[Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes.

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes.
@ 2016-03-01  7:17 Gerd Hoffmann
  2016-03-01  7:17 ` [Qemu-devel] [PULL 1/2] cirrus_vga: fix off-by-one in blit_region_is_unsafe Gerd Hoffmann
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2016-03-01  7:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

  Hi,

Yet another small bugfix pull request, this time for vga.

please pull,
  Gerd

The following changes since commit 071608b519adf62bc29c914343a21c5407ab1ac9:

  Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160229-1' into staging (2016-02-29 12:24:26 +0000)

are available in the git repository at:


  git://git.kraxel.org/qemu tags/pull-vga-20160301-1

for you to fetch changes up to 05fa1c742fd6f66978b989ded0dd981ef11c4a0c:

  qxl: lock current_async update in qxl_soft_reset (2016-03-01 07:51:32 +0100)

----------------------------------------------------------------
vga: minor cirrus/qxl bugfixes.

----------------------------------------------------------------
Gerd Hoffmann (1):
      qxl: lock current_async update in qxl_soft_reset

Paolo Bonzini (1):
      cirrus_vga: fix off-by-one in blit_region_is_unsafe

 hw/display/cirrus_vga.c | 4 ++--
 hw/display/qxl.c        | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Qemu-devel] [PULL 1/2] cirrus_vga: fix off-by-one in blit_region_is_unsafe
  2016-03-01  7:17 [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Gerd Hoffmann
@ 2016-03-01  7:17 ` Gerd Hoffmann
  2016-03-01  7:17 ` [Qemu-devel] [PULL 2/2] qxl: lock current_async update in qxl_soft_reset Gerd Hoffmann
  2016-03-01 11:14 ` [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2016-03-01  7:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, Gerd Hoffmann

From: Paolo Bonzini <pbonzini@redhat.com>

The "max" value is being compared with >=, but addr + width points to
the first byte that will _not_ be copied.  Laszlo suggested using a
"greater than" comparison, instead of subtracting one like it is
already done above for the height, so that max remains always positive.

The mistake is "safe"---it will reject some blits, but will never cause
out-of-bounds writes.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/cirrus_vga.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index b6ce1c8..57b91a7 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -276,14 +276,14 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
             + ((int64_t)s->cirrus_blt_height-1) * pitch;
         int32_t max = addr
             + s->cirrus_blt_width;
-        if (min < 0 || max >= s->vga.vram_size) {
+        if (min < 0 || max > s->vga.vram_size) {
             return true;
         }
     } else {
         int64_t max = addr
             + ((int64_t)s->cirrus_blt_height-1) * pitch
             + s->cirrus_blt_width;
-        if (max >= s->vga.vram_size) {
+        if (max > s->vga.vram_size) {
             return true;
         }
     }
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [Qemu-devel] [PULL 2/2] qxl: lock current_async update in qxl_soft_reset
  2016-03-01  7:17 [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Gerd Hoffmann
  2016-03-01  7:17 ` [Qemu-devel] [PULL 1/2] cirrus_vga: fix off-by-one in blit_region_is_unsafe Gerd Hoffmann
@ 2016-03-01  7:17 ` Gerd Hoffmann
  2016-03-01 11:14 ` [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2016-03-01  7:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

This should fix a defect report from Coverity.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/display/qxl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index a423dee..919dc5c 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1156,7 +1156,9 @@ static void qxl_soft_reset(PCIQXLDevice *d)
     trace_qxl_soft_reset(d->id);
     qxl_check_state(d);
     qxl_clear_guest_bug(d);
+    qemu_mutex_lock(&d->async_lock);
     d->current_async = QXL_UNDEFINED_IO;
+    qemu_mutex_unlock(&d->async_lock);
 
     if (d->id == 0) {
         qxl_enter_vga_mode(d);
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes.
  2016-03-01  7:17 [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Gerd Hoffmann
  2016-03-01  7:17 ` [Qemu-devel] [PULL 1/2] cirrus_vga: fix off-by-one in blit_region_is_unsafe Gerd Hoffmann
  2016-03-01  7:17 ` [Qemu-devel] [PULL 2/2] qxl: lock current_async update in qxl_soft_reset Gerd Hoffmann
@ 2016-03-01 11:14 ` Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2016-03-01 11:14 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: QEMU Developers

On 1 March 2016 at 07:17, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> Yet another small bugfix pull request, this time for vga.
>
> please pull,
>   Gerd
>
> The following changes since commit 071608b519adf62bc29c914343a21c5407ab1ac9:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160229-1' into staging (2016-02-29 12:24:26 +0000)
>
> are available in the git repository at:
>
>
>   git://git.kraxel.org/qemu tags/pull-vga-20160301-1
>
> for you to fetch changes up to 05fa1c742fd6f66978b989ded0dd981ef11c4a0c:
>
>   qxl: lock current_async update in qxl_soft_reset (2016-03-01 07:51:32 +0100)
>
> ----------------------------------------------------------------
> vga: minor cirrus/qxl bugfixes.

Applied, thanks.

-- PMM

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-03-01 11:15 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-01  7:17 [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Gerd Hoffmann
2016-03-01  7:17 ` [Qemu-devel] [PULL 1/2] cirrus_vga: fix off-by-one in blit_region_is_unsafe Gerd Hoffmann
2016-03-01  7:17 ` [Qemu-devel] [PULL 2/2] qxl: lock current_async update in qxl_soft_reset Gerd Hoffmann
2016-03-01 11:14 ` [Qemu-devel] [PULL 0/2] vga: minor cirrus/qxl bugfixes Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).