From: Prasad J Pandit <p...@fedoraproject.org> While accessing VGA registers via ati_mm_read/write routines, a guest may set 's->regs.mm_index' such that it leads to infinite recursion. Increment the mm_index value to avoid it.
Reported-by: Ren Ding <rd...@gatech.edu>
Reported-by: Hanqing Zhao <hanq...@gatech.edu>
Reported-by: Yi Ren <c4t...@gmail.com>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
hw/display/ati.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 065f197678..fa9061ad0b 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -286,7 +286,8 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
 val = ldn_le_p(s->vga.vram_ptr + idx, size);
 }
 } else {
- val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+ uint32_t idx = s->regs.mm_index++;
+ val = ati_mm_read(s, idx + addr - MM_DATA, size);
 }
 break;
 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -521,7 +522,8 @@ static void ati_mm_write(void *opaque, hwaddr addr,
 stn_le_p(s->vga.vram_ptr + idx, size, data);
 }
 } else {
- ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+ uint32_t idx = s->regs.mm_index++;
+ ati_mm_write(s, idx + addr - MM_DATA, data, size);
 }
 break;
 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
--
2.26.2
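Review bot: The `s->regs.mm_index++` on the added lines of both hunks turns a read of the MM_DATA window into a write to a guest-programmed index register, so after this patch every access through MM_DATA silently advances the index and the recursion is bounded only because the index eventually walks out of the window, not by any check. Guest software that programs the index once and then reads or writes MM_DATA repeatedly will hit a different register on each access, and a guest-chosen index can still drive several levels of recursion before it leaves the window. Rejecting an index that resolves back into the MM_DATA window before recursing terminates the loop in one step without mutating state, for example `if (s->regs.mm_index <= MM_DATA + 3) { qemu_log_mask(LOG_GUEST_ERROR, "ati_mm_read: mm_index aliases MM_DATA\n"); break; }` (the window bound MM_DATA + 3 is inferred from the `addr - MM_DATA` offset and should be confirmed against the case label), with the mirror check in the ati_mm_write hunk. The enclosing switch statements and the functions ati_mm_read and ati_mm_write begin and end outside both hunks.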