diff options
| author | Philippe Mathieu-Daudé <philmd@linaro.org> | 2022-11-28 21:27:39 +0100 |
|---|---|---|
| committer | Stefan Hajnoczi <stefanha@redhat.com> | 2022-11-29 18:15:26 -0500 |
| commit | 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (patch) | |
| tree | 9c7f3b4dc9f8ea7aa7f207475d3aae1a25fe95f8 /hw/display/qxl-logger.c | |
| parent | b1901de83a9456cde26fc755f71ca2b7b3ef50fc (diff) | |
| download | focaccia-qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.tar.gz focaccia-qemu-8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f.zip | |
hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Currently qxl_phys2virt() doesn't check for buffer overrun. In order to do so in the next commit, pass the buffer size as argument. For QXLCursor in qxl_render_cursor() -> qxl_cursor() we verify the size of the chunked data ahead, checking we can access 'sizeof(QXLCursor) + chunk->data_size' bytes. Since in the SPICE_CURSOR_TYPE_MONO case the cursor is assumed to fit in one chunk, no change are required. In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in qxl_unpack_chunks(). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221128202741.4945-4-philmd@linaro.org>
Diffstat (limited to 'hw/display/qxl-logger.c')
| -rw-r--r-- | hw/display/qxl-logger.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c index 1bcf803db6..35c38f6252 100644 --- a/hw/display/qxl-logger.c +++ b/hw/display/qxl-logger.c @@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id) QXLImage *image; QXLImageDescriptor *desc; - image = qxl_phys2virt(qxl, addr, group_id); + image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage)); if (!image) { return 1; } @@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id) cmd->u.set.position.y, cmd->u.set.visible ? "yes" : "no", cmd->u.set.shape); - cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id); + cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id, + sizeof(QXLCursor)); if (!cursor) { return 1; } @@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) { bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT; void *data; + size_t datasz; int ret; if (!qxl->cmdlog) { @@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) switch (ext->cmd.type) { case QXL_CMD_DRAW: + datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable); break; case QXL_CMD_SURFACE: + datasz = sizeof(QXLSurfaceCmd); break; case QXL_CMD_CURSOR: + datasz = sizeof(QXLCursorCmd); break; default: goto out; } - data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); + data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz); if (!data) { return 1; } |