On Fri, Nov 25, 2022 at 9:35 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
RFC: Please double-check qxl_render_update_area_unlocked()
---
hw/display/qxl-logger.c | 11 ++++++++---
hw/display/qxl-render.c | 11 +++++++----
hw/display/qxl.c | 14 +++++++++-----
hw/display/qxl.h | 4 +++-
4 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index ca217004bf..1b0a50c1aa 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -107,7 +107,8 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice
*qxl)
qxl->guest_primary.resized = 0;
qxl->guest_primary.data = qxl_phys2virt(qxl,
qxl->guest_primary.surface.mem,
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST,
+ sizeof(uint32_t) * width *
height);
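Review bot: the size passed here, `sizeof(uint32_t) * width * height`, hard-codes four bytes per pixel and ignores the row stride of the primary surface, so it does not describe the memory the renderer actually touches when the guest picks a 16 bpp format or pads its rows; derive the bound from the surface's stride and height instead so that the check added on top of this argument matches the real access pattern. The hunk's context also does not show where `width` and `height` are defined in qxl_render_update_area_unlocked(), which fits the RFC request above to double-check this function: confirm both are in scope and taken from the guest primary surface before this lands.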
It looks wrong; I think it should be:
qxl->guest_primary.abs_stride * height * qxl->guest_primary.bytes_pp
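As an added illustration of what the size argument buys, not code from this patch or from QEMU: a constructed, stand-alone model of a slot-based guest-to-host translation that refuses any range that does not fit inside the slot, together with the stride-based surface size a caller would pass. All names (ExampleMemSlot, example_phys2virt, example_surface_bytes, the slot layout and addresses) are hypothetical, and the example assumes the stride is expressed in bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a guest memory slot (not QEMU's QXL structures):
 * the guest names memory by slot id + guest-physical address, and the
 * device resolves that to a pointer into the slot's host backing. */
typedef struct {
    bool     active;
    uint64_t guest_base;  /* first guest-physical address the slot covers */
    uint64_t size;        /* bytes covered by the slot */
    uint8_t *host_base;   /* host memory backing the slot */
} ExampleMemSlot;

#define EXAMPLE_NUM_SLOTS 2
#define EXAMPLE_SLOT_BYTES 0x200000u   /* 2 MiB per slot, chosen for the demo */

typedef struct {
    ExampleMemSlot slots[EXAMPLE_NUM_SLOTS];
} ExampleDevice;

/* Resolve (slot_id, addr) to host memory, but only if the whole
 * [addr, addr + size) range lies inside the slot. Each comparison is
 * arranged so that nothing is ever added to `addr` or `size`: a huge
 * `size`, or an `addr` near the top of the address space, cannot wrap
 * around and slip past the check. Without the `size` parameter the
 * function could only validate the first byte of the range. */
uint8_t *example_phys2virt(ExampleDevice *dev, unsigned slot_id,
                           uint64_t addr, size_t size)
{
    if (slot_id >= EXAMPLE_NUM_SLOTS) {
        return NULL;
    }
    ExampleMemSlot *slot = &dev->slots[slot_id];
    if (!slot->active || addr < slot->guest_base) {
        return NULL;
    }
    uint64_t offset = addr - slot->guest_base;      /* cannot underflow */
    if (offset > slot->size || size > slot->size - offset) {
        return NULL;                                /* range runs past slot */
    }
    return slot->host_base + offset;
}

/* Bytes spanned by a surface whose rows are `stride_bytes` apart
 * (assumption: the stride is in bytes and already accounts for the pixel
 * format and any row padding). The last row ends stride * height bytes
 * after the start, so that is the size a bounds check has to cover.
 * Returns 0 if the product would overflow size_t (a zero-sized surface
 * also yields 0, which a caller must reject anyway). */
size_t example_surface_bytes(size_t stride_bytes, size_t height)
{
    if (height != 0 && stride_bytes > SIZE_MAX / height) {
        return 0;                                   /* product would overflow */
    }
    return stride_bytes * height;
}

/* Constructed device: slot 0 maps guest 0x1000..0x200fff onto a static
 * buffer, slot 1 is left inactive. */
ExampleDevice *example_demo_device(void)
{
    static uint8_t backing[EXAMPLE_SLOT_BYTES];
    static ExampleDevice dev;
    dev.slots[0].active = true;
    dev.slots[0].guest_base = 0x1000;
    dev.slots[0].size = EXAMPLE_SLOT_BYTES;
    dev.slots[0].host_base = backing;
    dev.slots[1].active = false;
    return &dev;
}

int main(void)
{
    ExampleDevice *dev = example_demo_device();
    /* A 640 x 480 surface at 32 bpp with no padding: 2560-byte rows. */
    size_t bytes = example_surface_bytes(2560, 480);
    printf("surface needs %zu bytes\n", bytes);
    printf("surface at 0x1000: %s\n",
           example_phys2virt(dev, 0, 0x1000, bytes) ? "fits" : "rejected");
    printf("SIZE_MAX bytes at 0x1010: %s\n",
           example_phys2virt(dev, 0, 0x1010, SIZE_MAX) ? "fits" : "rejected");
    return 0;
}
```

The second and third checks in example_phys2virt are the whole point: comparing `size` against the bytes remaining after `offset`, rather than computing `offset + size`, keeps the test correct even when the guest supplies a length that would wrap a 64-bit addition.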