diff options
| author | aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> | 2008-12-04 22:36:38 +0000 |
|---|---|---|
| committer | aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> | 2008-12-04 22:36:38 +0000 |
| commit | b2b183c2700d40210df51ff3ec9a2568ce9f5a43 (patch) | |
| tree | 8435d2a51180a3800ad42ac130ceb1b947b2623a | |
| parent | 4dc822d726376fd4369089f04eb8605d2f94b74f (diff) | |
do boundary check based on absolute value (Glauber Costa)
For backward operations, dstpitch and srcpitch can
be negative. This leads BLTUNSAFE macro into an
overflow, and as a result, it avoids performing
operations that are perfectly valid.
The visible effect that led to that patch was the gnome-panel
bar in Fedora10. Before this patch, you could see garbage
clobbering a big portion of the bar.
After this patch, this garbage is gone.
Signed-off-by: Glauber Costa <glommer@redhat.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5880 c046a42c-6fe2-441c-8c8c-71466251a162
| -rw-r--r-- | hw/cirrus_vga.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c index e0cf458d76..56907193d5 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c @@ -221,15 +221,17 @@ #define CIRRUS_HOOK_NOT_HANDLED 0 #define CIRRUS_HOOK_HANDLED 1 +#define ABS(a) ((signed)(a) > 0 ? a : -a) + #define BLTUNSAFE(s) \ ( \ ( /* check dst is within bounds */ \ - (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \ + (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \ + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \ (s)->vram_size \ ) || \ ( /* check src is within bounds */ \ - (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \ + (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \ + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \ (s)->vram_size \ ) \ |