diff options
| author | Dongwon Kim | 2022-09-09 03:40:52 +0200 |
|---|---|---|
| committer | Gerd Hoffmann | 2022-09-27 07:32:31 +0200 |
| commit | 49a99ecb2290571b2e3f464c13e9c73b87ca91c4 (patch) | |
| tree | 9794bfc654ac6c940bea944140688895de2be4f9 /hw/display | |
| parent | hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) (diff) | |
| download | qemu-49a99ecb2290571b2e3f464c13e9c73b87ca91c4.tar.gz qemu-49a99ecb2290571b2e3f464c13e9c73b87ca91c4.tar.xz qemu-49a99ecb2290571b2e3f464c13e9c73b87ca91c4.zip | |
virtio-gpu: update scanout if there is any area covered by the rect
The scanout is currently updated only if the whole rect is inside the
scanout space. This is not a correct condition because the scanout should
be updated even a small area in the scanout space is covered by the rect.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220909014052.7297-1-dongwon.kim@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/display')
| -rw-r--r-- | hw/display/virtio-gpu.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 20cc703dcc..5e15c79b94 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -515,9 +515,10 @@ static void virtio_gpu_resource_flush(VirtIOGPU *g, for (i = 0; i < g->parent_obj.conf.max_outputs; i++) { scanout = &g->parent_obj.scanout[i]; if (scanout->resource_id == res->resource_id && - rf.r.x >= scanout->x && rf.r.y >= scanout->y && - rf.r.x + rf.r.width <= scanout->x + scanout->width && - rf.r.y + rf.r.height <= scanout->y + scanout->height && + rf.r.x < scanout->x + scanout->width && + rf.r.x + rf.r.width >= scanout->x && + rf.r.y < scanout->y + scanout->height && + rf.r.y + rf.r.height >= scanout->y && console_has_gl(scanout->con)) { dpy_gl_update(scanout->con, 0, 0, scanout->width, scanout->height); |