diff mbox series

cirrus_vga: fix potential memory overflow

Message ID 20220929122352.1891-1-luzhipeng@cestc.cn (mailing list archive)
State New, archived
Headers show
Series cirrus_vga: fix potential memory overflow | expand

Commit Message

Zhipeng Lu Sept. 29, 2022, 12:23 p.m. UTC 
From: lu zhipeng <luzhipeng@cestc.cn>

Signed-off-by: lu zhipeng <luzhipeng@cestc.cn>
---
 hw/display/cirrus_vga.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Gerd Hoffmann Oct. 12, 2022, 9:01 a.m. UTC | #1 
On Thu, Sep 29, 2022 at 08:23:52PM +0800, luzhipeng wrote:
> From: lu zhipeng <luzhipeng@cestc.cn>
> 
> Signed-off-by: lu zhipeng <luzhipeng@cestc.cn>

> -                copy_count = s->cirrus_srcptr_end - end_ptr;
> +                copy_count = MIN(s->cirrus_srcptr_end - end_ptr, CIRRUS_BLTBUFSIZE);

Added to patch queue.

thanks,
  Gerd
diff mbox series

Patch

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 3bb6a58698..2577005d03 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -834,7 +834,7 @@  static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
                    word alignment, so we keep them for the next line */
                 /* XXX: keep alignment to speed up transfer */
                 end_ptr = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-                copy_count = s->cirrus_srcptr_end - end_ptr;
+                copy_count = MIN(s->cirrus_srcptr_end - end_ptr, CIRRUS_BLTBUFSIZE);
                 memmove(s->cirrus_bltbuf, end_ptr, copy_count);
                 s->cirrus_srcptr = s->cirrus_bltbuf + copy_count;
                 s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;