aboutsummaryrefslogtreecommitdiff
path: root/hw/display
diff options
context:
space:
mode:
authorBenjamin Herrenschmidt <benh@kernel.crashing.org>2014-07-07 10:32:34 +1000
committerGerd Hoffmann <kraxel@redhat.com>2014-07-11 10:17:02 +0200
commitd16136d22af0fcf0d651de04c9e3cbc7137cc6f9 (patch)
treeb667e257de01f24e77031f64ca21f5c31b414bd5 /hw/display
parente8ee4b68bed36471b014c23209299c84b8d4a01b (diff)
downloadqemu-d16136d22af0fcf0d651de04c9e3cbc7137cc6f9.zip
qemu-d16136d22af0fcf0d651de04c9e3cbc7137cc6f9.tar.gz
qemu-d16136d22af0fcf0d651de04c9e3cbc7137cc6f9.tar.bz2
cirrus: Fix host CPU blits
Commit b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef "CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow" broke cpu to video blits. When the ROP function is called from cirrus_bitblt_cputovideo_next(), we pass 0 for the pitch but only operate on one line at a time. The added test was tripping because after the initial substraction, the pitch becomes negative. Make the test only trip when the height is larger than one (ie. the pitch is actually used). This fixes HW cursor support in Windows NT4.0 (which otherwise was a white rectangle) and general display of icons in that OS when using 8bpp mode. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/display')
-rw-r--r--hw/display/cirrus_vga_rop.h3
1 files changed, 1 insertions, 2 deletions
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index 9c7bb09..0925a00 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -52,8 +52,7 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
dstpitch -= bltwidth;
srcpitch -= bltwidth;
- if (dstpitch < 0 || srcpitch < 0) {
- /* is 0 valid? srcpitch == 0 could be useful */
+ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
return;
}