fridtjof/qemu-cr16
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

hw/display/qxl-render: fix qxl_unpack_chunks() chunk size calculation

Browse source 
In case of multiple chunks, code in qxl_unpack_chunks() takes size of the
wrong (next in the chain) chunk, instead of using current chunk size.
This leads to wrong number of bytes being copied, and to crashes if next
chunk size is larger than the current one.

Based on the code by Gao Yong.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1628
Tested-by: Thaddeus Hogan <thaddeus@thogan.com>
Tested-by: Vadim Zeitlin <vadim@wxwidgets.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250221134856.478806-1-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
This commit is contained in:
Michael Tokarev 2025-02-21 16:48:56 +03:00 committed by Philippe Mathieu-Daudé
parent e895095c78
commit 8e8cb3b572
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
hw/display/qxl-render.c
View file

@ -222,6 +222,7 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
uint32_t max_chunks = 32;
size_t offset = 0;
size_t bytes;
QXLPHYSICAL next_chunk_phys = 0;
for (;;) {
bytes = MIN(size - offset, chunk->data_size);
@ -230,7 +231,15 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
if (offset == size) {
return;
}
chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
next_chunk_phys = chunk->next_chunk;
/* fist time, only get the next chunk's data size */
chunk = qxl_phys2virt(qxl, next_chunk_phys, group_id,
sizeof(QXLDataChunk));
if (!chunk) {
return;
}
/* second time, check data size and get data */
chunk = qxl_phys2virt(qxl, next_chunk_phys, group_id,
sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
return;