From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60344) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y9Gzu-00042W-UQ for qemu-devel@nongnu.org; Thu, 08 Jan 2015 12:36:11 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Y9Gzi-0006hu-UL for qemu-devel@nongnu.org; Thu, 08 Jan 2015 12:35:50 -0500 Received: from e38.co.us.ibm.com ([32.97.110.159]:53025) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y9Gzi-0006h0-7L for qemu-devel@nongnu.org; Thu, 08 Jan 2015 12:35:38 -0500 Received: from /spool/local by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 8 Jan 2015 10:35:37 -0700 From: Michael Roth Date: Thu, 8 Jan 2015 11:33:49 -0600 Message-Id: <1420738472-23267-46-git-send-email-mdroth@linux.vnet.ibm.com> In-Reply-To: <1420738472-23267-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1420738472-23267-1-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 45/88] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org From: Gerd Hoffmann Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann Reviewed-by: Don Koch (cherry picked from commit 61b41b4c20eba08d2185297767e69153d7f3e09d) Signed-off-by: Michael Roth --- hw/display/vmware_vga.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c index 718746e..c2e0a43 100644 --- a/hw/display/vmware_vga.c +++ b/hw/display/vmware_vga.c @@ -29,8 +29,8 @@ #include "hw/pci/pci.h" #undef VERBOSE -#if 0 #define HW_RECT_ACCEL +#if 0 #define HW_FILL_ACCEL #endif #define HW_MOUSE_ACCEL @@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s) } #ifdef HW_RECT_ACCEL -static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, +static inline int vmsvga_copy_rect(struct vmsvga_state_s *s, int x0, int y0, int x1, int y1, int w, int h) { DisplaySurface *surface = qemu_console_surface(s->vga.con); @@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, int line = h; uint8_t *ptr[2]; + if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) { + return -1; + } + if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) { + return -1; + } + if (y1 > y0) { ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1); ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1); @@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, } vmsvga_update_rect_delayed(s, x1, y1, w, h); + return 0; } #endif @@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) width = vmsvga_fifo_read(s); height = vmsvga_fifo_read(s); #ifdef HW_RECT_ACCEL - vmsvga_copy_rect(s, x, y, dx, dy, width, height); - break; -#else + if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) { + break; + } +#endif args = 0; goto badcmd; -#endif case SVGA_CMD_DEFINE_CURSOR: len -= 8; -- 1.9.1