From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Michael Tokarev" <mjt@tls.msk.ru>,
"Thaddeus Hogan" <thaddeus@thogan.com>,
"Vadim Zeitlin" <vadim@wxwidgets.org>,
"Thomas Huth" <thuth@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PULL 2/9] hw/display/qxl-render: fix qxl_unpack_chunks() chunk size calculation
Date: Tue, 29 Jul 2025 13:57:27 +0200
Message-ID: <20250729115735.33619-3-philmd@linaro.org>
In-Reply-To: <20250729115735.33619-1-philmd@linaro.org>
From: Michael Tokarev <mjt@tls.msk.ru>
In case of multiple chunks, the code in qxl_unpack_chunks() takes the size of the
wrong (next in the chain) chunk instead of using the current chunk size.
This leads to the wrong number of bytes being copied, and to crashes if the next
chunk size is larger than the current one.
Based on the code by Gao Yong.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1628
Tested-by: Thaddeus Hogan <thaddeus@thogan.com>
Tested-by: Vadim Zeitlin <vadim@wxwidgets.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250221134856.478806-1-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/display/qxl-render.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index eda6d3de37c..c6a9ac1da10 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -222,6 +222,7 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
uint32_t max_chunks = 32;
size_t offset = 0;
size_t bytes;
+ QXLPHYSICAL next_chunk_phys = 0;
for (;;) {
bytes = MIN(size - offset, chunk->data_size);
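Review bot: the `= 0` initializer on `next_chunk_phys` is redundant, since the variable is assigned from `chunk->next_chunk` before its first use inside the loop; declaring it at the point of assignment inside the `for (;;)` body would keep its scope minimal and let the compiler flag any future use before assignment. No functional concern with this hunk.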
@@ -230,7 +231,15 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
if (offset == size) {
return;
}
- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
+ next_chunk_phys = chunk->next_chunk;
+ /* fist time, only get the next chunk's data size */
+ chunk = qxl_phys2virt(qxl, next_chunk_phys, group_id,
+ sizeof(QXLDataChunk));
+ if (!chunk) {
+ return;
+ }
+ /* second time, check data size and get data */
+ chunk = qxl_phys2virt(qxl, next_chunk_phys, group_id,
sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
return;
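Review bot: the comment on the first `qxl_phys2virt()` call misspells "first" as "fist". On the logic: the two-stage mapping is the right fix for the issue in the commit message, because the second call now validates `sizeof(QXLDataChunk) + chunk->data_size` against the chunk actually being read rather than against the previous chunk's size. One remaining point: `data_size` is read from guest-shared memory here, to size the second mapping, and then read again at the top of the loop in `bytes = MIN(size - offset, chunk->data_size)`, so the size that was validated and the size that is used are two separate reads of the same field. Copying `data_size` into a local when the header is first mapped, and using that local both for the second `qxl_phys2virt()` call and for the `MIN()` at the loop top, would make the validated and used sizes the same value. Also, both `if (!chunk) { return; }` paths leave the partially filled destination buffer as-is with no indication to the caller; that matches the pre-existing behaviour, so it is fine to keep for this fix, but a short note in the function comment would help readers.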
--
2.49.0