On Mon, 28 Nov 2022 at 15:30, Philippe Mathieu-Daudé <phi...@linaro.org> wrote:
>
> Since v2:
> - Do not abort checking guest-provided addresses (Stefan)
> - Handle chunked QEMUCursor (Gerd)
>
> Since v1:
> - Moved overrun check in qxl_get_check_slot_offset (Marc-André)
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
>
> Worth considering for 7.2?
Merged, thanks!

Stefan
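An added example, not code from this series or from QEMU, of the pattern the cover letter describes: a host pointer for a RAM-backed region used with a guest-supplied offset and no size check, next to a variant that validates the whole [offset, offset+len) range first. RamRegion, ram_ptr_unchecked, ram_access_in_bounds and ram_ptr_checked are hypothetical stand-ins for a MemoryRegion, memory_region_get_ram_ptr() and a checked helper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a RAM-backed MemoryRegion (constructed for
 * this example; not QEMU's struct). */
typedef struct {
    uint8_t *host_base;   /* what memory_region_get_ram_ptr() hands back */
    uint64_t size;        /* backing size in bytes */
} RamRegion;

/* The unsafe pattern: base + guest offset with no look at the region size.
 * A guest-controlled offset at or beyond `size` produces a pointer outside
 * the backing buffer, i.e. the overrun the cover letter reports. */
uint8_t *ram_ptr_unchecked(RamRegion *mr, uint64_t offset)
{
    return mr->host_base + offset;
}

/* Hardened check: the access [offset, offset + len) must lie entirely
 * inside the region. Written as a subtraction so that a huge guest-supplied
 * offset or len cannot wrap the arithmetic and slip past the test.
 * Zero-length accesses are rejected as meaningless. */
bool ram_access_in_bounds(const RamRegion *mr, uint64_t offset, uint64_t len)
{
    if (len == 0 || offset >= mr->size) {
        return false;
    }
    return len <= mr->size - offset;
}

/* Checked variant: NULL instead of an out-of-bounds host pointer, so the
 * caller must handle the failure rather than silently reading or writing
 * past the region. */
uint8_t *ram_ptr_checked(RamRegion *mr, uint64_t offset, uint64_t len)
{
    if (!ram_access_in_bounds(mr, offset, len)) {
        return NULL;
    }
    return mr->host_base + offset;
}
```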