1 | From b162e22e5f0c1081efeec646999616ce1a7e3875 Mon Sep 17 00:00:00 2001 |
2 | From: Gerd Hoffmann <kraxel@redhat.com> | |
3 | Date: Wed, 11 Oct 2017 10:43:14 +0200 | |
4 | Subject: [PATCH 23/23] cirrus: fix oob access in mode4and5 write functions | |
5 | ||
6 | Move dst calculation into the loop, so we apply the mask on each | |
7 | iteration and will not overflow vga memory. | |
8 | ||
9 | Cc: Prasad J Pandit <pjp@fedoraproject.org> | |
10 | Reported-by: Niu Guoxiang <niuguoxiang@huawei.com> | |
11 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | |
12 | Message-id: 20171011084314.21752-1-kraxel@redhat.com | |
13 | --- | |
14 | hw/display/cirrus_vga.c | 6 ++---- | |
15 | 1 file changed, 2 insertions(+), 4 deletions(-) | |
16 | ||
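diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index afc290ab91..077a8cb74f 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
 unsigned val = mem_value;
 uint8_t *dst;
 
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
 for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
 if (val & 0x80) {
 *dst = s->cirrus_shadow_gr1;
 } else if (mode == 5) {
 *dst = s->cirrus_shadow_gr0;
 }
 val <<= 1;
- dst++;
 }
 memory_region_set_dirty(&s->vga.vram, offset, 8);
 }
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
 unsigned val = mem_value;
 uint8_t *dst;
 
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
 for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
 if (val & 0x80) {
 *dst = s->cirrus_shadow_gr1;
 *(dst + 1) = s->vga.gr[0x11];
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
 *(dst + 1) = s->vga.gr[0x10];
 }
 val <<= 1;
- dst += 2;
 }
 memory_region_set_dirty(&s->vga.vram, offset, 16);
 }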
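Review bot: The per-iteration mask now lets the eight byte writes wrap to the start of vram when `offset` lies within 8 bytes of `s->cirrus_addr_mask`, but the `memory_region_set_dirty(&s->vga.vram, offset, 8);` call at the end of the first hunk still dirties the linear range starting at `offset`, so wrapped bytes are never marked dirty and the dirty span runs past the mask; the same mismatch applies to the 16-byte dirty call in the last `cirrus_mem_writeb_mode4and5_16bpp` hunk. Whether `offset` arrives already masked depends on the caller, which is outside this diff; if it can exceed the mask, the dirty call now also sees the unmasked value because the in-place `offset &= s->cirrus_addr_mask` was removed. Dirtying inside the loop keeps writes and dirty tracking in step, e.g. after `val <<= 1;` add `memory_region_set_dirty(&s->vga.vram, (offset + x) & s->cirrus_addr_mask, 1);` and drop the trailing call (a 2-byte equivalent using `(offset + 2 * x) & s->cirrus_addr_mask & ~1` for the 16bpp loop). Both functions' signatures and the `int x;` declaration sit above their hunks, and the 16bpp function body is split across the second and third hunks.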
56 | -- | |
57 | 2.11.0 | |