cirrus: don't overflow CirrusVGAState->cirrus_bltbuf

author Gerd Hoffmann <kraxel@redhat.com>

Wed, 19 Nov 2014 12:27:28 +0000 (13:27 +0100)

committer Stefano Stabellini <stefano.stabellini@eu.citrix.com>

Thu, 5 Mar 2015 14:53:22 +0000 (14:53 +0000)
author Gerd Hoffmann <kraxel@redhat.com>
Wed, 19 Nov 2014 12:27:28 +0000 (13:27 +0100)
committer Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Thu, 5 Mar 2015 14:53:22 +0000 (14:53 +0000)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c

index 64e489eff05e6ef89bfdbc2a2507355b6a8b86b5..f16960b072515e7f0cf9abcc7c65a0b7a57c676d 100644 (file)
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -292,6 +292,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
      assert(s->cirrus_blt_width > 0);
      assert(s->cirrus_blt_height > 0);
  
+    if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+        return true;
+    }
+
      if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
                                s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
          return true;
author	Gerd Hoffmann <kraxel@redhat.com>
	Wed, 19 Nov 2014 12:27:28 +0000 (13:27 +0100)
committer	Stefano Stabellini <stefano.stabellini@eu.citrix.com>
	Thu, 5 Mar 2015 14:53:22 +0000 (14:53 +0000)