1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Gerd Hoffmann <kraxel@redhat.com>
3 Date: Fri, 21 Apr 2017 11:16:26 +0200
4 Subject: [PATCH] vga: add vga_scanline_invalidated helper
6 Add vga_scanline_invalidated helper to check whether a scanline was
7 invalidated. Add a sanity check to fix OOB read access for display
8 heights larger than 2048.
10 Only cirrus uses this, for hardware cursor rendering, so having this
11 work properly for the first 2048 scanlines only shouldn't be a problem
12 as the cirrus can't handle large resolutions anyway. Also changing the
13 invalidated_y_table size would break live migration.
15 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
16 Message-id: 20170421091632.30900-4-kraxel@redhat.com
17 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
19 hw/display/vga.c | 14 +++++++++++---
20 1 file changed, 11 insertions(+), 3 deletions(-)
22 diff --git a/hw/display/vga.c b/hw/display/vga.c
23 index 69c3e1d674..3991b88aac 100644
24 --- a/hw/display/vga.c
25 +++ b/hw/display/vga.c
26 @@ -1434,6 +1434,14 @@ void vga_invalidate_scanlines(VGACommonState *s, int y1, int y2)
30 +static bool vga_scanline_invalidated(VGACommonState *s, int y)
32 + if (y >= VGA_MAX_HEIGHT) {
35 + return s->invalidated_y_table[y >> 5] & (1 << (y & 0x1f));
38 void vga_sync_dirty_bitmap(VGACommonState *s)
40 memory_region_sync_dirty_bitmap(&s->vram);
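Review bot: The guard in `vga_scanline_invalidated` rejects only `y >= VGA_MAX_HEIGHT`, so a negative `y` would still index before `invalidated_y_table`, and nothing visible here ties `VGA_MAX_HEIGHT` to the table's declared size. The caller in the next hunk appears to pass a non-negative loop counter, but since this helper is the single bounds check for the read, I would make it self-contained with `if (y < 0 || y >= VGA_MAX_HEIGHT)` and add `QEMU_BUILD_BUG_ON(VGA_MAX_HEIGHT > sizeof(s->invalidated_y_table) * 8);`. Separately, `1 << (y & 0x1f)` shifts into the sign bit of an `int` when the low five bits are 31, which the removed `(… >> (y & 0x1f)) & 1` form avoided; `1u << (y & 0x1f)` keeps the mask unsigned. The helper's braces and early-return line are not shown on this page, so the exact body should be checked against the tree.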
41 @@ -1638,8 +1646,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
42 page1 = addr + bwidth - 1;
43 update |= memory_region_get_dirty(&s->vram, page0, page1 - page0,
45 - /* explicit invalidation for the hardware cursor */
46 - update |= (s->invalidated_y_table[y >> 5] >> (y & 0x1f)) & 1;
47 + /* explicit invalidation for the hardware cursor (cirrus only) */
48 + update |= vga_scanline_invalidated(s, y);
52 @@ -1686,7 +1694,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
56 - memset(s->invalidated_y_table, 0, ((height + 31) >> 5) * 4);
57 + memset(s->invalidated_y_table, 0, sizeof(s->invalidated_y_table));
60 static void vga_draw_blank(VGACommonState *s, int full_update)
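Review bot: The new `memset` line has no comment explaining why the length is no longer derived from `height`, and the commit message mentions only the read side. Going by the message's statement that the table covers the first 2048 scanlines, the old `((height + 31) >> 5) * 4` would presumably have exceeded the table for taller displays, which is an out-of-bounds write rather than a read. I would add `/* clear the whole table: a height-derived length can exceed it */` above the call so the length is not later changed back. `sizeof` is only correct here while `invalidated_y_table` remains an array member rather than a pointer; its declaration is not on this page, and the body of vga_draw_graphic extends beyond the hunk.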