From: "Alex Bennée" <alex.bennee@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
"Alex Bennée" <alex.bennee@linaro.org>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>
Subject: [PATCH 2/2] hw/display: check frame buffer can hold blob
Date: Mon, 4 Nov 2024 16:53:48 +0000 [thread overview]
Message-ID: <20241104165348.2361299-3-alex.bennee@linaro.org> (raw)
In-Reply-To: <20241104165348.2361299-1-alex.bennee@linaro.org>
Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64-bit
value. Fix this by casting the first input to uint64_t to ensure a 64-bit
multiply is used.
While we are at it, note why we split the calculation into stride and
bytes_pp parts.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
---
hw/display/virtio-gpu.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index e7ca8fd1cf..572e4d92c6 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -741,9 +741,14 @@ bool virtio_gpu_scanout_blob_to_fb(struct virtio_gpu_framebuffer *fb,
fb->stride = ss->strides[0];
fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;
+ /*
+ * We calculate fb->stride for every line but the last which we
+ * calculate purely by its width. The stride will often be larger
+ * than width to meet alignment requirements.
+ */
fbend = fb->offset;
- fbend += fb->stride * (ss->r.height - 1);
- fbend += fb->bytes_pp * ss->r.width;
+ fbend += (uint64_t) fb->stride * (ss->r.height - 1);
+ fbend += (uint64_t) fb->bytes_pp * ss->r.width;
if (fbend > blob_size) {
qemu_log_mask(LOG_GUEST_ERROR,
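Review bot: the unchanged line `fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;` at the top of this hunk still does the same 32x32 multiplies the commit message describes, and fb->offset is the first term of fbend, so unless fb->offset is already a 64-bit field a wrapped offset makes the two widened additions below it moot; consider casting `ss->r.x` and `ss->r.y` to uint64_t the same way, or bounding x/y against width/height before the offset is formed. Two smaller points: when `ss->r.height` is 0 the subtraction `(ss->r.height - 1)` wraps to UINT32_MAX before the cast widens it, which does push fbend above blob_size and reject the scanout, but a word in the new comment saying that is the intended outcome would save the next reader the derivation; and the comment's first sentence reads as if stride itself is computed per line, so something like "We count a full stride for every line but the last, which only needs its width" would describe what the arithmetic does.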
--
2.39.5
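The overflow the commit message describes, as an added stand-alone C example that is not part of this patch or of QEMU: the struct, the field values and the function names (fb_params, fbend_narrow, fbend_wide, blob_holds_fb) are constructed here to mirror the fields the hunk uses. It computes the blob end offset once with the 32x32 multiply and once with the uint64_t cast, and runs both through the blob_size check, so you can see the narrow form wrap to a small value that passes the check for a scanout that does not fit, while the widened form rejects it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed mirror of the fields the hunk reads; not QEMU's own struct. */
struct fb_params {
    uint32_t bytes_pp;   /* bytes per pixel */
    uint32_t stride;     /* bytes per line, often > width * bytes_pp for alignment */
    uint32_t offset;     /* byte offset of the first pixel inside the blob */
    uint32_t width;      /* scanout rectangle width in pixels */
    uint32_t height;     /* scanout rectangle height in lines */
};

/* Before the fix: both products are 32x32 and wrap before being widened. */
uint64_t fbend_narrow(const struct fb_params *p)
{
    uint64_t fbend = p->offset;
    fbend += p->stride * (p->height - 1);   /* uint32_t * uint32_t, may wrap */
    fbend += p->bytes_pp * p->width;        /* uint32_t * uint32_t, may wrap */
    return fbend;
}

/* After the fix: casting the first operand forces a 64-bit multiply. */
uint64_t fbend_wide(const struct fb_params *p)
{
    uint64_t fbend = p->offset;
    /* every line but the last contributes a full stride */
    fbend += (uint64_t) p->stride * (p->height - 1);
    /* the last line only needs width pixels */
    fbend += (uint64_t) p->bytes_pp * p->width;
    return fbend;
}

/* The check the hunk performs: the frame buffer must end inside the blob. */
bool blob_holds_fb(uint64_t fbend, uint64_t blob_size)
{
    return fbend <= blob_size;
}

int main(void)
{
    /* Constructed values: stride * (height - 1) == 2^32, which wraps to 0. */
    struct fb_params p = {
        .bytes_pp = 4, .stride = 65536, .offset = 0, .width = 16, .height = 65537,
    };
    uint64_t blob_size = 4096;

    printf("narrow fbend = %llu, fits = %d\n",
           (unsigned long long) fbend_narrow(&p),
           blob_holds_fb(fbend_narrow(&p), blob_size));
    printf("wide   fbend = %llu, fits = %d\n",
           (unsigned long long) fbend_wide(&p),
           blob_holds_fb(fbend_wide(&p), blob_size));
    return 0;
}
```

With these values the narrow form reports an end offset of 64 bytes and accepts a 4 KiB blob, while the widened form reports 2^32 + 64 and rejects it. The height == 0 edge case behaves safely in the widened form: `(height - 1)` wraps to UINT32_MAX before the cast, the 64-bit product is enormous, and the check fails.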
Thread overview: 6+ messages
2024-11-04 16:53 [PATCH 0/2] virtio-gpu: coverity fixes Alex Bennée
2024-11-04 16:53 ` [PATCH 1/2] hw/display: factor out the scanout blob to fb conversion Alex Bennée
2024-11-06 0:33 ` Dmitry Osipenko
2024-11-06 17:36 ` Alex Bennée
2024-11-04 16:53 ` Alex Bennée [this message]
2024-11-06 0:56 ` [PATCH 2/2] hw/display: check frame buffer can hold blob Dmitry Osipenko