diff options
| author | Radim Krčmář <rkrcmar@redhat.com> | 2015-02-17 17:30:51 +0100 |
|---|---|---|
| committer | Gerd Hoffmann <kraxel@redhat.com> | 2015-03-03 08:33:08 +0100 |
| commit | 876d516311c1538a7d29f2abec48b7cda0645eea (patch) | |
| tree | 5b3ff196cabf460f9ae287031430359c4effd8dd /hw/display/vga.c | |
| parent | 03d9825d15e17e444e00bd4caa9edb0d57022794 (diff) | |
| download | qemu-876d516311c1538a7d29f2abec48b7cda0645eea.tar.gz | |
spice: fix invalid memory access to vga.vram
vga_common_init() doesn't allow more than 256 MiB vram size and silently
shrinks any larger value. qxl_dirty_surfaces() used the unshrinked size
via qxl->shadow_rom.surface0_area_size when accessing the memory, which
resulted in segfault.
Add a workaround for this case and an assert if it happens again.
We have to bump the vga memory limit too, because 256 MiB wouldn't have
allowed 8k (it requires more than 128 MiB).
1024 MiB doesn't work, but 512 MiB seems fine.
Proposed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/display/vga.c')
| -rw-r--r-- | hw/display/vga.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/hw/display/vga.c b/hw/display/vga.c index c8c49abc6e..6e4ca7e9ab 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -2121,10 +2121,10 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate) expand4to8[i] = v; } - /* valid range: 1 MB -> 256 MB */ + /* valid range: 1 MB -> 512 MB */ s->vram_size = 1024 * 1024; while (s->vram_size < (s->vram_size_mb << 20) && - s->vram_size < (256 << 20)) { + s->vram_size < (512 << 20)) { s->vram_size <<= 1; } s->vram_size_mb = s->vram_size >> 20; |