author: Alex Bennée <alex.bennee@linaro.org> 2024-11-11 23:00:40 +0000
committer: Alex Bennée <alex.bennee@linaro.org> 2024-11-18 15:54:48 +0000
commit: d6902d7022ba1405a991c94a99b37259d0a6d3a7
tree: 0b9c3f41cd43d69017c63297a6f5f6666d229399 /hw/display/virtio-gpu.c
parent: c873a6569ff08317578c9810ca049f2c70e3ad99
hw/display: check frame buffer can hold blob
Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix this by first using stride for all lines and casting input
to uint64_t to ensure a 64 bit multiply is used.

Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20241111230040.68470-3-alex.bennee@linaro.org>
Diffstat (limited to 'hw/display/virtio-gpu.c')
-rw-r--r-- hw/display/virtio-gpu.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index e7ca8fd1cf..7d22d03bbf 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -742,8 +742,7 @@ bool virtio_gpu_scanout_blob_to_fb(struct virtio_gpu_framebuffer *fb,
     fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;
 
     fbend = fb->offset;
-    fbend += fb->stride * (ss->r.height - 1);
-    fbend += fb->bytes_pp * ss->r.width;
+    fbend += (uint64_t) fb->stride * ss->r.height;
 
     if (fbend > blob_size) {
         qemu_log_mask(LOG_GUEST_ERROR,
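Review bot: the cast on the added `fbend += (uint64_t) fb->stride * ss->r.height;` line widens only that one product, while the unchanged `fb->offset = ...` line at the top of the hunk still computes `ss->r.x * fb->bytes_pp` and `ss->r.y * fb->stride` with no widening, and `fbend` is seeded from that value. If those operands are 32-bit, as the commit message's "32x32 multiplies" implies, a wrapped offset would still feed the `fbend > blob_size` check, so consider applying the same `(uint64_t)` cast there or validating the rectangle before the offset is derived. Separately, the new bound requires a full `stride` for the last line, which is stricter than the removed `stride * (height - 1)` plus `bytes_pp * width` form: a blob whose final row carries no padding now fails the check. A one-line comment above the `fbend` computation stating that this is intentional would save the next reader from treating it as a regression.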