ia64/xen-unstable

changeset 14912:9e86260b95a4

[qemu-dm] Add bounds checks for cirrus bitblit memory accesses.

Signed-off-by: Christian Limpach <Christian.Limpach@xensource.com>
author Christian Limpach <Christian.Limpach@xensource.com>
date Tue Apr 24 17:02:07 2007 +0100 (2007-04-24)
parents a99093e602c6
children 837d12d4d2d1
files tools/ioemu/hw/cirrus_vga.c tools/ioemu/hw/cirrus_vga_rop.h tools/ioemu/hw/cirrus_vga_rop2.h
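--- a/tools/ioemu/hw/cirrus_vga.c
+++ b/tools/ioemu/hw/cirrus_vga.c
@@ -601,7 +601,8 @@ static void cirrus_invalidate_region(Cir
 	off_cur_end = off_cur + bytesperline;
 	off_cur &= TARGET_PAGE_MASK;
 	while (off_cur < off_cur_end) {
-	    cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
+	    cpu_physical_memory_set_dirty(s->vram_offset +
+					  (off_cur & s->cirrus_addr_mask));
 	    off_cur += TARGET_PAGE_SIZE;
 	}
 	off_begin += off_pitch;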
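Review bot: The masked offset in the `cpu_physical_memory_set_dirty` call wraps an out-of-range `off_cur` rather than clamping or rejecting it, and nothing at this site says why. A one-line comment would tie it to the blitter, for example `/* wrap with cirrus_addr_mask like the ROP helpers, so the pages marked dirty are the ones actually written */`. The call also relies on `s->vram_offset + s->cirrus_addr_mask` staying inside the region registered for dirty tracking, which the hunk does not show. cirrus_invalidate_region starts and ends outside the hunk.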
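--- a/tools/ioemu/hw/cirrus_vga_rop.h
+++ b/tools/ioemu/hw/cirrus_vga_rop.h
@@ -22,18 +22,36 @@
  * THE SOFTWARE.
  */
 
+#define get_base(p, s, b) do { \
+    if ((p) >= (s)->vram_ptr && (p) < (s)->vram_ptr + (s)->vram_size) \
+	(b) = (s)->vram_ptr; \
+    else if ((p) >= &(s)->cirrus_bltbuf[0] && \
+	     (p) < &(s)->cirrus_bltbuf[CIRRUS_BLTBUFSIZE]) \
+	(b) = &(s)->cirrus_bltbuf[0]; \
+    else \
+	return; \
+} while(0)
+
+#define m(x) ((x) & s->cirrus_addr_mask)
+
 static void
 glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
-                             uint8_t *dst,const uint8_t *src,
+                             uint8_t *dst_,const uint8_t *src_,
                              int dstpitch,int srcpitch,
                              int bltwidth,int bltheight)
 {
     int x,y;
+    uint32_t dst, src;
+    uint8_t *dst_base, *src_base;
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     dstpitch -= bltwidth;
     srcpitch -= bltwidth;
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
-            ROP_OP(*dst, *src);
+            ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
             dst++;
             src++;
         }
@@ -44,16 +62,22 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
 
 static void
 glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
-                                        uint8_t *dst,const uint8_t *src,
+                                        uint8_t *dst_,const uint8_t *src_,
                                         int dstpitch,int srcpitch,
                                         int bltwidth,int bltheight)
 {
     int x,y;
+    uint32_t dst, src;
+    uint8_t *dst_base, *src_base;
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     dstpitch += bltwidth;
     srcpitch += bltwidth;
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
-            ROP_OP(*dst, *src);
+            ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
             dst--;
             src--;
         }
@@ -76,3 +100,6 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(
 
 #undef ROP_NAME
 #undef ROP_OP
+
+#undef get_base
+#undef m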
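Review bot: `m(x)` masks every offset with `s->cirrus_addr_mask`, yet `get_base` may have picked `cirrus_bltbuf` as the base, and nothing bounds the masked offset to `CIRRUS_BLTBUFSIZE`. If the VRAM address mask is larger than the blit buffer (their sizes are not visible in this diff), `*(src_base + m(src))` in `cirrus_bitblt_rop_fwd_` and `cirrus_bitblt_rop_bkwd_` can still run past the end of `cirrus_bltbuf`. The base lookup should also yield a per-base limit, for instance by having `get_base` set a size or mask next to `(b)`, and the access should use that instead of the global mask. Separately, `get_base` hides a `return;` inside a macro, so a rejected pointer silently drops the whole blit; a comment above the macro should say so and that it is only usable in `void` functions. Both function bodies continue outside the hunks shown.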
     3.1 --- a/tools/ioemu/hw/cirrus_vga_rop2.h	Tue Apr 24 16:52:15 2007 +0100
     3.2 +++ b/tools/ioemu/hw/cirrus_vga_rop2.h	Tue Apr 24 17:02:07 2007 +0100
     3.3 @@ -23,36 +23,42 @@
     3.4   */
     3.5  
     3.6  #if DEPTH == 8
     3.7 -#define PUTPIXEL()    ROP_OP(d[0], col)
     3.8 +#define PUTPIXEL()    ROP_OP((dst_base + m(d))[0], col)
     3.9  #elif DEPTH == 16
    3.10 -#define PUTPIXEL()    ROP_OP(((uint16_t *)d)[0], col);
    3.11 +#define PUTPIXEL()    ROP_OP(((uint16_t *)(dst_base + m(d)))[0], col);
    3.12  #elif DEPTH == 24
    3.13 -#define PUTPIXEL()    ROP_OP(d[0], col); \
    3.14 -                      ROP_OP(d[1], (col >> 8)); \
    3.15 -                      ROP_OP(d[2], (col >> 16))
    3.16 +#define PUTPIXEL()    ROP_OP((dst_base + m(d))[0], col); \
    3.17 +                      ROP_OP((dst_base + m(d))[1], (col >> 8)); \
    3.18 +                      ROP_OP((dst_base + m(d))[2], (col >> 16))
    3.19  #elif DEPTH == 32
    3.20 -#define PUTPIXEL()    ROP_OP(((uint32_t *)d)[0], col)
    3.21 +#define PUTPIXEL()    ROP_OP(((uint32_t *)(dst_base + m(d)))[0], col)
    3.22  #else
    3.23  #error unsupported DEPTH
    3.24  #endif                
    3.25  
    3.26  static void
    3.27  glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
    3.28 -     (CirrusVGAState * s, uint8_t * dst,
    3.29 -      const uint8_t * src, 
    3.30 +     (CirrusVGAState * s, uint8_t * dst_,
    3.31 +      const uint8_t * src_, 
    3.32        int dstpitch, int srcpitch, 
    3.33        int bltwidth, int bltheight)
    3.34  {
    3.35 -    uint8_t *d;
    3.36 +    uint8_t *dst_base, *src_base;
    3.37 +    uint32_t src, dst;
    3.38 +    uint32_t d;
    3.39      int x, y, pattern_y, pattern_pitch, pattern_x;
    3.40      unsigned int col;
    3.41 -    const uint8_t *src1;
    3.42 +    uint32_t src1;
    3.43  #if DEPTH == 24
    3.44      int skipleft = s->gr[0x2f] & 0x1f;
    3.45  #else
    3.46      int skipleft = (s->gr[0x2f] & 0x07) * (DEPTH / 8);
    3.47  #endif
    3.48  
    3.49 +    get_base(dst_, s, dst_base);
    3.50 +    get_base(src_, s, src_base);
    3.51 +    dst = dst_ - dst_base;
    3.52 +    src = src_ - src_base;
    3.53  #if DEPTH == 8
    3.54      pattern_pitch = 8;
    3.55  #elif DEPTH == 16
    3.56 @@ -67,19 +73,19 @@ glue(glue(glue(cirrus_patternfill_, ROP_
    3.57          src1 = src + pattern_y * pattern_pitch;
    3.58          for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
    3.59  #if DEPTH == 8
    3.60 -            col = src1[pattern_x];
    3.61 +            col = *(src_base + m(src1 + pattern_x));
    3.62              pattern_x = (pattern_x + 1) & 7;
    3.63  #elif DEPTH == 16
    3.64 -            col = ((uint16_t *)(src1 + pattern_x))[0];
    3.65 +            col = *(uint16_t *)(src_base + m(src1 + pattern_x));
    3.66              pattern_x = (pattern_x + 2) & 15;
    3.67  #elif DEPTH == 24
    3.68              {
    3.69 -                const uint8_t *src2 = src1 + pattern_x * 3;
    3.70 +                const uint8_t *src2 = src_base + m(src1 + pattern_x * 3);
    3.71                  col = src2[0] | (src2[1] << 8) | (src2[2] << 16);
    3.72                  pattern_x = (pattern_x + 1) & 7;
    3.73              }
    3.74  #else
    3.75 -            col = ((uint32_t *)(src1 + pattern_x))[0];
    3.76 +            col = *(uint32_t *)(src_base + m(src1 + pattern_x));
    3.77              pattern_x = (pattern_x + 4) & 31;
    3.78  #endif
    3.79              PUTPIXEL();
    3.80 @@ -93,12 +99,14 @@ glue(glue(glue(cirrus_patternfill_, ROP_
    3.81  /* NOTE: srcpitch is ignored */
    3.82  static void
    3.83  glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
    3.84 -     (CirrusVGAState * s, uint8_t * dst,
    3.85 -      const uint8_t * src, 
    3.86 +     (CirrusVGAState * s, uint8_t * dst_,
    3.87 +      const uint8_t * src_, 
    3.88        int dstpitch, int srcpitch, 
    3.89        int bltwidth, int bltheight)
    3.90  {
    3.91 -    uint8_t *d;
    3.92 +    uint8_t *dst_base, *src_base;
    3.93 +    uint32_t src, dst;
    3.94 +    uint32_t d;
    3.95      int x, y;
    3.96      unsigned bits, bits_xor;
    3.97      unsigned int col;
    3.98 @@ -112,6 +120,10 @@ glue(glue(glue(cirrus_colorexpand_transp
    3.99      int dstskipleft = srcskipleft * (DEPTH / 8);
   3.100  #endif
   3.101  
   3.102 +    get_base(dst_, s, dst_base);
   3.103 +    get_base(src_, s, src_base);
   3.104 +    dst = dst_ - dst_base;
   3.105 +    src = src_ - src_base;
   3.106      if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
   3.107          bits_xor = 0xff;
   3.108          col = s->cirrus_blt_bgcol;
   3.109 @@ -122,12 +134,12 @@ glue(glue(glue(cirrus_colorexpand_transp
   3.110  
   3.111      for(y = 0; y < bltheight; y++) {
   3.112          bitmask = 0x80 >> srcskipleft;
   3.113 -        bits = *src++ ^ bits_xor;
   3.114 +        bits = *(src_base + m(src++)) ^ bits_xor;
   3.115          d = dst + dstskipleft;
   3.116          for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
   3.117              if ((bitmask & 0xff) == 0) {
   3.118                  bitmask = 0x80;
   3.119 -                bits = *src++ ^ bits_xor;
   3.120 +                bits = *(src_base + m(src++)) ^ bits_xor;
   3.121              }
   3.122              index = (bits & bitmask);
   3.123              if (index) {
   3.124 @@ -142,13 +154,15 @@ glue(glue(glue(cirrus_colorexpand_transp
   3.125  
   3.126  static void
   3.127  glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
   3.128 -     (CirrusVGAState * s, uint8_t * dst,
   3.129 -      const uint8_t * src, 
   3.130 +     (CirrusVGAState * s, uint8_t * dst_,
   3.131 +      const uint8_t * src_, 
   3.132        int dstpitch, int srcpitch, 
   3.133        int bltwidth, int bltheight)
   3.134  {
   3.135 +    uint8_t *dst_base, *src_base;
   3.136 +    uint32_t src, dst;
   3.137      uint32_t colors[2];
   3.138 -    uint8_t *d;
   3.139 +    uint32_t d;
   3.140      int x, y;
   3.141      unsigned bits;
   3.142      unsigned int col;
   3.143 @@ -156,16 +170,20 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
   3.144      int srcskipleft = s->gr[0x2f] & 0x07;
   3.145      int dstskipleft = srcskipleft * (DEPTH / 8);
   3.146  
   3.147 +    get_base(dst_, s, dst_base);
   3.148 +    get_base(src_, s, src_base);
   3.149 +    dst = dst_ - dst_base;
   3.150 +    src = src_ - src_base;
   3.151      colors[0] = s->cirrus_blt_bgcol;
   3.152      colors[1] = s->cirrus_blt_fgcol;
   3.153      for(y = 0; y < bltheight; y++) {
   3.154          bitmask = 0x80 >> srcskipleft;
   3.155 -        bits = *src++;
   3.156 +        bits = *(src_base + m(src++));
   3.157          d = dst + dstskipleft;
   3.158          for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
   3.159              if ((bitmask & 0xff) == 0) {
   3.160                  bitmask = 0x80;
   3.161 -                bits = *src++;
   3.162 +                bits = *(src_base + m(src++));
   3.163              }
   3.164              col = colors[!!(bits & bitmask)];
   3.165              PUTPIXEL();
   3.166 @@ -178,12 +196,14 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
   3.167  
   3.168  static void
   3.169  glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
   3.170 -     (CirrusVGAState * s, uint8_t * dst,
   3.171 -      const uint8_t * src, 
   3.172 +     (CirrusVGAState * s, uint8_t * dst_,
   3.173 +      const uint8_t * src_, 
   3.174        int dstpitch, int srcpitch, 
   3.175        int bltwidth, int bltheight)
   3.176  {
   3.177 -    uint8_t *d;
   3.178 +    uint8_t *dst_base, *src_base;
   3.179 +    uint32_t src, dst;
   3.180 +    uint32_t d;
   3.181      int x, y, bitpos, pattern_y;
   3.182      unsigned int bits, bits_xor;
   3.183      unsigned int col;
   3.184 @@ -195,6 +215,10 @@ glue(glue(glue(cirrus_colorexpand_patter
   3.185      int dstskipleft = srcskipleft * (DEPTH / 8);
   3.186  #endif
   3.187  
   3.188 +    get_base(dst_, s, dst_base);
   3.189 +    get_base(src_, s, src_base);
   3.190 +    dst = dst_ - dst_base;
   3.191 +    src = src_ - src_base;
   3.192      if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
   3.193          bits_xor = 0xff;
   3.194          col = s->cirrus_blt_bgcol;
   3.195 @@ -205,7 +229,7 @@ glue(glue(glue(cirrus_colorexpand_patter
   3.196      pattern_y = s->cirrus_blt_srcaddr & 7;
   3.197  
   3.198      for(y = 0; y < bltheight; y++) {
   3.199 -        bits = src[pattern_y] ^ bits_xor;
   3.200 +        bits = *(src_base + m(src + pattern_y)) ^ bits_xor;
   3.201          bitpos = 7 - srcskipleft;
   3.202          d = dst + dstskipleft;
   3.203          for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
   3.204 @@ -222,25 +246,31 @@ glue(glue(glue(cirrus_colorexpand_patter
   3.205  
   3.206  static void
   3.207  glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
   3.208 -     (CirrusVGAState * s, uint8_t * dst,
   3.209 -      const uint8_t * src, 
   3.210 +     (CirrusVGAState * s, uint8_t * dst_,
   3.211 +      const uint8_t * src_, 
   3.212        int dstpitch, int srcpitch, 
   3.213        int bltwidth, int bltheight)
   3.214  {
   3.215 +    uint8_t *dst_base, *src_base;
   3.216 +    uint32_t src, dst;
   3.217      uint32_t colors[2];
   3.218 -    uint8_t *d;
   3.219 +    uint32_t d;
   3.220      int x, y, bitpos, pattern_y;
   3.221      unsigned int bits;
   3.222      unsigned int col;
   3.223      int srcskipleft = s->gr[0x2f] & 0x07;
   3.224      int dstskipleft = srcskipleft * (DEPTH / 8);
   3.225  
   3.226 +    get_base(dst_, s, dst_base);
   3.227 +    get_base(src_, s, src_base);
   3.228 +    dst = dst_ - dst_base;
   3.229 +    src = src_ - src_base;
   3.230      colors[0] = s->cirrus_blt_bgcol;
   3.231      colors[1] = s->cirrus_blt_fgcol;
   3.232      pattern_y = s->cirrus_blt_srcaddr & 7;
   3.233  
   3.234      for(y = 0; y < bltheight; y++) {
   3.235 -        bits = src[pattern_y];
   3.236 +        bits = *(src_base + m(src + pattern_y));
   3.237          bitpos = 7 - srcskipleft;
   3.238          d = dst + dstskipleft;
   3.239          for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
   3.240 @@ -257,13 +287,17 @@ glue(glue(glue(cirrus_colorexpand_patter
   3.241  static void 
   3.242  glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH)
   3.243       (CirrusVGAState *s,
   3.244 -      uint8_t *dst, int dst_pitch, 
   3.245 +      uint8_t *dst_, int dst_pitch, 
   3.246        int width, int height)
   3.247  {
   3.248 -    uint8_t *d, *d1;
   3.249 +    uint8_t *dst_base;
   3.250 +    uint32_t dst;
   3.251 +    uint32_t d, d1;
   3.252      uint32_t col;
   3.253      int x, y;
   3.254  
   3.255 +    get_base(dst_, s, dst_base);
   3.256 +    dst = dst_ - dst_base;
   3.257      col = s->cirrus_blt_fgcol;
   3.258  
   3.259      d1 = dst;
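Review bot: `PUTPIXEL()` applies `m(d)` to the first byte only, so the 16- and 32-bit stores (`((uint32_t *)(dst_base + m(d)))[0]`) and the 24-bit `[1]`/`[2]` stores can touch up to three bytes beyond the masked offset when `m(d)` lands at the top of the range. The same holds for the reads in `cirrus_patternfill_`, namely `*(uint32_t *)(src_base + m(src1 + pattern_x))` and `src2[1]`, `src2[2]`. Whether that leaves the buffer depends on how `cirrus_addr_mask` relates to `vram_size` and on any slack after VRAM, neither of which is visible here. For the 24-bit case masking each byte separately would close it, e.g. `ROP_OP(*(dst_base + m(d + 1)), (col >> 8));`; for the wider accesses the offset would need to be aligned or the top `DEPTH / 8 - 1` bytes excluded. The function bodies continue outside these hunks.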