summaryrefslogtreecommitdiffstats
path: root/dump/dump.c
diff options
context:
space:
mode:
authorPhilippe Mathieu-Daudé2022-11-28 21:27:39 +0100
committerStefan Hajnoczi2022-11-30 00:15:26 +0100
commit8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (patch)
tree9c7f3b4dc9f8ea7aa7f207475d3aae1a25fe95f8 /dump/dump.c
parenthw/display/qxl: Document qxl_phys2virt() (diff)
downloadqemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.tar.gz
qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.tar.xz
qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.zip
hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Currently qxl_phys2virt() doesn't check for buffer overrun. In order to do so in the next commit, pass the buffer size as argument. For QXLCursor in qxl_render_cursor() -> qxl_cursor() we verify the size of the chunked data ahead, checking we can access 'sizeof(QXLCursor) + chunk->data_size' bytes. Since in the SPICE_CURSOR_TYPE_MONO case the cursor is assumed to fit in one chunk, no change are required. In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in qxl_unpack_chunks(). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221128202741.4945-4-philmd@linaro.org>
Diffstat (limited to 'dump/dump.c')
0 files changed, 0 insertions, 0 deletions