From: BALATON Zoltan <balaton@eik.bme.hu>
To: qemu-devel@nongnu.org
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
marcandre.lureau@redhat.com,
"Chad Jablonski" <chad@jablonski.xyz>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Peter Maydell" <peter.maydell@linaro.org>
Subject: [PATCH] ati-vga: Fix check for overflowing vram
Date: Wed, 08 Apr 2026 03:28:53 +0200 (CEST)
Message-ID: <20260408012853.2A9F15969F6@zero.eik.bme.hu>
Take into account the bytes per pixel when checking for accessing
beyond end of vram area.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
---
hw/display/ati_2d.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index f0f77cecc6..2450bb5e74 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -146,6 +146,7 @@ static uint32_t make_filler(int bpp, uint32_t color)
static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
{
QemuRect vis_src, vis_dst;
+ unsigned int x, y, i, j, bypp = ctx->bpp / 8;
if (!ctx->bpp) {
qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
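Review bot: bypp is initialised from ctx->bpp / 8 in the new declaration, and the only validation visible here is the !ctx->bpp test, so any nonzero bpp below 8 leaves bypp at 0 and the x * bypp terms added to the bounds checks contribute nothing. If such depths can reach this function, reject them together with the zero case (for example by testing !bypp). Separately, only bypp is needed by the new checks; x, y, i and j could stay declared in the fallback blocks that use them, which would keep this hunk and the two removals further down smaller.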
@@ -156,7 +157,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
return false;
}
if (ctx->dst.x > 0x3fff || ctx->dst.y > 0x3fff ||
- ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x +
+ ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x * bypp +
(ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return false;
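Review bot: the destination bound in this condition now scales dst.x by bypp but still has no term for dst.width, so it relies on (ctx->dst.y + ctx->dst.height) * ctx->dst_stride, one full row past the last row written, to cover the width of the final row. That only holds while dst.width * bypp fits within dst_stride; either check that explicitly or compute the offset of the last byte written and compare that against vram_end, with a short comment naming the invariant the expression depends on.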
@@ -194,7 +195,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
}
if (!ctx->host_data_active &&
(vis_src.x > 0x3fff || vis_src.y > 0x3fff ||
- ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x +
+ ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x * bypp +
(vis_src.y + vis_dst.height) * ctx->src_stride >= ctx->vram_end)) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return false;
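Review bot: the source check combines vis_src.x and vis_src.y with vis_dst.height in the row term; if the source and destination rectangles are guaranteed to share a height at this point, a one-line comment saying so would help, otherwise the source height should be used. The log text is also identical to the destination check's "blt outside vram not implemented", so naming src or dst in each message would make the two rejections distinguishable in logs.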
@@ -240,7 +241,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
fallback = true;
}
if (fallback) {
- unsigned int y, i, j, bypp = ctx->bpp / 8;
for (y = 0; y < vis_dst.height; y++) {
i = vis_dst.x * bypp;
j = vis_src.x * bypp;
@@ -299,7 +299,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
#endif
{
/* fallback when pixman failed or we don't want to call it */
- unsigned int x, y, i, bypp = ctx->bpp / 8;
for (y = 0; y < vis_dst.height; y++) {
i = vis_dst.x * bypp + (vis_dst.y + y) * ctx->dst_stride;
for (x = 0; x < vis_dst.width; x++, i += bypp) {
--
2.41.3