Re: [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer siz

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer siz

From:	Gerd Hoffmann
Subject:	Re: [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Date:	Tue, 29 Nov 2022 08:09:42 +0100

> @@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, 
> PCIQXLDevice *qxl,
>          if (offset == size) {
>              return;
>          }
> -        chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
> +        chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
> +                              sizeof(QXLDataChunk) + chunk->data_size);
>          if (!chunk) {
>              return;
>          }

Not checking the first chunk?

> @@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt 
> *ext)
>      }
>      switch (cmd->type) {
>      case QXL_CURSOR_SET:
> -        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
> +        /* First read the QXLCursor to get QXLDataChunk::data_size ... */
> +        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
> +                               sizeof(QXLCursor));
> +        if (!cursor) {
> +            return 1;
> +        }
> +        /* Then read including the chunked data following QXLCursor. */
> +        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
> +                               sizeof(QXLCursor) + cursor->chunk.data_size);
>          if (!cursor) {
>              return 1;
>          }

Ah, you do it here.  Good.

Series:
Acked-by: Gerd Hoffmann <kraxel@redhat.com>

take care,
  Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

[RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
- [PATCH-for-7.2 v3 1/5] hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler, Philippe Mathieu-Daudé, 2022/11/28
- [PATCH-for-7.2 v3 2/5] hw/display/qxl: Document qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
- [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
  - Re: [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt(), Gerd Hoffmann <=
- [PATCH-for-8.0 v3 5/5] hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion, Philippe Mathieu-Daudé, 2022/11/28
- [RFC PATCH-for-7.2 v3 4/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144), Philippe Mathieu-Daudé, 2022/11/28
- Re: [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(), Stefan Hajnoczi, 2022/11/30

Prev by Date: Re: [PATCH v14 4/5] hw/riscv: virt: Add PMU DT node to the device tree
Next by Date: Re: [PATCH v14 4/5] hw/riscv: virt: Add PMU DT node to the device tree
Previous by thread: [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Next by thread: [PATCH-for-8.0 v3 5/5] hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
Index(es):
- Date
- Thread