summaryrefslogtreecommitdiffstats
path: root/hw/display/sm501.c
diff options
context:
space:
mode:
authorBALATON Zoltan2020-06-20 22:56:28 +0200
committerGerd Hoffmann2020-06-30 22:46:28 +0200
commit84ec3f940289dfba9b6de531c9aac7f089fc6c8f (patch)
treef2cf0ea1dcdc16dcbb76b5d2e31693e7dd5453cb /hw/display/sm501.c
parenthw/misc/pca9552: Add missing TypeInfo::class_size field (diff)
downloadqemu-84ec3f940289dfba9b6de531c9aac7f089fc6c8f.tar.gz
qemu-84ec3f940289dfba9b6de531c9aac7f089fc6c8f.tar.xz
qemu-84ec3f940289dfba9b6de531c9aac7f089fc6c8f.zip
sm501: Fix bounds checks
We don't need to add width to pitch when calculating last point, that would reject valid ops within the card's local_mem. Fixes: b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: ddb5781d12913bb9d6dbfd9e5b1e2b893e2b3e2d.1592686588.git.balaton@eik.bme.hu Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/display/sm501.c')
-rw-r--r--hw/display/sm501.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index a7fc08c52b..5ceee4166f 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -723,8 +723,8 @@ static void sm501_2d_operation(SM501State *s)
dst_y -= height - 1;
}
- if (dst_base >= get_local_mem_size(s) || dst_base +
- (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
+ if (dst_base >= get_local_mem_size(s) ||
+ dst_base + (dst_x + width + (dst_y + height) * dst_pitch) *
(1 << format) >= get_local_mem_size(s)) {
qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
return;
@@ -749,8 +749,8 @@ static void sm501_2d_operation(SM501State *s)
src_y -= height - 1;
}
- if (src_base >= get_local_mem_size(s) || src_base +
- (src_x + width + (src_y + height) * (src_pitch + width)) *
+ if (src_base >= get_local_mem_size(s) ||
+ src_base + (src_x + width + (src_y + height) * src_pitch) *
(1 << format) >= get_local_mem_size(s)) {
qemu_log_mask(LOG_GUEST_ERROR,
"sm501: 2D op src is outside vram.\n");