hw/display: check frame buffer can hold blob
Coverity reports (CID 1564769, 1564770) that we potentially overflow by doing some 32x32 multiplies for something that ends up in a 64 bit value. Fix this by first using stride for all lines and casting input to uint64_t to ensure a 64 bit multiply is used. Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com> Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Message-ID: <20241111230040.68470-3-alex.bennee@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
parent
c4e1c361b3
commit
7b55742254
@ -742,8 +742,7 @@ bool virtio_gpu_scanout_blob_to_fb(struct virtio_gpu_framebuffer *fb,
|
|||||||
fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;
|
fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;
|
||||||
|
|
||||||
fbend = fb->offset;
|
fbend = fb->offset;
|
||||||
fbend += fb->stride * (ss->r.height - 1);
|
fbend += (uint64_t) fb->stride * ss->r.height;
|
||||||
fbend += fb->bytes_pp * ss->r.width;
|
|
||||||
|
|
||||||
if (fbend > blob_size) {
|
if (fbend > blob_size) {
|
||||||
qemu_log_mask(LOG_GUEST_ERROR,
|
qemu_log_mask(LOG_GUEST_ERROR,
|
||||||
|
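Review bot: The unchanged line `fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;` still does its two multiplies without a widening cast, and `fbend` is seeded from that result, so the cast added to `fb->stride * ss->r.height` covers only part of the arithmetic behind the `fbend > blob_size` check. If these fields are 32-bit, as the Coverity description suggests, guest-chosen `r.x`/`r.y` values can wrap the offset before the comparison; whether that matters depends on how `fb->offset` is used later, which is outside this hunk. Consider computing it widened, `uint64_t off = ss->offsets[0] + (uint64_t) ss->r.x * fb->bytes_pp + (uint64_t) ss->r.y * fb->stride;`, rejecting the request when `off` does not fit the type of `fb->offset`, and starting `fbend` from `off`. Separately, counting a full stride for the last line makes the check stricter than before, so a blob that ends at the last visible pixel may now be rejected when the stride is larger than `bytes_pp * width`; a short comment saying this is intentional would help. The body of virtio_gpu_scanout_blob_to_fb starts and ends outside the hunk.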
@ -340,7 +340,7 @@ void virtio_gpu_update_cursor_data(VirtIOGPU *g,
|
|||||||
* blob_size: size of scanout blob data
|
* blob_size: size of scanout blob data
|
||||||
*
|
*
|
||||||
* This will check we have enough space for the frame taking into
|
* This will check we have enough space for the frame taking into
|
||||||
* account that stride for all but the last line.
|
* account that stride.
|
||||||
*
|
*
|
||||||
* Returns true on success, otherwise logs guest error and returns false
|
* Returns true on success, otherwise logs guest error and returns false
|
||||||
*/
|
*/
|
||||||
|
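Review bot: The reworded sentence ending `account that stride.` no longer reads as a complete statement and does not say what the check now requires of the blob. Since the contract changed to count a full stride for every line, the comment could state that directly, for example `* This will check we have enough space for the frame, counting a full` / `* stride for every line including the last.` The comment block starts outside the hunk, so the parameter descriptions above it were not reviewed.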