ramfb: add sanity checks to ramfb_create_display_surface

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 20200429115236.28709-6-kraxel@redhat.com
author: Gerd Hoffmann <kraxel@redhat.com> 2020-04-29 13:52:35 +0200
committer: Gerd Hoffmann <kraxel@redhat.com> 2020-05-18 15:43:51 +0200
commit: 819c83e27895472befbfee67d3d7d089c61d7fbd (patch)
tree: 9ccd752a832f7b0721880fdafb621ccb82589b8d /hw/display
parent: 19aaee2a65a26693fe0a30b5a0746f967774e278 (diff)
download: focaccia-qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.tar.gz
focaccia-qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c
index 1a20bdec41..52dae78db4 100644
--- a/hw/display/ramfb.c
+++ b/hw/display/ramfb.c
@@ -15,6 +15,7 @@
 #include "qapi/error.h"
 #include "hw/loader.h"
 #include "hw/display/ramfb.h"
+#include "hw/display/bochs-vbe.h" /* for limits */
 #include "ui/console.h"
 #include "sysemu/reset.h"
 
@@ -49,6 +50,11 @@ static DisplaySurface *ramfb_create_display_surface(int width, int height,
     hwaddr size;
     void *data;
 
+    if (width < 16 || width > VBE_DISPI_MAX_XRES ||
+        height < 16 || height > VBE_DISPI_MAX_YRES ||
+        format == 0 /* unknown format */)
+        return NULL;
+
     if (linesize == 0) {
         linesize = width * PIXMAN_FORMAT_BPP(format) / 8;
     }
author	Gerd Hoffmann <kraxel@redhat.com>	2020-04-29 13:52:35 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2020-05-18 15:43:51 +0200
commit	819c83e27895472befbfee67d3d7d089c61d7fbd (patch)
tree	9ccd752a832f7b0721880fdafb621ccb82589b8d /hw/display
parent	19aaee2a65a26693fe0a30b5a0746f967774e278 (diff)
download	focaccia-qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.tar.gz focaccia-qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.zip