[PULL 01/13] sm501: Fix bounds checks

qemu-ppc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 01/13] sm501: Fix bounds checks

From:	Gerd Hoffmann
Subject:	[PULL 01/13] sm501: Fix bounds checks
Date:	Wed, 1 Jul 2020 17:04:13 +0200

From: BALATON Zoltan <balaton@eik.bme.hu>

We don't need to add width to pitch when calculating last point, that
would reject valid ops within the card's local_mem.

Fixes: b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 
ddb5781d12913bb9d6dbfd9e5b1e2b893e2b3e2d.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/sm501.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index a7fc08c52b2b..5ceee4166f6b 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -723,8 +723,8 @@ static void sm501_2d_operation(SM501State *s)
         dst_y -= height - 1;
     }
 
-    if (dst_base >= get_local_mem_size(s) || dst_base +
-        (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
+    if (dst_base >= get_local_mem_size(s) ||
+        dst_base + (dst_x + width + (dst_y + height) * dst_pitch) *
         (1 << format) >= get_local_mem_size(s)) {
         qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
         return;
@@ -749,8 +749,8 @@ static void sm501_2d_operation(SM501State *s)
             src_y -= height - 1;
         }
 
-        if (src_base >= get_local_mem_size(s) || src_base +
-            (src_x + width + (src_y + height) * (src_pitch + width)) *
+        if (src_base >= get_local_mem_size(s) ||
+            src_base + (src_x + width + (src_y + height) * src_pitch) *
             (1 << format) >= get_local_mem_size(s)) {
             qemu_log_mask(LOG_GUEST_ERROR,
                           "sm501: 2D op src is outside vram.\n");
-- 
2.18.4

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 00/13] Vga 20200701 patches, Gerd Hoffmann, 2020/07/01
- [PULL 01/13] sm501: Fix bounds checks, Gerd Hoffmann <=
- [PULL 13/13] configure: vgabios cleanups, Gerd Hoffmann, 2020/07/01
- [PULL 03/13] sm501: Ignore no-op blits, Gerd Hoffmann, 2020/07/01
- [PULL 06/13] sm501: Use stn_he_p/ldn_he_p instead of switch/case, Gerd Hoffmann, 2020/07/01
- [PULL 09/13] sm501: Fix and optimize overlap check, Gerd Hoffmann, 2020/07/01
- [PULL 10/13] ati-vga: Support unaligned access to hardware cursor registers, Gerd Hoffmann, 2020/07/01
- [PULL 04/13] sm501: Introduce variable for commonly used value for better readability, Gerd Hoffmann, 2020/07/01
- [PULL 08/13] sm501: Convert debug printfs to traces, Gerd Hoffmann, 2020/07/01
- [PULL 02/13] sm501: Drop unneded variable, Gerd Hoffmann, 2020/07/01
- [PULL 12/13] ati-vga: Add dummy MEM_SDRAM_MODE_REG, Gerd Hoffmann, 2020/07/01
- [PULL 11/13] ati-vga: Do not assert on error, Gerd Hoffmann, 2020/07/01

Prev by Date: [PULL 00/13] Vga 20200701 patches
Next by Date: [PULL 13/13] configure: vgabios cleanups
Previous by thread: [PULL 00/13] Vga 20200701 patches
Next by thread: [PULL 13/13] configure: vgabios cleanups
Index(es):
- Date
- Thread