[pve-qemu.git] / debian / patches / extra / 0008-vga-add-vga_scanline_invalidated-helper.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:26 +0200
Subject: [PATCH] vga: add vga_scanline_invalidated helper

Add vga_scanline_invalidated helper to check whenever a scanline was
invalidated.  Add a sanity check to fix OOB read access for display
heights larger than 2048.

Only cirrus uses this, for hardware cursor rendering, so having this
work properly for the first 2048 scanlines only shouldn't be a problem
as the cirrus can't handle large resolutions anyway.  Also changing the
invalidated_y_table size would break live migration.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-4-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vga.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 69c3e1d674..3991b88aac 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1434,6 +1434,14 @@ void vga_invalidate_scanlines(VGACommonState *s, int y1, int y2)
     }
 }
 
+static bool vga_scanline_invalidated(VGACommonState *s, int y)
+{
+    if (y >= VGA_MAX_HEIGHT) {
+        return false;
+    }
+    return s->invalidated_y_table[y >> 5] & (1 << (y & 0x1f));
+}
+
 void vga_sync_dirty_bitmap(VGACommonState *s)
 {
     memory_region_sync_dirty_bitmap(&s->vram);
@@ -1638,8 +1646,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
         page1 = addr + bwidth - 1;
         update |= memory_region_get_dirty(&s->vram, page0, page1 - page0,
                                           DIRTY_MEMORY_VGA);
-        /* explicit invalidation for the hardware cursor */
-        update |= (s->invalidated_y_table[y >> 5] >> (y & 0x1f)) & 1;
+        /* explicit invalidation for the hardware cursor (cirrus only) */
+        update |= vga_scanline_invalidated(s, y);
         if (update) {
             if (y_start < 0)
                 y_start = y;
@@ -1686,7 +1694,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
                                   page_max - page_min,
                                   DIRTY_MEMORY_VGA);
     }
-    memset(s->invalidated_y_table, 0, ((height + 31) >> 5) * 4);
+    memset(s->invalidated_y_table, 0, sizeof(s->invalidated_y_table));
 }
 
 static void vga_draw_blank(VGACommonState *s, int full_update)
-- 
2.11.0
Commit	Line	Data
3dcc8d3b	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
ddbcf45e WB	2	From: Gerd Hoffmann <kraxel@redhat.com>
ddbcf45e WB	3	Date: Fri, 21 Apr 2017 11:16:26 +0200
3dcc8d3b	4	Subject: [PATCH] vga: add vga_scanline_invalidated helper
ddbcf45e WB	5
	6	Add vga_scanline_invalidated helper to check whenever a scanline was
	7	invalidated. Add a sanity check to fix OOB read access for display
	8	heights larger than 2048.
	9
	10	Only cirrus uses this, for hardware cursor rendering, so having this
	11	work properly for the first 2048 scanlines only shouldn't be a problem
	12	as the cirrus can't handle large resolutions anyway. Also changing the
	13	invalidated_y_table size would break live migration.
	14
	15	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	16	Message-id: 20170421091632.30900-4-kraxel@redhat.com
	17	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	18	---
	19	hw/display/vga.c \| 14 +++++++++++---
	20	1 file changed, 11 insertions(+), 3 deletions(-)
	21
	22	diff --git a/hw/display/vga.c b/hw/display/vga.c
	23	index 69c3e1d674..3991b88aac 100644
	24	--- a/hw/display/vga.c
	25	+++ b/hw/display/vga.c
	26	@@ -1434,6 +1434,14 @@ void vga_invalidate_scanlines(VGACommonState *s, int y1, int y2)
	27	}
	28	}
	29
	30	+static bool vga_scanline_invalidated(VGACommonState *s, int y)
	31	+{
	32	+ if (y >= VGA_MAX_HEIGHT) {
	33	+ return false;
	34	+ }
	35	+ return s->invalidated_y_table[y >> 5] & (1 << (y & 0x1f));
	36	+}
	37	+
	38	void vga_sync_dirty_bitmap(VGACommonState *s)
	39	{
	40	memory_region_sync_dirty_bitmap(&s->vram);
	41	@@ -1638,8 +1646,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
	42	page1 = addr + bwidth - 1;
	43	update \|= memory_region_get_dirty(&s->vram, page0, page1 - page0,
	44	DIRTY_MEMORY_VGA);
	45	- /* explicit invalidation for the hardware cursor */
	46	- update \|= (s->invalidated_y_table[y >> 5] >> (y & 0x1f)) & 1;
	47	+ /* explicit invalidation for the hardware cursor (cirrus only) */
	48	+ update \|= vga_scanline_invalidated(s, y);
	49	if (update) {
	50	if (y_start < 0)
	51	y_start = y;
	52	@@ -1686,7 +1694,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
	53	page_max - page_min,
	54	DIRTY_MEMORY_VGA);
	55	}
	56	- memset(s->invalidated_y_table, 0, ((height + 31) >> 5) * 4);
	57	+ memset(s->invalidated_y_table, 0, sizeof(s->invalidated_y_table));
	58	}
	59
	60	static void vga_draw_blank(VGACommonState *s, int full_update)
	61	--
	62	2.11.0
	63