> @@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size,
> PCIQXLDevice *qxl,
> if (offset == size) {
> return;
> }
> - chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
> + chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
> + sizeof(QXLDataChunk) + chunk->data_size);
> if (!chunk) {
> return;
> }
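Review bot: The size passed for the next chunk, `sizeof(QXLDataChunk) + chunk->data_size`, is evaluated before `chunk` is reassigned, so it is the current chunk's data_size that bounds the mapping of the next chunk, whose own data_size may be larger; a guest can then make the loop (its head, where chunk->data_size is consumed, is outside this hunk) read past the range qxl_phys2virt validated. The cursor hunk in this same series already uses the right two-step pattern, so do the same here: map only the header first, then remap with that header's own data_size. The type of `next_chunk` is not visible in the hunk; the spice QXLPHYSICAL type is assumed below, so confirm it against the struct definition.

```c
        /* Map only the header first: data_size is the NEXT chunk's, not ours. */
        QXLPHYSICAL next = chunk->next_chunk;
        chunk = qxl_phys2virt(qxl, next, group_id, sizeof(QXLDataChunk));
        if (!chunk) {
            return;
        }
        /* Now remap covering the next chunk's own payload. */
        chunk = qxl_phys2virt(qxl, next, group_id,
                              sizeof(QXLDataChunk) + chunk->data_size);
        if (!chunk) {
            return;
        }
```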
Not checking the first chunk?
> @@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt
> *ext)
> }
> switch (cmd->type) {
> case QXL_CURSOR_SET:
> - cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
> + /* First read the QXLCursor to get QXLDataChunk::data_size ... */
> + cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
> + sizeof(QXLCursor));
> + if (!cursor) {
> + return 1;
> + }
> + /* Then read including the chunked data following QXLCursor. */
> + cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
> + sizeof(QXLCursor) + cursor->chunk.data_size);
> + if (!cursor) {
> + return 1;
> + }
Ah, you do it here. Good. Series: Acked-by: Gerd Hoffmann <kra...@redhat.com> take care, Gerd
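Review bot: The second `qxl_phys2virt` sizes its check with `cursor->chunk.data_size` read straight from guest-shared memory, and nothing in the hunk pins that value, so whatever consumes the chunk after the `switch` (outside this hunk) may re-read a field the guest has changed since the check. Copying it once right after the first mapping, `uint32_t data_size = cursor->chunk.data_size;`, and using the local in the second call and wherever the size is derived afterwards removes the double read; the field's exact type is not visible here, so match the spice header. The first comment would also be clearer if it said why two mappings are needed, e.g. `/* Two-step: the chunk header lives in guest memory, so its data_size can only be trusted once the header itself has been bounds-checked. */`.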