From: Anthony Liguori
Date: Thu, 04 Dec 2008 22:36:38 +0000
Subject: [Qemu-devel] [5880] do boundary check based on absolute value (Glauber Costa)
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
To: qemu-devel@nongnu.org

Revision: 5880
http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=5880
Author: aliguori
Date: 2008-12-04 22:36:38 +0000 (Thu, 04 Dec 2008)

Log Message:
-----------
do boundary check based on absolute value (Glauber Costa)

For backward operations, dstpitch and srcpitch can be negative. This leads the BLTUNSAFE macro into an overflow, and as a result, it avoids performing operations that are perfectly valid.

The visible effect that led to that patch was the gnome-panel bar in Fedora10. Before this patch, you could see garbage clobbering a big portion of the bar. After this patch, this garbage is gone.

Signed-off-by: Glauber Costa

Modified Paths:
--------------
trunk/hw/cirrus_vga.c

Modified: trunk/hw/cirrus_vga.c
===================================================================
--- trunk/hw/cirrus_vga.c 2008-12-04 21:39:21 UTC (rev 5879)
+++ trunk/hw/cirrus_vga.c 2008-12-04 22:36:38 UTC (rev 5880)
@@ -221,15 +221,17 @@ #define CIRRUS_HOOK_NOT_HANDLED 0 #define CIRRUS_HOOK_HANDLED 1 +#define ABS(a) ((signed)(a) > 0 ? a : -a) + #define BLTUNSAFE(s) \ ( \ ( /* check dst is within bounds */ \ - (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \ + (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \ + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \ (s)->vram_size \ ) || \ ( /* check src is within bounds */ \ - (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \ + (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \ + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \ (s)->vram_size \ ) \
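Review bot: The reworked BLTUNSAFE test still only bounds the blit against the top of VRAM; with a negative cirrus_blt_dstpitch or cirrus_blt_srcpitch (the backward case this change is about) each row moves to a lower address than cirrus_blt_dstaddr/srcaddr, so the address that needs checking is the start address minus cirrus_blt_height * |pitch|, not the start address plus it, and a backward blit that starts near the beginning of VRAM passes the new check while walking below it. Consider deriving the lowest and highest address the blit will touch from the sign of the pitch and checking both, or stating in the commit message why the callers already guarantee the lower bound. Two smaller points on the new ABS macro: its replacement list should parenthesize the argument, `((signed)(a) > 0 ? (a) : -(a))`, so that an expression argument is not mis-negated, and a generic name like ABS is likely to clash with a same-named macro pulled in from another header; a prefixed name or an #ifndef guard would avoid that.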