authorbalrog <balrog@c046a42c-6fe2-441c-8c8c-71466251a162>2008-03-06 20:43:34 +0000
committerbalrog <balrog@c046a42c-6fe2-441c-8c8c-71466251a162>2008-03-06 20:43:34 +0000
commita8fbaf96e0791d72078d22b75c5f3c1f1d1ee45d (patch)
treebd822aa03551053953a6abc988fe965e904e8214
parent3016d80bff9ba63e67c1b18798180b2a9ffb58c0 (diff)
Check for out of range update regions (original patch from Anthony Liguori).
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4024 c046a42c-6fe2-441c-8c8c-71466251a162
-rw-r--r--hw/vmware_vga.c33
1 files changed, 27 insertions, 6 deletions
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 54c320a2c4..f2ffa211de 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -291,12 +291,33 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
int x, int y, int w, int h)
{
#ifndef DIRECT_VRAM
- int line = h;
- int bypl = s->bypp * s->width;
- int width = s->bypp * w;
- int start = s->bypp * x + bypl * y;
- uint8_t *src = s->vram + start;
- uint8_t *dst = s->ds->data + start;
+ int line;
+ int bypl;
+ int width;
+ int start;
+ uint8_t *src;
+ uint8_t *dst;
+
+ if (x + w > s->width) {
+ fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+ __FUNCTION__, x, w);
+ x = MIN(x, s->width);
+ w = s->width - x;
+ }
+
+ if (y + h > s->height) {
+ fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+ __FUNCTION__, y, h);
+ y = MIN(y, s->height);
+ h = s->height - y;
+ }
+
+ line = h;
+ bypl = s->bypp * s->width;
+ width = s->bypp * w;
+ start = s->bypp * x + bypl * y;
+ src = s->vram + start;
+ dst = s->ds->data + start;
for (; line > 0; line --, src += bypl, dst += bypl)
memcpy(dst, src, width);