* [PATCH] ati-vga: Fix check for overflowing vram
From: BALATON Zoltan @ 2026-04-08 1:28 UTC (permalink / raw)
To: qemu-devel
Cc: Gerd Hoffmann, marcandre.lureau, Chad Jablonski,
Philippe Mathieu-Daudé, Peter Maydell
Take into account the bytes per pixel when checking for accesses
beyond the end of the vram area.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
---
hw/display/ati_2d.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index f0f77cecc6..2450bb5e74 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -146,6 +146,7 @@ static uint32_t make_filler(int bpp, uint32_t color)
static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
{
QemuRect vis_src, vis_dst;
+ unsigned int x, y, i, j, bypp = ctx->bpp / 8;
if (!ctx->bpp) {
qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
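Review bot: Only `bypp` needs to move to function scope for the new bounds checks; `x`, `y`, `i` and `j` were previously declared at the two fallback loops (hunks @@ -240 and @@ -299) and hoisting them to the top of ati_2d_do_blt widens their lifetime for no reason. Keeping `unsigned int bypp = ctx->bpp / 8;` here and leaving the loop counters declared where they are used would restrict the diff to what the fix needs. The body of ati_2d_do_blt continues outside this hunk.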
@@ -156,7 +157,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
return false;
}
if (ctx->dst.x > 0x3fff || ctx->dst.y > 0x3fff ||
- ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x +
+ ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x * bypp +
(ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return false;
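Review bot: The new bound on the `ctx->dst_bits` line still ignores the blit width: the last byte written is at `(dst.y + dst.height - 1) * dst_stride + (dst.x + dst.width) * bypp`, so whenever `dst.width * bypp` exceeds `dst_stride` a blit can pass this check and still run past `vram_end`, unless dst.width is clipped against the stride somewhere the hunk does not show. A conservative fix is to add the width term as well, e.g. `ctx->dst_bits + (ctx->dst.x + ctx->dst.width) * bypp + (ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end`; the source check in the hunk at @@ -194 has the same gap with `vis_src.x` and `vis_dst.width`. Two things the hunk does not show should also be confirmed: that the bpp validation starting at @@ -146 rejects values below 8 (otherwise `bypp` is 0 and the x term vanishes), and that the field types are wide enough that this sum cannot wrap before the comparison. ati_2d_do_blt's body continues outside the hunk.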
@@ -194,7 +195,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
}
if (!ctx->host_data_active &&
(vis_src.x > 0x3fff || vis_src.y > 0x3fff ||
- ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x +
+ ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x * bypp +
(vis_src.y + vis_dst.height) * ctx->src_stride >= ctx->vram_end)) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return false;
@@ -240,7 +241,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
fallback = true;
}
if (fallback) {
- unsigned int y, i, j, bypp = ctx->bpp / 8;
for (y = 0; y < vis_dst.height; y++) {
i = vis_dst.x * bypp;
j = vis_src.x * bypp;
@@ -299,7 +299,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
#endif
{
/* fallback when pixman failed or we don't want to call it */
- unsigned int x, y, i, bypp = ctx->bpp / 8;
for (y = 0; y < vis_dst.height; y++) {
i = vis_dst.x * bypp + (vis_dst.y + y) * ctx->dst_stride;
for (x = 0; x < vis_dst.width; x++, i += bypp) {
--
2.41.3
* Re: [PATCH] ati-vga: Fix check for overflowing vram
From: Marc-André Lureau @ 2026-04-08 18:56 UTC (permalink / raw)
To: BALATON Zoltan
Cc: qemu-devel, Gerd Hoffmann, Chad Jablonski,
Philippe Mathieu-Daudé, Peter Maydell
On Wed, Apr 8, 2026 at 5:29 AM BALATON Zoltan <balaton@eik.bme.hu> wrote:
>
> Take into account the bytes per pixels when checking for accessing
> beyond end of vram area.
>
> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
> hw/display/ati_2d.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
> index f0f77cecc6..2450bb5e74 100644
> --- a/hw/display/ati_2d.c
> +++ b/hw/display/ati_2d.c
> @@ -146,6 +146,7 @@ static uint32_t make_filler(int bpp, uint32_t color)
> static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
> {
> QemuRect vis_src, vis_dst;
> + unsigned int x, y, i, j, bypp = ctx->bpp / 8;
>
> if (!ctx->bpp) {
> qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
> @@ -156,7 +157,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
> return false;
> }
> if (ctx->dst.x > 0x3fff || ctx->dst.y > 0x3fff ||
> - ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x +
> + ctx->dst_bits >= ctx->vram_end || ctx->dst_bits + ctx->dst.x * bypp +
> (ctx->dst.y + ctx->dst.height) * ctx->dst_stride >= ctx->vram_end) {
> qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
> return false;
> @@ -194,7 +195,7 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
> }
> if (!ctx->host_data_active &&
> (vis_src.x > 0x3fff || vis_src.y > 0x3fff ||
> - ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x +
> + ctx->src_bits >= ctx->vram_end || ctx->src_bits + vis_src.x * bypp +
> (vis_src.y + vis_dst.height) * ctx->src_stride >= ctx->vram_end)) {
> qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
> return false;
> @@ -240,7 +241,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
> fallback = true;
> }
> if (fallback) {
> - unsigned int y, i, j, bypp = ctx->bpp / 8;
> for (y = 0; y < vis_dst.height; y++) {
> i = vis_dst.x * bypp;
> j = vis_src.x * bypp;
> @@ -299,7 +299,6 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
> #endif
> {
> /* fallback when pixman failed or we don't want to call it */
> - unsigned int x, y, i, bypp = ctx->bpp / 8;
> for (y = 0; y < vis_dst.height; y++) {
> i = vis_dst.x * bypp + (vis_dst.y + y) * ctx->dst_stride;
> for (x = 0; x < vis_dst.width; x++, i += bypp) {
> --
> 2.41.3
>