On 28/11/22 17:29, Philippe Mathieu-Daudé wrote:
On 28/11/22 17:18, Philippe Mathieu-Daudé wrote:
On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
On 28/11/22 16:08, Gerd Hoffmann wrote:
Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in
qxl_cursor) goes access chunk.data[] wi
On 28/11/22 17:18, Philippe Mathieu-Daudé wrote:
On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
On 28/11/22 16:08, Gerd Hoffmann wrote:
Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in
qxl_cursor) goes access chunk.data[] without calling
qxl_unpack_chunks(), that needs addi
On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
On 28/11/22 16:08, Gerd Hoffmann wrote:
Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in
qxl_cursor) goes access chunk.data[] without calling
qxl_unpack_chunks(), that needs additional verification too (or
switch it to call qxl_
On Mon, Nov 28, 2022 at 04:41:14PM +0100, Philippe Mathieu-Daudé wrote:
> On 28/11/22 16:08, Gerd Hoffmann wrote:
> > > @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t
> > > size, PCIQXLDevice *qxl,
> > > if (offset == size) {
> > > return;
> > >
On 28/11/22 16:08, Gerd Hoffmann wrote:
@@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t size,
PCIQXLDevice *qxl,
if (offset == size) {
return;
}
-chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
+chunk = qxl_phys2virt
> @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t size,
> PCIQXLDevice *qxl,
> if (offset == size) {
> return;
> }
> -chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
> +chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_
Hi
On Mon, Nov 28, 2022 at 5:48 PM Philippe Mathieu-Daudé wrote:
> Currently qxl_phys2virt() doesn't check for buffer overrun.
> In order to do so in the next commit, pass the buffer size
> as argument.
>
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> RFC: Please double-check qxl_render_update
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.
Signed-off-by: Philippe Mathieu-Daudé
---
RFC: Please double-check qxl_render_update_area_unlocked()
---
hw/display/qxl-logger.c | 11 ---
hw/display/qxl-re