From: Philippe Mathieu-Daudé
Subject: Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Date: Mon, 28 Nov 2022 17:52:07 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
On 28/11/22 17:29, Philippe Mathieu-Daudé wrote:
> On 28/11/22 17:18, Philippe Mathieu-Daudé wrote:
>> On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
>>> On 28/11/22 16:08, Gerd Hoffmann wrote:
>>>> Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in
>>>> qxl_cursor) accesses chunk.data[] without calling qxl_unpack_chunks(),
>>>> that needs additional verification too (or switch it to call
>>>> qxl_unpack_chunks, or just drop it because nobody uses monochrome
>>>> cursors anyway).
>>>
>>> Per commit 36ffc122dc ("qxl: support mono cursors with inverted colors")
>>> "Monochrome cursors are still used by Windows guests" (i.e. Win2008R2) :/
>>
>> Hmm I guess I'm missing something in qxl_cursor() following the
>> SPICE_CURSOR_TYPE_MONO case.
>>
>> - cursor_alloc() allocates QEMUCursor* c but doesn't set c->data,
Sorry long day, cursor_alloc() does allocate c->data:

    typedef struct QEMUCursor {
        int                 width, height;
        int                 hot_x, hot_y;
        int                 refcount;
        uint32_t            data[];
    } QEMUCursor;

    QEMUCursor *cursor_alloc(int width, int height)
    {
        QEMUCursor *c;
        size_t datasize = width * height * sizeof(uint32_t);

        if (width > 512 || height > 512) {
            return NULL;
        }

        c = g_malloc0(sizeof(QEMUCursor) + datasize);
>> - nothing seems to set c->data
>> - cursor_set_mono() is called and *(c->data) is assigned... ?
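The two checks this thread circles around are (a) capping the cursor dimensions before computing the flexible-array allocation, as the quoted cursor_alloc() does, and (b) validating a guest-supplied chunk against the size that will actually be read before translating it to a host pointer, which is what passing the requested buffer size to the translation routine is for. The example below is added here and is not QEMU code: MemRegion, phys2virt_checked(), cursor_alloc_checked(), load_mono_cursor() and the two-plane bitmap layout are all constructed for illustration and only mirror the shape of the real QXL/cursor code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a guest RAM region (not QEMU's MemoryRegion):
 * a host buffer plus the guest-physical address it starts at. */
typedef struct {
    uint64_t gpa_base;
    uint8_t *host;
    size_t len;
} MemRegion;

static uint8_t g_guest_mem[4096];
static const MemRegion g_region = { 0x1000, g_guest_mem, sizeof g_guest_mem };

/* Hypothetical translation helper: returns a host pointer only if the whole
 * [gpa, gpa + size) range lies inside the region, NULL otherwise.  The
 * comparisons avoid computing gpa + size, so a large guest value cannot wrap. */
void *phys2virt_checked(const MemRegion *r, uint64_t gpa, size_t size)
{
    if (size == 0 || gpa < r->gpa_base) {
        return NULL;
    }
    uint64_t off = gpa - r->gpa_base;
    if (off >= r->len || size > r->len - off) {
        return NULL;
    }
    return r->host + off;
}

/* Cursor with a flexible array member, same shape as the QEMUCursor above. */
typedef struct {
    int width, height;
    uint32_t data[];
} Cursor;

/* Like the quoted cursor_alloc(): bound the dimensions so that
 * width * height * 4 cannot overflow, then zero the pixel storage. */
Cursor *cursor_alloc_checked(int width, int height)
{
    if (width <= 0 || height <= 0 || width > 512 || height > 512) {
        return NULL;
    }
    size_t datasize = (size_t)width * (size_t)height * sizeof(uint32_t);
    Cursor *c = calloc(1, sizeof(Cursor) + datasize);
    if (c) {
        c->width = width;
        c->height = height;
    }
    return c;
}

/* Expand a 1-bit-per-pixel cursor from guest memory into c->data, checking the
 * guest-supplied chunk length and the translation before any byte is read.
 * The layout is a constructed simplification, not the SPICE format: a mask
 * plane (bit set = opaque) followed by an image plane (bit set = white). */
bool load_mono_cursor(const MemRegion *r, uint64_t chunk_gpa, size_t chunk_len,
                      Cursor *c)
{
    size_t bpl = ((size_t)c->width + 7) / 8;      /* bytes per row */
    size_t plane = bpl * (size_t)c->height;       /* bytes per plane */
    size_t need = plane * 2;
    if (chunk_len < need) {
        return false;                             /* descriptor too small */
    }
    const uint8_t *mask = phys2virt_checked(r, chunk_gpa, need);
    if (!mask) {
        return false;                             /* not fully inside guest RAM */
    }
    const uint8_t *image = mask + plane;
    for (int y = 0; y < c->height; y++) {
        for (int x = 0; x < c->width; x++) {
            size_t byte = (size_t)y * bpl + (size_t)x / 8;
            unsigned shift = 7 - (unsigned)x % 8;
            bool opaque = (mask[byte] >> shift) & 1;
            bool white = (image[byte] >> shift) & 1;
            c->data[(size_t)y * (size_t)c->width + (size_t)x] =
                !opaque ? 0x00000000u : (white ? 0xffffffffu : 0xff000000u);
        }
    }
    return true;
}

/* Demo: an 8x2 cursor whose bits sit at guest address 0x1100.  Returns the
 * number of opaque pixels decoded (8), or -1 if a check misbehaved. */
int demo_mono_cursor(void)
{
    /* constructed bitmap: mask rows 0xF0/0x0F, image rows 0xAA/0x55 */
    static const uint8_t bits[4] = { 0xF0, 0x0F, 0xAA, 0x55 };
    memcpy(g_guest_mem + 0x100, bits, sizeof bits);

    Cursor *c = cursor_alloc_checked(8, 2);
    if (!c) {
        return -1;
    }
    /* an undersized chunk and a chunk running past the region are both rejected */
    if (load_mono_cursor(&g_region, 0x1100, 3, c) ||
        load_mono_cursor(&g_region, 0x1000 + sizeof g_guest_mem - 2, 4, c) ||
        !load_mono_cursor(&g_region, 0x1100, sizeof bits, c)) {
        free(c);
        return -1;
    }
    int opaque = 0;
    for (int i = 0; i < c->width * c->height; i++) {
        opaque += (c->data[i] >> 24) != 0;
    }
    free(c);
    return opaque;
}
```

Calling demo_mono_cursor() exercises the whole path: the size cap in cursor_alloc_checked(), the chunk-length check, the range check in phys2virt_checked(), and finally the bit expansion into the zeroed c->data. The point the example makes is the one the patch subject states: the translation routine can only reject a too-short or out-of-range chunk if the caller tells it how many bytes it intends to read.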