| Message ID | 20190912121835.18362-3-kraxel@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ati: fix ati_cursor_define bug. | expand |
On Thu, 12 Sep 2019, Gerd Hoffmann wrote: > This makes sure reads are confined to vga video memory. > > Reported-by: xu hang <flier_m@outlook.com> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/display/ati.c | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/hw/display/ati.c b/hw/display/ati.c > index 8f940eee221a..6d77c40b8287 100644 > --- a/hw/display/ati.c > +++ b/hw/display/ati.c > @@ -19,6 +19,7 @@ > #include "qemu/osdep.h" > #include "ati_int.h" > #include "ati_regs.h" > +#include "vga-access.h" > #include "hw/qdev-properties.h" > #include "vga_regs.h" > #include "qemu/log.h" > @@ -135,19 +136,19 @@ static void ati_vga_switch_mode(ATIVGAState *s) > static void ati_cursor_define(ATIVGAState *s) > { > uint8_t data[1024]; > - uint8_t *src; > + unsigned srcoff; > int i, j, idx = 0; > > if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) { > return; /* Do not update cursor if locked or rendered by guest */ > } > /* FIXME handle cur_hv_offs correctly */ > - src = s->vga.vram_ptr + s->regs.cur_offset - > - (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16; > + srcoff = s->regs.cur_offset - > + (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16; Do we need similar fix in ati_cursor_draw_line() as well which also accesses cursor data when guest_hwcursor property is true? Regards, BALATON Zoltan > for (i = 0; i < 64; i++) { > for (j = 0; j < 8; j++, idx++) { > - data[idx] = src[i * 16 + j]; > - data[512 + idx] = src[i * 16 + j + 8]; > + data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j); > + data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8); > } > } > if (!s->cursor) { >
diff --git a/hw/display/ati.c b/hw/display/ati.c index 8f940eee221a..6d77c40b8287 100644 --- a/hw/display/ati.c +++ b/hw/display/ati.c @@ -19,6 +19,7 @@ #include "qemu/osdep.h" #include "ati_int.h" #include "ati_regs.h" +#include "vga-access.h" #include "hw/qdev-properties.h" #include "vga_regs.h" #include "qemu/log.h" @@ -135,19 +136,19 @@ static void ati_vga_switch_mode(ATIVGAState *s) static void ati_cursor_define(ATIVGAState *s) { uint8_t data[1024]; - uint8_t *src; + unsigned srcoff; int i, j, idx = 0; if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) { return; /* Do not update cursor if locked or rendered by guest */ } /* FIXME handle cur_hv_offs correctly */ - src = s->vga.vram_ptr + s->regs.cur_offset - - (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16; + srcoff = s->regs.cur_offset - + (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16; for (i = 0; i < 64; i++) { for (j = 0; j < 8; j++, idx++) { - data[idx] = src[i * 16 + j]; - data[512 + idx] = src[i * 16 + j + 8]; + data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j); + data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8); } } if (!s->cursor) {
This makes sure reads are confined to vga video memory. Reported-by: xu hang <flier_m@outlook.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/display/ati.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)