1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Gerd Hoffmann <kraxel@redhat.com>
3 Date: Fri, 21 Apr 2017 11:16:26 +0200
4 Subject: [PATCH] vga: add vga_scanline_invalidated helper
5
6 Add vga_scanline_invalidated helper to check whether a scanline was
7 invalidated. Add a sanity check to fix OOB read access for display
8 heights larger than 2048.
9
10 Only cirrus uses this, for hardware cursor rendering, so having this
11 work properly for the first 2048 scanlines only shouldn't be a problem
12 as the cirrus can't handle large resolutions anyway. Also changing the
13 invalidated_y_table size would break live migration.
14
15 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
16 Message-id: 20170421091632.30900-4-kraxel@redhat.com
17 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
18 ---
19 hw/display/vga.c | 14 +++++++++++---
20 1 file changed, 11 insertions(+), 3 deletions(-)
21
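diff --git a/hw/display/vga.c b/hw/display/vga.c
index 69c3e1d674..3991b88aac 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1434,6 +1434,14 @@ void vga_invalidate_scanlines(VGACommonState *s, int y1, int y2)
 }
 }
 
+static bool vga_scanline_invalidated(VGACommonState *s, int y)
+{
+ if (y >= VGA_MAX_HEIGHT) {
+ return false;
+ }
+ return s->invalidated_y_table[y >> 5] & (1 << (y & 0x1f));
+}
+
 void vga_sync_dirty_bitmap(VGACommonState *s)
 {
 memory_region_sync_dirty_bitmap(&s->vram);
@@ -1638,8 +1646,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
 page1 = addr + bwidth - 1;
 update |= memory_region_get_dirty(&s->vram, page0, page1 - page0,
 DIRTY_MEMORY_VGA);
- /* explicit invalidation for the hardware cursor */
- update |= (s->invalidated_y_table[y >> 5] >> (y & 0x1f)) & 1;
+ /* explicit invalidation for the hardware cursor (cirrus only) */
+ update |= vga_scanline_invalidated(s, y);
 if (update) {
 if (y_start < 0)
 y_start = y;
@@ -1686,7 +1694,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
 page_max - page_min,
 DIRTY_MEMORY_VGA);
 }
- memset(s->invalidated_y_table, 0, ((height + 31) >> 5) * 4);
+ memset(s->invalidated_y_table, 0, sizeof(s->invalidated_y_table));
 }
 
 static void vga_draw_blank(VGACommonState *s, int full_update)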
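Review bot: In the first hunk, vga_scanline_invalidated() bounds y only from above, so a negative y would still index invalidated_y_table out of range. The visible caller in vga_draw_graphic appears to pass a non-negative loop counter, but since this helper is where the bounds check now lives, the guard is safer as `if (y < 0 || y >= VGA_MAX_HEIGHT) {`. The mask `1 << (y & 0x1f)` also shifts a signed int into the sign bit when the low five bits of y are 31, which is undefined in C; `1U << (y & 0x1f)` avoids that, and the expression it replaces (shift the table word right, then `& 1`) did not have the problem. A short comment above the helper, such as `/* scanlines at or beyond VGA_MAX_HEIGHT are never reported as invalidated */`, would record the deliberate limitation described in the commit message. The bodies of vga_invalidate_scanlines and vga_draw_graphic lie mostly outside these hunks, so whether the writer side is bounded the same way cannot be confirmed from here.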
61 --
62 2.11.0
63