From 7b5574225429621e7122a83c06d1b23931f152df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Benn=C3=A9e?=
Date: Mon, 11 Nov 2024 23:00:40 +0000
Subject: hw/display: check frame buffer can hold blob
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Coverity reports (CID 1564769, 1564770) that we potentially overflow by doing some 32x32 multiplies for something that ends up in a 64 bit value. Fix this by first using stride for all lines and casting input to uint64_t to ensure a 64 bit multiply is used.

Signed-off-by: Alex Bennée
Cc: Dmitry Osipenko
Reviewed-by: Dmitry Osipenko
Tested-by: Dmitry Osipenko
Message-ID: <20241111230040.68470-3-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/display/virtio-gpu.c | 3 +--
 include/hw/virtio/virtio-gpu.h | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index e7ca8fd1cf..7d22d03bbf 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -742,8 +742,7 @@ bool virtio_gpu_scanout_blob_to_fb(struct virtio_gpu_framebuffer *fb,
 fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;
 
 fbend = fb->offset;
- fbend += fb->stride * (ss->r.height - 1);
- fbend += fb->bytes_pp * ss->r.width;
+ fbend += (uint64_t) fb->stride * ss->r.height;
 
 if (fbend > blob_size) {
 qemu_log_mask(LOG_GUEST_ERROR,
diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
index 924eb8737e..8c977beebd 100644
--- a/include/hw/virtio/virtio-gpu.h
+++ b/include/hw/virtio/virtio-gpu.h
@@ -340,7 +340,7 @@ void virtio_gpu_update_cursor_data(VirtIOGPU *g,
 * blob_size: size of scanout blob data
 *
 * This will check we have enough space for the frame taking into
- * account that stride for all but the last line.
+ * account that stride.
 *
 * Returns true on success, otherwise logs guest error and returns false
 */
-- 
cgit v1.2.3
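Review bot: The range check still rests on a 32-bit product on the context line two above the change: `fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride;` multiplies guest-supplied fields without the uint64_t widening the new line applies to the height term, so the value fbend starts from can already have wrapped before the `fbend > blob_size` comparison is reached (the cited CIDs presumably cover only the two lines being replaced). Unless those fields are bounded elsewhere, the same treatment belongs here, e.g. `uint64_t off = ss->offsets[0] + (uint64_t)ss->r.x * fb->bytes_pp + (uint64_t)ss->r.y * fb->stride;` checked against blob_size before it is narrowed into fb->offset. The new bound also assumes `ss->r.width * fb->bytes_pp` does not exceed `fb->stride`, which the removed `fbend += fb->bytes_pp * ss->r.width;` did not rely on; if stride is not validated against width elsewhere, a comment stating that assumption next to the new line would help. virtio_gpu_scanout_blob_to_fb starts and ends outside the hunk.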
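Review bot: The rewritten comment line `* account that stride.` no longer reads as a sentence and says less than the code now does, since the check reserves a full stride for every line of the scanout rectangle, the last one included. Suggest `* This will check we have enough space for the frame, taking into` followed by `* account a full stride for every line (stride * height).`, which also makes the bytes-per-pixel assumption visible to the reader of the header.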