Invalid I/O writes can craft an offset out of the vram_buffer range. We avoid:
Program terminated with signal SIGSEGV, Segmentation fault. 519 artist_rop8(s, buf, dst + column, buf->data[src + column]); (gdb) bt #0 0x000055fa83b05e0a in block_move (s=0x55fa8647e510, source_x=0, source_y=0, dest_x=255, dest_y=-5, width=22, height=16705) at hw/display/artist.c:519 #1 0x000055fa83b071da in artist_reg_write (opaque=0x55fa8647e510, addr=1051392, val=16777211, size=4) at hw/display/artist.c:954 Reported-by: LLVM libFuzzer Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org> --- hw/display/artist.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/display/artist.c b/hw/display/artist.c index 6f61b85a24..320e3c5050 100644 --- a/hw/display/artist.c +++ b/hw/display/artist.c @@ -513,6 +513,11 @@ static void block_move(ARTISTState *s, int source_x, int source_y, int dest_x, dst = dest_x + ((line + dest_y) * buf->width); for (column = startcolumn; column != endcolumn; column += columnincr) { + if ((int)src + column < 0 || src + column >= buf->size) { + qemu_log_mask(LOG_GUEST_ERROR, + "block_move src:%d column:%d\n", src, column); + continue; /* FIXME */ + } if (dst + column > buf->size || src + column > buf->size) { continue; } -- 2.21.3
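Review bot: the new guard only range-checks `src + column`, but the crashing line `artist_rop8(s, buf, dst + column, buf->data[src + column]);` also indexes with `dst + column`, and the backtrace shows `dest_y=-5`, so `dst = dest_x + ((line + dest_y) * buf->width)` is negative for the first lines of the move; the guard should reject `(int)dst + column < 0` as well, or the write side stays reachable with a negative offset. The surviving check just below still uses `> buf->size` while the new one uses `>= buf->size`; index `buf->size` is one past the end, so the old test should be tightened to `>=` (or folded into the new condition) rather than left as a second, weaker check. The `continue; /* FIXME */` skips one column at a time and logs with `LOG_GUEST_ERROR` on every iteration, which for the reported `height=16705` case means thousands of log lines for a single register write; a short comment explaining why the block is not rejected once before the loop would make the FIXME actionable.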