From patchwork Tue Jan 24 09:58:34 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Li Qiang <liq3ea@gmail.com>
X-Patchwork-Id: 9534815
Return-Path: 
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	AEA8C6042D for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue, 24 Jan 2017 10:28:00 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A05D32029B
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue, 24 Jan 2017 10:28:00 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 953BA26B41; Tue, 24 Jan 2017 10:28:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 15FA12029B
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue, 24 Jan 2017 10:28:00 +0000 (UTC)
Received: from localhost ([::1]:47484 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>)
	id 1cVyKV-0005iy-2l for patchwork-qemu-devel@patchwork.kernel.org;
	Tue, 24 Jan 2017 05:27:59 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46246)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1cVxsC-0005UM-RK
	for qemu-devel@nongnu.org; Tue, 24 Jan 2017 04:58:45 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1cVxs9-0006cA-4f
	for qemu-devel@nongnu.org; Tue, 24 Jan 2017 04:58:44 -0500
Received: from mail-io0-x243.google.com ([2607:f8b0:4001:c06::243]:34519)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <liq3ea@gmail.com>) id 1cVxs8-0006c5-Vu
	for qemu-devel@nongnu.org; Tue, 24 Jan 2017 04:58:41 -0500
Received: by mail-io0-x243.google.com with SMTP id c80so17982663iod.1
	for <qemu-devel@nongnu.org>; Tue, 24 Jan 2017 01:58:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=message-id:from:to:cc:subject:date;
	bh=qXu4Yf+OYWVwsxH3bh3Legi//x0e37DPfHChoCg4Pe0=;
	b=b2GPaWPN6DqLe8fBTDRpllvrRdr2Oq/m20ySXEC8EtfN+OX+B865OkDFCXy+VKpcJA
	02HofehQM4aqp8kEPY8nyYHAHJ/41adB3wb6P28ku5h5nXyPZ37IoP7t0H7jTrSChfeI
	vZRXg8+cbu9C/rSUTATqGCueLne+o8tuBoAX5iw6MnblKU2HS41bDr2pmTwkYqCD0TiQ
	RYIK03eCvSOnaT6TXnzePiDgY2Pnea1FTN0U61aEuvXtZfwxhLZKNocIE6zP8MmDYkQe
	trxJjK+d5JLvJaim8LDSn9C1jlYlnZOWr791BW2+ZGcdZVuQHzVl9Di0a9V+mYplHotL
	GLfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:message-id:from:to:cc:subject:date;
	bh=qXu4Yf+OYWVwsxH3bh3Legi//x0e37DPfHChoCg4Pe0=;
	b=YlM2PNBbSyPTHCeI0crbuduvNh6nE+l0lPSxaHJuh/yX/Yx3L2gp3cuZDoQGaUsBxK
	TUTSI3ZIyA1Bxb1T/9iylRIp5fyc2BWD8E7RpW42vpmlpBrWkChllhGpjl9aK0+M+SI1
	/SADSYqyOR8xwGZ8dmcgaiFcLoyUa22E3rQH2qwyBpBTh0dvJcxarvV98u4vEuxPITXD
	46MgwRbF0yt/b8QHK+gqgOhn3qow8o6tc4DQjxrMmKpWmCezI/E0FPl2FC4YYJfSfp5+
	UnYFeZ7drkXPWf10NhwTBxdNHVyKFK7Nb2a5CRuA2Fkxvas7QR5FF/45m/lf7gpIoxd1
	RdFA==
X-Gm-Message-State: 
 AIkVDXLLZ3s6TTYG4c5TjfjFX247GY8HcrSu5w/OkO3ZtEwcDyFJtt5mHB6JbVKi7G8dYw==
X-Received: by 10.107.16.14 with SMTP id y14mr26843985ioi.164.1485251920236;
	Tue, 24 Jan 2017 01:58:40 -0800 (PST)
Received: from localhost.localdomain.localdomain ([104.192.110.250])
	by smtp.gmail.com with ESMTPSA id
	m128sm8015070itm.16.2017.01.24.01.58.38
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 24 Jan 2017 01:58:39 -0800 (PST)
Message-ID: <5887254f.863a240a.2c122.5500@mx.google.com>
X-Google-Original-Message-ID: 
 <1485251914-77455-1-git-send-email-Qiang(liqiang6-s@360.cn)>
From: Li Qiang <liq3ea@gmail.com>
X-Google-Original-From: Li Qiang(liqiang6-s@360.cn)
To: kraxel@redhat.com,
	qemu-devel@nongnu.org
Date: Tue, 24 Jan 2017 01:58:34 -0800
X-Mailer: git-send-email 1.8.3.1
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2607:f8b0:4001:c06::243
Subject: [Qemu-devel] [PATCH] cirrus: fix oob access issue
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: liqiang6-s@360.cn
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Li Qiang <liqiang6-s@360.cn>

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
---
 hw/display/cirrus_vga.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 379910d..fa56730 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -277,7 +277,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
     }
     if (pitch < 0) {
         int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
         int32_t max = addr
             + s->cirrus_blt_width;
         if (min < 0 || max > s->vga.vram_size) {