From: Philippe Mathieu-Daudé
Subject: Re: [RFC PATCH-for-7.2 3/4] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Date: Mon, 28 Nov 2022 12:11:37 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.5.0

On 28/11/22 09:22, Marc-André Lureau wrote:
On Fri, Nov 25, 2022 at 9:35 PM Philippe Mathieu-Daudé <[email protected]> wrote:

Currently qxl_phys2virt() doesn't check for buffer overrun. In order to do so in the next commit, pass the buffer size as argument.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
---
RFC: Please double-check qxl_render_update_area_unlocked()
---
hw/display/qxl-logger.c | 11 ++++++++---
hw/display/qxl-render.c | 11 +++++++----
hw/display/qxl.c | 14 +++++++++-----
hw/display/qxl.h | 4 +++-
4 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index ca217004bf..1b0a50c1aa 100644 --- a/hw/display/qxl-render.c +++ b/hw/display/qxl-render.c @@ -107,7 +107,8 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl) qxl->guest_primary.resized = 0; qxl->guest_primary.data = qxl_phys2virt(qxl, qxl->guest_primary.surface.mem, - MEMSLOT_GROUP_GUEST); + MEMSLOT_GROUP_GUEST, + sizeof(uint32_t) * width * height);It looks wrong, I think it should be: qxl->guest_primary.abs_stride * height * qxl->guest_primary.bytes_pp
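
Review bot: In the qxl_render_update_area_unlocked() hunk, the new size argument `sizeof(uint32_t) * width * height` hard-codes 4 bytes per pixel and assumes each row is exactly `width` pixels, so the range qxl_phys2virt() is asked to validate may not be the range later read through qxl->guest_primary.data. Deriving the size from the surface's own stride and height (the thread proposes qxl->guest_primary.abs_stride * height) would keep the checked length tied to the layout the renderer actually uses. Since these values describe the guest primary surface, it is also worth confirming that the multiplication cannot wrap or be truncated when converted to the type of the new size parameter, which is not visible in this hunk.
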
Isn't "bytes_pp" included in "abs_stride"? If so, then "qxl->guest_primary.abs_stride * height" is enough..