On 28.07.2025 14:06, Philippe Mathieu-Daudé wrote:
On 21/2/25 14:48, Michael Tokarev wrote:
In case of multiple chunks, the code in qxl_unpack_chunks() takes the size of the
wrong (next in the chain) chunk instead of using the current chunk size.
This leads to the wrong number of bytes being copied, and to crashes if the next
chunk size is larger than the current one.

Based on the code by Gao Yong.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1628
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
---
  hw/display/qxl-render.c | 11 ++++++++++-
  1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index eda6d3de37..c6a9ac1da1 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -222,6 +222,7 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
      uint32_t max_chunks = 32;
      size_t offset = 0;
      size_t bytes;
+    QXLPHYSICAL next_chunk_phys = 0;
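Review bot: the `= 0` initializer on `next_chunk_phys` is unnecessary if the variable is assigned before every read in the loop that follows (not shown in this excerpt); it is harmless, but dropping it, or declaring the variable at its first use, avoids a reader wondering whether 0 is a meaningful physical address here. Note also that this hunk header (`-222,6 +222,7`) covers only the declaration while the diffstat reports 10 insertions and 1 deletion, so the actual fix the commit message describes (sizing the copy from the current chunk rather than the next one) must live in a later hunk that is not quoted here.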

Thanks, queued (without zero-initialization).

Heh. Indeed, the init isn't needed here.
But you're a bit too late: this version has already been
applied.  Dunno if it's worth the effort to remove the
initializer here; probably not.

Philippe, you can at least pick up another patch from the
trivial patches queue (since I don't have any other patches) -
this is "roms/Makefile: fix npcmNxx_bootrom build rules".
(There are 2 more changes pending in this area though -
it is the rules for ast270x0 vbootrom, waiting for the
upstream git tree to fix a build bug in there).

Thanks,

/mjt
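
As an added illustration of the bug class the commit message describes (not code from the patch, from QEMU, or from either poster), the following stand-alone C model walks a chunk chain and sizes every memcpy from the chunk being copied, clamps to the remaining destination capacity, and bounds the walk with the same `max_chunks = 32` idiom seen in the quoted hunk. The `chunk_t` structure, the `next` pointer in place of a guest physical address, and the sample chain are all constructed assumptions for this example; the real QXL chunk layout and qxl_unpack_chunks() internals are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical host-side model of a chunk chain. The real QXL chunk is a
 * guest-memory structure reached through a physical address; here `next` is
 * a plain pointer so the walk can run stand-alone. All of this is constructed
 * for illustration and is not QEMU code. */
typedef struct chunk {
    uint32_t data_size;        /* payload bytes in THIS chunk (guest-controlled) */
    const struct chunk *next;  /* NULL ends the chain */
    const uint8_t *data;
} chunk_t;

/* Copy the chained payload into dest (capacity `size`), returning the number
 * of bytes written. Every copy is sized from the chunk being copied; the bug
 * in the commit message was sizing it from the *next* chunk, so a larger
 * successor made memcpy read past the current chunk's data. */
size_t unpack_chunks(void *dest, size_t size, const chunk_t *chunk)
{
    uint32_t max_chunks = 32;   /* bound the walk so a looping chain terminates */
    size_t offset = 0;
    size_t bytes;

    while (chunk != NULL && max_chunks-- > 0) {
        bytes = chunk->data_size;          /* current chunk, never chunk->next */
        if (bytes > size - offset) {
            bytes = size - offset;         /* clamp to remaining dest capacity */
        }
        memcpy((uint8_t *)dest + offset, chunk->data, bytes);
        offset += bytes;
        if (offset == size) {
            break;                         /* dest is full; ignore the rest */
        }
        chunk = chunk->next;
    }
    return offset;
}

/* Constructed sample chain: the second chunk is larger than the first, the
 * shape the commit message says crashed the old code. */
static const uint8_t c1[] = "ab", c2[] = "cdefg", c3[] = "hij";
static const chunk_t sample[3] = {
    { 2, &sample[1], c1 },
    { 5, &sample[2], c2 },
    { 3, NULL,       c3 },
};

/* Unpack the sample chain into `size` bytes of dest; returns 1 if exactly
 * `expect_len` bytes came out and they are the prefix of "abcdefghij". */
int check_sample(size_t size, size_t expect_len)
{
    uint8_t dest[64] = {0};
    if (size > sizeof dest || expect_len > size) {
        return 0;
    }
    size_t n = unpack_chunks(dest, size, &sample[0]);
    return n == expect_len && memcmp(dest, "abcdefghij", expect_len) == 0;
}

/* A chunk that points at itself: only the chunk-count limit ends the walk. */
size_t check_loop(void)
{
    static const uint8_t one[] = "x";
    static const chunk_t loop = { 1, &loop, one };
    uint8_t dest[100];
    return unpack_chunks(dest, sizeof dest, &loop);
}

int main(void)
{
    printf("full copy ok: %d\n", check_sample(16, 10));        /* 1 */
    printf("truncated copy ok: %d\n", check_sample(6, 6));     /* 1 */
    printf("looping chain copied %zu bytes\n", check_loop());  /* 32 */
    return 0;
}
```

The clamp against `size - offset` and the chunk-count limit are the two checks that keep a guest-supplied chain from driving the copy outside the destination or looping forever; sizing each copy from the chunk actually being read is what the upstream fix restores.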
