         if (s->vga.big_endian_fb) {
             data[i] = wswap64(ldq_be_p(&s->vga.vram_ptr[srcoff]));
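Review bot: The added bound `srcoff + 64 * 16 > s->vga.vram_size` can be defeated by wraparound, because srcoff is derived by subtraction from guest-written registers. If srcoff is an unsigned 32-bit value (its declaration is outside the hunk), an underflow leaves it near the top of the range, and adding 1024 wraps to a small number that passes the check while the loads below still index far outside vram. Comparing without the addition closes that gap, e.g. `if (srcoff > s->vga.vram_size || s->vga.vram_size - srcoff < 64 * 16) {`. The same pattern applies to `srcoff + 16 > s->vga.vram_size` in the ati_cursor_draw_line hunk, where the offset is also built from guest-controlled state. ati_cursor_define starts and ends outside this hunk.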
@@ -210,6 +213,9 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
     }
     /* FIXME handle cur_hv_offs correctly */
     srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
+    if (srcoff + 16 > s->vga.vram_size) {
+        return;
+    }
     dp = &dp[vga->hw_cursor_x];
     h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
     abits = ldq_le_p(&vga->vram_ptr[srcoff]);
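Review bot: The new check reads the size through `s->vga.vram_size`, while the neighbouring lines in this function go through the `vga` parameter (`vga->hw_cursor_y`, `vga->vram_ptr`). Writing it as `vga->vram_size` would keep the bound visibly tied to the same object as the load it guards. A short comment such as `/* 16 bytes of cursor data are read per scanline below */` would also explain the constant; presumably it covers two 64-bit loads, though only the first is visible here. The function body continues outside this hunk.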
-- 
2.41.3