aboutsummaryrefslogtreecommitdiff
path: root/hw/display
diff options
context:
space:
mode:
authorGerd Hoffmann <kraxel@redhat.com>2020-04-29 13:52:35 +0200
committerGerd Hoffmann <kraxel@redhat.com>2020-05-18 15:43:51 +0200
commit819c83e27895472befbfee67d3d7d089c61d7fbd (patch)
tree9ccd752a832f7b0721880fdafb621ccb82589b8d /hw/display
parent19aaee2a65a26693fe0a30b5a0746f967774e278 (diff)
downloadqemu-819c83e27895472befbfee67d3d7d089c61d7fbd.zip
qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.tar.gz
qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.tar.bz2
ramfb: add sanity checks to ramfb_create_display_surface
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 20200429115236.28709-6-kraxel@redhat.com
Diffstat (limited to 'hw/display')
-rw-r--r--hw/display/ramfb.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c
index 1a20bde..52dae78 100644
--- a/hw/display/ramfb.c
+++ b/hw/display/ramfb.c
@@ -15,6 +15,7 @@
#include "qapi/error.h"
#include "hw/loader.h"
#include "hw/display/ramfb.h"
+#include "hw/display/bochs-vbe.h" /* for limits */
#include "ui/console.h"
#include "sysemu/reset.h"
@@ -49,6 +50,11 @@ static DisplaySurface *ramfb_create_display_surface(int width, int height,
hwaddr size;
void *data;
+ if (width < 16 || width > VBE_DISPI_MAX_XRES ||
+ height < 16 || height > VBE_DISPI_MAX_YRES ||
+ format == 0 /* unknown format */)
+ return NULL;
+
if (linesize == 0) {
linesize = width * PIXMAN_FORMAT_BPP(format) / 8;
}