diff options
author | Philippe Mathieu-Daudé | 2022-11-28 21:27:39 +0100 |
---|---|---|
committer | Stefan Hajnoczi | 2022-11-30 00:15:26 +0100 |
commit | 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (patch) | |
tree | 9c7f3b4dc9f8ea7aa7f207475d3aae1a25fe95f8 /dump/dump.c | |
parent | hw/display/qxl: Document qxl_phys2virt() (diff) | |
download | qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.tar.gz qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.tar.xz qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.zip |
hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.
For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no change are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>
Diffstat (limited to 'dump/dump.c')
0 files changed, 0 insertions, 0 deletions