From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1L8ZMV-00089g-AF
	for qemu-devel@nongnu.org; Fri, 05 Dec 2008 07:00:47 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1L8ZMS-00088s-Lk
	for qemu-devel@nongnu.org; Fri, 05 Dec 2008 07:00:46 -0500
Received: from [199.232.76.173] (port=49730 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1L8ZMS-00088n-DI
	for qemu-devel@nongnu.org; Fri, 05 Dec 2008 07:00:44 -0500
Received: from mr01.hansenet.de ([213.191.74.10]:36895)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <rene@exactcode.de>) id 1L8ZMR-0002MM-Rw
	for qemu-devel@nongnu.org; Fri, 05 Dec 2008 07:00:44 -0500
Message-ID: <493917E3.5020404@exactcode.de>
Date: Fri, 05 Dec 2008 13:00:35 +0100
From: =?ISO-8859-1?Q?Ren=E9_Rebe?= <rene@exactcode.de>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH] do boundary check based on absolute value
References: <1228427046-28875-1-git-send-email-glommer@redhat.com>
In-Reply-To: <1228427046-28875-1-git-send-email-glommer@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: Quoted-Printable
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: avi@redhat.com, kvm@vger.kernel.org

Hi,

Glauber Costa wrote:
> For backward operations, dstpitch and srcpitch can
> be negative. This leads BLTUNSAFE macro into an
> overflow, and as a result, it avoids performing
> operations that are perfectly valid.
>
> The visible effect that led to that patch was the gnome-panel
> bar in Fedora10. Before this patch, you could see garbage
> clobbering a big portion of the bar.
>
> After this patch, this garbage is gone.
>  =20
Confirmed to fix corruption with simple window mangers like
blackbox/fluxbox when moving windows out of the screen
bounds, which had on my TODO for review.
> Signed-off-by: Glauber Costa <glommer@redhat.com>
> ---
>  hw/cirrus_vga.c |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
> index e0cf458..5690719 100644
> --- a/hw/cirrus_vga.c
> +++ b/hw/cirrus_vga.c
> @@ -221,15 +221,17 @@
>  #define CIRRUS_HOOK_NOT_HANDLED 0
>  #define CIRRUS_HOOK_HANDLED 1
> =20
> +#define ABS(a) ((signed)(a) > 0 ? a : -a)
> +
>  #define BLTUNSAFE(s) \
>      ( \
>          ( /* check dst is within bounds */ \
> -            (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
> +            (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \
>                  + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > =
\
>                      (s)->vram_size \
>          ) || \
>          ( /* check src is within bounds */ \
> -            (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
> +            (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \
>                  + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > =
\
>                      (s)->vram_size \
>          ) \
>  =20

--=20
  Ren=E9 Rebe - ExactCODE GmbH - Europe, Germany, Berlin
  http://exactcode.de | http://t2-project.org | http://rene.rebe.name