changeset 14912:9e86260b95a4
[qemu-dm] Add bounds checks for cirrus bitblit memory accesses.
Signed-off-by: Christian Limpach <Christian.Limpach@xensource.com>
Signed-off-by: Christian Limpach <Christian.Limpach@xensource.com>
author | Christian Limpach <Christian.Limpach@xensource.com> |
---|---|
date | Tue Apr 24 17:02:07 2007 +0100 (2007-04-24) |
parents | a99093e602c6 |
children | 837d12d4d2d1 |
files | tools/ioemu/hw/cirrus_vga.c tools/ioemu/hw/cirrus_vga_rop.h tools/ioemu/hw/cirrus_vga_rop2.h |
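--- a/tools/ioemu/hw/cirrus_vga.c Tue Apr 24 16:52:15 2007 +0100
+++ b/tools/ioemu/hw/cirrus_vga.c Tue Apr 24 17:02:07 2007 +0100
@@ -601,7 +601,8 @@ static void cirrus_invalidate_region(Cir
 off_cur_end = off_cur + bytesperline;
 off_cur &= TARGET_PAGE_MASK;
 while (off_cur < off_cur_end) {
-cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
+cpu_physical_memory_set_dirty(s->vram_offset +
+(off_cur & s->cirrus_addr_mask));
 off_cur += TARGET_PAGE_SIZE;
 }
 off_begin += off_pitch;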
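Review bot: The new `& s->cirrus_addr_mask` on the dirty-page offset needs a why-comment, because on its own it reads like a defensive mask rather than a deliberate mirror of the wrap that the blit ROPs in cirrus_vga_rop.h and cirrus_vga_rop2.h now apply to every VRAM access; without it a later cleanup could drop either side and leave dirty tracking pointing at a different page than the one the blit actually wrote. Suggested line above the call: `/* blit addresses wrap at cirrus_addr_mask (see cirrus_vga_rop*.h); mark the page that was really written */`. If off_cur and off_begin are signed (their declarations are outside the hunk), a negative offset from a backward blit is wrapped by the conversion to the mask's type here — worth a second comment confirming that wrap is intended rather than incidental. cirrus_invalidate_region starts and ends outside the hunk.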
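--- a/tools/ioemu/hw/cirrus_vga_rop.h Tue Apr 24 16:52:15 2007 +0100
+++ b/tools/ioemu/hw/cirrus_vga_rop.h Tue Apr 24 17:02:07 2007 +0100
@@ -22,18 +22,36 @@
  * THE SOFTWARE.
  */
 
+#define get_base(p, s, b) do { \
+if ((p) >= (s)->vram_ptr && (p) < (s)->vram_ptr + (s)->vram_size) \
+(b) = (s)->vram_ptr; \
+else if ((p) >= &(s)->cirrus_bltbuf[0] && \
+(p) < &(s)->cirrus_bltbuf[CIRRUS_BLTBUFSIZE]) \
+(b) = &(s)->cirrus_bltbuf[0]; \
+else \
+return; \
+} while(0)
+
+#define m(x) ((x) & s->cirrus_addr_mask)
+
 static void
 glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
-uint8_t *dst,const uint8_t *src,
+uint8_t *dst_,const uint8_t *src_,
 int dstpitch,int srcpitch,
 int bltwidth,int bltheight)
 {
 int x,y;
+uint32_t dst, src;
+uint8_t *dst_base, *src_base;
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 dstpitch -= bltwidth;
 srcpitch -= bltwidth;
 for (y = 0; y < bltheight; y++) {
 for (x = 0; x < bltwidth; x++) {
-ROP_OP(*dst, *src);
+ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
 dst++;
 src++;
 }
@@ -44,16 +62,22 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
 
 static void
 glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
-uint8_t *dst,const uint8_t *src,
+uint8_t *dst_,const uint8_t *src_,
 int dstpitch,int srcpitch,
 int bltwidth,int bltheight)
 {
 int x,y;
+uint32_t dst, src;
+uint8_t *dst_base, *src_base;
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 dstpitch += bltwidth;
 srcpitch += bltwidth;
 for (y = 0; y < bltheight; y++) {
 for (x = 0; x < bltwidth; x++) {
-ROP_OP(*dst, *src);
+ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
 dst--;
 src--;
 }
@@ -76,3 +100,6 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(
 
 #undef ROP_NAME
 #undef ROP_OP
+
+#undef get_base
+#undef m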
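Review bot: `m()` bounds every access with `s->cirrus_addr_mask`, yet `get_base` also accepts a pointer into `cirrus_bltbuf`, which is `CIRRUS_BLTBUFSIZE` bytes long; unless that mask is no larger than `CIRRUS_BLTBUFSIZE - 1` (neither value is visible here), a blit whose src or dst sits in the blit buffer is wrapped only at the VRAM size, and `dst_base + m(dst)` on the ROP_OP lines of both the fwd and bkwd loops can still run past the end of that buffer for a large enough bltwidth × bltheight. The same two macros back every function in cirrus_vga_rop2.h, so the gap applies there as well and is not repeated per hunk. One way to close it within this design is to have `get_base` also yield the wrap mask of the region it selected and mask each side with its own value, as sketched below; the `m()` callers in cirrus_vga_rop2.h would carry the same pair of locals. Separately, `get_base` hides a `return` inside a statement-looking macro and `m()` silently depends on a local named `s`, so each definition deserves a one-line comment saying so.
```c
/* Select the region p points into and the wrap mask that bounds it;
 * a pointer into neither region makes the caller return (blit is a no-op). */
#define get_base(p, s, b, msk) do { \
    if ((p) >= (s)->vram_ptr && (p) < (s)->vram_ptr + (s)->vram_size) { \
        (b) = (s)->vram_ptr; \
        (msk) = (s)->cirrus_addr_mask; \
    } else if ((p) >= &(s)->cirrus_bltbuf[0] && \
               (p) < &(s)->cirrus_bltbuf[CIRRUS_BLTBUFSIZE]) { \
        (b) = &(s)->cirrus_bltbuf[0]; \
        (msk) = CIRRUS_BLTBUFSIZE - 1; /* TODO confirm CIRRUS_BLTBUFSIZE is a power of two */ \
    } else { \
        return; \
    } \
} while (0)

/* Wrap offset x within the region whose mask is msk. */
#define m(x, msk) ((x) & (msk))

/* … unchanged: function head of cirrus_bitblt_rop_fwd_ … */
    uint32_t dst_mask, src_mask;
    get_base(dst_, s, dst_base, dst_mask);
    get_base(src_, s, src_base, src_mask);
/* … unchanged: offset setup and loop heads … */
            ROP_OP(*(dst_base + m(dst, dst_mask)), *(src_base + m(src, src_mask)));
```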
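--- a/tools/ioemu/hw/cirrus_vga_rop2.h Tue Apr 24 16:52:15 2007 +0100
+++ b/tools/ioemu/hw/cirrus_vga_rop2.h Tue Apr 24 17:02:07 2007 +0100
@@ -23,36 +23,42 @@
  */
 
 #if DEPTH == 8
-#define PUTPIXEL() ROP_OP(d[0], col)
+#define PUTPIXEL() ROP_OP((dst_base + m(d))[0], col)
 #elif DEPTH == 16
-#define PUTPIXEL() ROP_OP(((uint16_t *)d)[0], col);
+#define PUTPIXEL() ROP_OP(((uint16_t *)(dst_base + m(d)))[0], col);
 #elif DEPTH == 24
-#define PUTPIXEL() ROP_OP(d[0], col); \
-ROP_OP(d[1], (col >> 8)); \
-ROP_OP(d[2], (col >> 16))
+#define PUTPIXEL() ROP_OP((dst_base + m(d))[0], col); \
+ROP_OP((dst_base + m(d))[1], (col >> 8)); \
+ROP_OP((dst_base + m(d))[2], (col >> 16))
 #elif DEPTH == 32
-#define PUTPIXEL() ROP_OP(((uint32_t *)d)[0], col)
+#define PUTPIXEL() ROP_OP(((uint32_t *)(dst_base + m(d)))[0], col)
 #else
 #error unsupported DEPTH
 #endif
 
 static void
 glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
-(CirrusVGAState * s, uint8_t * dst,
-const uint8_t * src,
+(CirrusVGAState * s, uint8_t * dst_,
+const uint8_t * src_,
 int dstpitch, int srcpitch,
 int bltwidth, int bltheight)
 {
-uint8_t *d;
+uint8_t *dst_base, *src_base;
+uint32_t src, dst;
+uint32_t d;
 int x, y, pattern_y, pattern_pitch, pattern_x;
 unsigned int col;
-const uint8_t *src1;
+uint32_t src1;
 #if DEPTH == 24
 int skipleft = s->gr[0x2f] & 0x1f;
 #else
 int skipleft = (s->gr[0x2f] & 0x07) * (DEPTH / 8);
 #endif
 
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 #if DEPTH == 8
 pattern_pitch = 8;
 #elif DEPTH == 16
@@ -67,19 +73,19 @@ glue(glue(glue(cirrus_patternfill_, ROP_
 src1 = src + pattern_y * pattern_pitch;
 for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
 #if DEPTH == 8
-col = src1[pattern_x];
+col = *(src_base + m(src1 + pattern_x));
 pattern_x = (pattern_x + 1) & 7;
 #elif DEPTH == 16
-col = ((uint16_t *)(src1 + pattern_x))[0];
+col = *(uint16_t *)(src_base + m(src1 + pattern_x));
 pattern_x = (pattern_x + 2) & 15;
 #elif DEPTH == 24
 {
-const uint8_t *src2 = src1 + pattern_x * 3;
+const uint8_t *src2 = src_base + m(src1 + pattern_x * 3);
 col = src2[0] | (src2[1] << 8) | (src2[2] << 16);
 pattern_x = (pattern_x + 1) & 7;
 }
 #else
-col = ((uint32_t *)(src1 + pattern_x))[0];
+col = *(uint32_t *)(src_base + m(src1 + pattern_x));
 pattern_x = (pattern_x + 4) & 31;
 #endif
 PUTPIXEL();
@@ -93,12 +99,14 @@ glue(glue(glue(cirrus_patternfill_, ROP_
 /* NOTE: srcpitch is ignored */
 static void
 glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
-(CirrusVGAState * s, uint8_t * dst,
-const uint8_t * src,
+(CirrusVGAState * s, uint8_t * dst_,
+const uint8_t * src_,
 int dstpitch, int srcpitch,
 int bltwidth, int bltheight)
 {
-uint8_t *d;
+uint8_t *dst_base, *src_base;
+uint32_t src, dst;
+uint32_t d;
 int x, y;
 unsigned bits, bits_xor;
 unsigned int col;
@@ -112,6 +120,10 @@ glue(glue(glue(cirrus_colorexpand_transp
 int dstskipleft = srcskipleft * (DEPTH / 8);
 #endif
 
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
 bits_xor = 0xff;
 col = s->cirrus_blt_bgcol;
@@ -122,12 +134,12 @@ glue(glue(glue(cirrus_colorexpand_transp
 
 for(y = 0; y < bltheight; y++) {
 bitmask = 0x80 >> srcskipleft;
-bits = *src++ ^ bits_xor;
+bits = *(src_base + m(src++)) ^ bits_xor;
 d = dst + dstskipleft;
 for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
 if ((bitmask & 0xff) == 0) {
 bitmask = 0x80;
-bits = *src++ ^ bits_xor;
+bits = *(src_base + m(src++)) ^ bits_xor;
 }
 index = (bits & bitmask);
 if (index) {
@@ -142,13 +154,15 @@ glue(glue(glue(cirrus_colorexpand_transp
 
 static void
 glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
-(CirrusVGAState * s, uint8_t * dst,
-const uint8_t * src,
+(CirrusVGAState * s, uint8_t * dst_,
+const uint8_t * src_,
 int dstpitch, int srcpitch,
 int bltwidth, int bltheight)
 {
+uint8_t *dst_base, *src_base;
+uint32_t src, dst;
 uint32_t colors[2];
-uint8_t *d;
+uint32_t d;
 int x, y;
 unsigned bits;
 unsigned int col;
@@ -156,16 +170,20 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
 int srcskipleft = s->gr[0x2f] & 0x07;
 int dstskipleft = srcskipleft * (DEPTH / 8);
 
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 colors[0] = s->cirrus_blt_bgcol;
 colors[1] = s->cirrus_blt_fgcol;
 for(y = 0; y < bltheight; y++) {
 bitmask = 0x80 >> srcskipleft;
-bits = *src++;
+bits = *(src_base + m(src++));
 d = dst + dstskipleft;
 for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
 if ((bitmask & 0xff) == 0) {
 bitmask = 0x80;
-bits = *src++;
+bits = *(src_base + m(src++));
 }
 col = colors[!!(bits & bitmask)];
 PUTPIXEL();
@@ -178,12 +196,14 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
 
 static void
 glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
-(CirrusVGAState * s, uint8_t * dst,
-const uint8_t * src,
+(CirrusVGAState * s, uint8_t * dst_,
+const uint8_t * src_,
 int dstpitch, int srcpitch,
 int bltwidth, int bltheight)
 {
-uint8_t *d;
+uint8_t *dst_base, *src_base;
+uint32_t src, dst;
+uint32_t d;
 int x, y, bitpos, pattern_y;
 unsigned int bits, bits_xor;
 unsigned int col;
@@ -195,6 +215,10 @@ glue(glue(glue(cirrus_colorexpand_patter
 int dstskipleft = srcskipleft * (DEPTH / 8);
 #endif
 
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
 bits_xor = 0xff;
 col = s->cirrus_blt_bgcol;
@@ -205,7 +229,7 @@ glue(glue(glue(cirrus_colorexpand_patter
 pattern_y = s->cirrus_blt_srcaddr & 7;
 
 for(y = 0; y < bltheight; y++) {
-bits = src[pattern_y] ^ bits_xor;
+bits = *(src_base + m(src + pattern_y)) ^ bits_xor;
 bitpos = 7 - srcskipleft;
 d = dst + dstskipleft;
 for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
@@ -222,25 +246,31 @@ glue(glue(glue(cirrus_colorexpand_patter
 
 static void
 glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
-(CirrusVGAState * s, uint8_t * dst,
-const uint8_t * src,
+(CirrusVGAState * s, uint8_t * dst_,
+const uint8_t * src_,
 int dstpitch, int srcpitch,
 int bltwidth, int bltheight)
 {
+uint8_t *dst_base, *src_base;
+uint32_t src, dst;
 uint32_t colors[2];
-uint8_t *d;
+uint32_t d;
 int x, y, bitpos, pattern_y;
 unsigned int bits;
 unsigned int col;
 int srcskipleft = s->gr[0x2f] & 0x07;
 int dstskipleft = srcskipleft * (DEPTH / 8);
 
+get_base(dst_, s, dst_base);
+get_base(src_, s, src_base);
+dst = dst_ - dst_base;
+src = src_ - src_base;
 colors[0] = s->cirrus_blt_bgcol;
 colors[1] = s->cirrus_blt_fgcol;
 pattern_y = s->cirrus_blt_srcaddr & 7;
 
 for(y = 0; y < bltheight; y++) {
-bits = src[pattern_y];
+bits = *(src_base + m(src + pattern_y));
 bitpos = 7 - srcskipleft;
 d = dst + dstskipleft;
 for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
@@ -257,13 +287,17 @@ glue(glue(glue(cirrus_colorexpand_patter
 static void
 glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH)
 (CirrusVGAState *s,
-uint8_t *dst, int dst_pitch,
+uint8_t *dst_, int dst_pitch,
 int width, int height)
 {
-uint8_t *d, *d1;
+uint8_t *dst_base;
+uint32_t dst;
+uint32_t d, d1;
 uint32_t col;
 int x, y;
 
+get_base(dst_, s, dst_base);
+dst = dst_ - dst_base;
 col = s->cirrus_blt_fgcol;
 
 d1 = dst;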
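Review bot: Masking only the first byte of a multi-byte pixel does not bound the whole access: in the PUTPIXEL hunk the DEPTH 16 and 32 variants cast `dst_base + m(d)` and write 2 or 4 bytes from it, the DEPTH 24 variant indexes `[1]` and `[2]` off the one masked address, and in cirrus_patternfill the 16/32-bit `col` reads and the 24-bit `src2[1]`/`src2[2]` reads do the same. When `m(d)` lands on the last bytes of the region the tail of the pixel is read or written 1–3 bytes beyond it, so the bound this commit introduces is short by up to three bytes at the wrap point (whether vram_size or the blit buffer is padded to absorb that is not visible here). For the byte-wise 24-bit paths the fix is to mask every byte, i.e. `ROP_OP((dst_base + m(d + 1))[0], (col >> 8)); \` and `ROP_OP((dst_base + m(d + 2))[0], (col >> 16))`, with `src2` likewise read through `m()` per byte; for the 16/32-bit casts either assemble and store the pixel byte by byte through `m()` or reject the blit before the loop when its last pixel would not fit below the mask. The colorexpand, pattern and fill functions in the later hunks all go through the same PUTPIXEL, so they inherit whichever form is chosen.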