xenbits.xensource.com Git - qemu-xen.git/commit

author	Philippe Mathieu-Daudé <philmd@linaro.org>
	Mon, 28 Nov 2022 20:27:39 +0000 (21:27 +0100)
committer	Stefan Hajnoczi <stefanha@redhat.com>
	Tue, 29 Nov 2022 23:15:26 +0000 (18:15 -0500)
commit	8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f
tree	9c7f3b4dc9f8ea7aa7f207475d3aae1a25fe95f8	tree
parent	b1901de83a9456cde26fc755f71ca2b7b3ef50fc	commit \| diff

hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.

For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no change are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>

hw/display/qxl-logger.c		diff \| blob \| blame \| history
hw/display/qxl-render.c		diff \| blob \| blame \| history
hw/display/qxl.c		diff \| blob \| blame \| history
hw/display/qxl.h		diff \| blob \| blame \| history