diff options
| -rw-r--r-- | hw/display/vga.c | 4 | ||||
| -rw-r--r-- | hw/display/virtio-gpu.c | 16 | ||||
| -rw-r--r-- | hw/display/vmware_vga.c | 5 |
3 files changed, 18 insertions, 7 deletions
diff --git a/hw/display/vga.c b/hw/display/vga.c index 1d19f6bc48..a64a0942da 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -1666,9 +1666,9 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) /* scanline wraps from end of video memory to the start */ assert(force_shadow); update = memory_region_snapshot_get_dirty(&s->vram, snap, - page0, 0); + page0, s->vbe_size - page0); update |= memory_region_snapshot_get_dirty(&s->vram, snap, - page1, 0); + 0, page1); } else { update = memory_region_snapshot_get_dirty(&s->vram, snap, page0, page1 - page0); diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 43bbe09ea0..274e365713 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -322,6 +322,18 @@ static pixman_format_code_t get_pixman_format(uint32_t virtio_gpu_format) } } +static uint32_t calc_image_hostmem(pixman_format_code_t pformat, + uint32_t width, uint32_t height) +{ + /* Copied from pixman/pixman-bits-image.c, skip integer overflow check. + * pixman_image_create_bits will fail in case it overflow. + */ + + int bpp = PIXMAN_FORMAT_BPP(pformat); + int stride = ((width * bpp + 0x1f) >> 5) * sizeof(uint32_t); + return height * stride; +} + static void virtio_gpu_resource_create_2d(VirtIOGPU *g, struct virtio_gpu_ctrl_command *cmd) { @@ -366,7 +378,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, return; } - res->hostmem = PIXMAN_FORMAT_BPP(pformat) * c2d.width * c2d.height; + res->hostmem = calc_image_hostmem(pformat, c2d.width, c2d.height); if (res->hostmem + g->hostmem < g->conf.max_hostmem) { res->image = pixman_image_create_bits(pformat, c2d.width, @@ -1087,7 +1099,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, return -EINVAL; } - res->hostmem = PIXMAN_FORMAT_BPP(pformat) * res->width * res->height; + res->hostmem = calc_image_hostmem(pformat, res->width, res->height); res->addrs = g_new(uint64_t, res->iov_cnt); res->iov = g_new(struct iovec, res->iov_cnt); diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c index cdc3fed6ca..0e6673a911 100644 --- a/hw/display/vmware_vga.c +++ b/hw/display/vmware_vga.c @@ -679,10 +679,9 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) if (cursor.width > 256 || cursor.height > 256 || cursor.bpp > 32 - || SVGA_BITMAP_SIZE(x, y) - > sizeof(cursor.mask) / sizeof(cursor.mask[0]) + || SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask) || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) - > sizeof(cursor.image) / sizeof(cursor.image[0])) { + > ARRAY_SIZE(cursor.image)) { goto badcmd; } |