diff options
author | balrog <balrog@c046a42c-6fe2-441c-8c8c-71466251a162> | 2008-03-06 20:43:34 +0000 |
---|---|---|
committer | balrog <balrog@c046a42c-6fe2-441c-8c8c-71466251a162> | 2008-03-06 20:43:34 +0000 |
commit | a8fbaf96e0791d72078d22b75c5f3c1f1d1ee45d (patch) | |
tree | bd822aa03551053953a6abc988fe965e904e8214 | |
parent | 3016d80bff9ba63e67c1b18798180b2a9ffb58c0 (diff) |
Check for out of range update regions (original patch from Anthony Liguori).
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4024 c046a42c-6fe2-441c-8c8c-71466251a162
-rw-r--r-- | hw/vmware_vga.c | 33 |
1 files changed, 27 insertions, 6 deletions
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c index 54c320a2c4..f2ffa211de 100644 --- a/hw/vmware_vga.c +++ b/hw/vmware_vga.c @@ -291,12 +291,33 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s, int x, int y, int w, int h) { #ifndef DIRECT_VRAM - int line = h; - int bypl = s->bypp * s->width; - int width = s->bypp * w; - int start = s->bypp * x + bypl * y; - uint8_t *src = s->vram + start; - uint8_t *dst = s->ds->data + start; + int line; + int bypl; + int width; + int start; + uint8_t *src; + uint8_t *dst; + + if (x + w > s->width) { + fprintf(stderr, "%s: update width too large x: %d, w: %d\n", + __FUNCTION__, x, w); + x = MIN(x, s->width); + w = s->width - x; + } + + if (y + h > s->height) { + fprintf(stderr, "%s: update height too large y: %d, h: %d\n", + __FUNCTION__, y, h); + y = MIN(y, s->height); + h = s->height - y; + } + + line = h; + bypl = s->bypp * s->width; + width = s->bypp * w; + start = s->bypp * x + bypl * y; + src = s->vram + start; + dst = s->ds->data + start; for (; line > 0; line --, src += bypl, dst += bypl) memcpy(dst, src, width); |