From: BALATON Zoltan <balaton@eik.bme.hu>
To: qemu-devel@nongnu.org
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
marcandre.lureau@redhat.com,
"Chad Jablonski" <chad@jablonski.xyz>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PATCH v5 8/8] ati-vga: Make sure hardware cursor data is within vram
Date: Sat, 21 Mar 2026 02:04:26 +0100 (CET) [thread overview]
Message-ID: <671a065693316a8e5a330dce2c10c6b1370f4649.1774054635.git.balaton@eik.bme.hu> (raw)
In-Reply-To: <cover.1774054635.git.balaton@eik.bme.hu>
Add a check to make sure we don't read past the end of vram when getting
the mouse pointer image.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
---
hw/display/ati.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/display/ati.c b/hw/display/ati.c
index c278d11d34..12ef180828 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -151,6 +151,9 @@ static void ati_cursor_define(ATIVGAState *s)
/* FIXME handle cur_hv_offs correctly */
srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
(s->regs.cur_hv_offs & 0xffff) * 16;
+ if (srcoff + 64 * 16 > s->vga.vram_size) {
+ return;
+ }
for (int i = 0; i < 64; i++, srcoff += 16) {
if (s->vga.big_endian_fb) {
data[i] = wswap64(ldq_be_p(&s->vga.vram_ptr[srcoff]));
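Review bot: the new bound check in ati_cursor_define only guards the upper end of the range, but srcoff is produced by subtracting both halves of cur_hv_offs from cur_offset two lines above, so a guest-controlled cur_hv_offs larger than cur_offset can wrap srcoff (if unsigned) or make it negative (if signed) before the comparison; the hunk does not show srcoff's type, so please confirm it and reject the wrapped case explicitly, e.g. `if (srcoff >= s->vga.vram_size || s->vga.vram_size - srcoff < 64 * 16) { return; }`, which also avoids the `srcoff + 64 * 16` addition overflowing for large srcoff. A comment on the early return (or a qemu_log_mask(LOG_GUEST_ERROR, ...) line) would help, since silently skipping the cursor update is otherwise hard to diagnose from the guest side.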
@@ -210,6 +213,9 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
}
/* FIXME handle cur_hv_offs correctly */
srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
+ if (srcoff + 16 > s->vga.vram_size) {
+ return;
+ }
dp = &dp[vga->hw_cursor_x];
h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
abits = ldq_le_p(&vga->vram_ptr[srcoff]);
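Review bot: the check in ati_cursor_draw_line has the same shape as the one in ati_cursor_define and shares its gap: srcoff here is s->cursor_offset plus (scr_y - vga->hw_cursor_y) * 16, and the visible lines do not show that scr_y >= hw_cursor_y is guaranteed at this point or how s->cursor_offset relates to the value validated in ati_cursor_define, so a negative or wrapped srcoff can still pass `srcoff + 16 > s->vga.vram_size`. Prefer the subtraction form (`s->vga.vram_size - srcoff < 16` after an `srcoff >= s->vga.vram_size` test) and, if s->cursor_offset is only ever set from the already-validated define path, say so in a comment so the duplicate check is understood as defence in depth rather than a missing invariant.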
--
2.41.3