Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Philippe Mathieu-Daudé
On 28/11/22 17:29, Philippe Mathieu-Daudé wrote:
> On 28/11/22 17:18, Philippe Mathieu-Daudé wrote:
>> On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
>>> On 28/11/22 16:08, Gerd Hoffmann wrote:
>>>> Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in qxl_cursor) goes access chunk.data[] wi

Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Philippe Mathieu-Daudé
On 28/11/22 17:18, Philippe Mathieu-Daudé wrote:
> On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
>> On 28/11/22 16:08, Gerd Hoffmann wrote:
>>> Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in qxl_cursor) goes access chunk.data[] without calling qxl_unpack_chunks(), that needs addi

Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Philippe Mathieu-Daudé
On 28/11/22 16:41, Philippe Mathieu-Daudé wrote:
> On 28/11/22 16:08, Gerd Hoffmann wrote:
>> Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in qxl_cursor) goes access chunk.data[] without calling qxl_unpack_chunks(), that needs additional verification too (or switch it to call qxl_

Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Gerd Hoffmann
On Mon, Nov 28, 2022 at 04:41:14PM +0100, Philippe Mathieu-Daudé wrote: > On 28/11/22 16:08, Gerd Hoffmann wrote: > > > @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t > > > size, PCIQXLDevice *qxl, > > > if (offset == size) { > > > return; > > >

Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Philippe Mathieu-Daudé
On 28/11/22 16:08, Gerd Hoffmann wrote: @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl, if (offset == size) { return; } -chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); +chunk = qxl_phys2virt
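Review bot: the size argument added to the chunk->next_chunk lookup in this hunk only protects callers that walk the chunk list through qxl_unpack_chunks(); as Gerd points out in this thread, the SPICE_CURSOR_TYPE_MONO path in qxl_cursor() reads chunk.data[] without calling qxl_unpack_chunks(), so that path needs the same bound check as well, or should be switched to call qxl_unpack_chunks() so the check is applied in one place.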

Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Gerd Hoffmann
> @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t size, > PCIQXLDevice *qxl, > if (offset == size) { > return; > } > -chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); > +chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_

Re: [RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Marc-André Lureau
Hi

On Mon, Nov 28, 2022 at 5:48 PM Philippe Mathieu-Daudé wrote:
> Currently qxl_phys2virt() doesn't check for buffer overrun.
> In order to do so in the next commit, pass the buffer size
> as argument.
>
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> RFC: Please double-check qxl_render_update

[RFC PATCH-for-7.2 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

2022-11-28 Thread Philippe Mathieu-Daudé
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.

Signed-off-by: Philippe Mathieu-Daudé
---
RFC: Please double-check qxl_render_update_area_unlocked()
---
 hw/display/qxl-logger.c | 11 ---
 hw/display/qxl-re