summaryrefslogtreecommitdiffstats
path: root/hw/display/ati_2d.c
diff options
context:
space:
mode:
authorBALATON Zoltan2019-04-09 12:56:18 +0200
committerGerd Hoffmann2019-05-07 09:55:13 +0200
commit349ebdd76d3a932204f5831950a2af413c29c477 (patch)
treeee0d441a582cbe37758550ce2f2d5590822401e7 /hw/display/ati_2d.c
parentqxl: avoid unaligned pointer reads/writes (diff)
downloadqemu-349ebdd76d3a932204f5831950a2af413c29c477.tar.gz
qemu-349ebdd76d3a932204f5831950a2af413c29c477.tar.xz
qemu-349ebdd76d3a932204f5831950a2af413c29c477.zip
ati-vga: Fix check for blt outside vram
Fix the check preventing calling pixman functions that would access memory outside allocated vram. The r128 X driver sometimes seem to try blits that span outside vram, this check prevents crashing QEMU in that case. (The r128 X driver may have problems even on real hardware so I'm not sure if it's a client bug or emulation problem but at least QEMU should survive.) Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Tested-by: Andrew Randrianasulu <randrianasulu@gmail.com> Message-Id: <20190409110732.5C5FF7465DB@zero.eik.bme.hu> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/display/ati_2d.c')
-rw-r--r--hw/display/ati_2d.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index bc98ba6eeb..fe3ae14864 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -79,10 +79,10 @@ void ati_2d_blt(ATIVGAState *s)
s->regs.dst_width, s->regs.dst_height);
end = s->vga.vram_ptr + s->vga.vram_size;
if (src_bits >= end || dst_bits >= end ||
- src_bits + (s->regs.src_y + s->regs.dst_height) * src_stride +
- s->regs.src_x >= end ||
- dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride +
- s->regs.dst_x >= end) {
+ src_bits + s->regs.src_x + (s->regs.src_y + s->regs.dst_height) *
+ src_stride * sizeof(uint32_t) >= end ||
+ dst_bits + s->regs.dst_x + (s->regs.dst_y + s->regs.dst_height) *
+ dst_stride * sizeof(uint32_t) >= end) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return;
}
@@ -140,8 +140,8 @@ void ati_2d_blt(ATIVGAState *s)
filler);
end = s->vga.vram_ptr + s->vga.vram_size;
if (dst_bits >= end ||
- dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride +
- s->regs.dst_x >= end) {
+ dst_bits + s->regs.dst_x + (s->regs.dst_y + s->regs.dst_height) *
+ dst_stride * sizeof(uint32_t) >= end) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return;
}