diff options
author | Gerd Hoffmann <kraxel@redhat.com> | 2020-04-29 13:52:35 +0200 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2020-05-18 15:43:51 +0200 |
commit | 819c83e27895472befbfee67d3d7d089c61d7fbd (patch) | |
tree | 9ccd752a832f7b0721880fdafb621ccb82589b8d /hw/display | |
parent | 19aaee2a65a26693fe0a30b5a0746f967774e278 (diff) | |
download | qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.zip qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.tar.gz qemu-819c83e27895472befbfee67d3d7d089c61d7fbd.tar.bz2 |
ramfb: add sanity checks to ramfb_create_display_surface
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 20200429115236.28709-6-kraxel@redhat.com
Diffstat (limited to 'hw/display')
-rw-r--r-- | hw/display/ramfb.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c index 1a20bde..52dae78 100644 --- a/hw/display/ramfb.c +++ b/hw/display/ramfb.c @@ -15,6 +15,7 @@ #include "qapi/error.h" #include "hw/loader.h" #include "hw/display/ramfb.h" +#include "hw/display/bochs-vbe.h" /* for limits */ #include "ui/console.h" #include "sysemu/reset.h" @@ -49,6 +50,11 @@ static DisplaySurface *ramfb_create_display_surface(int width, int height, hwaddr size; void *data; + if (width < 16 || width > VBE_DISPI_MAX_XRES || + height < 16 || height > VBE_DISPI_MAX_YRES || + format == 0 /* unknown format */) + return NULL; + if (linesize == 0) { linesize = width * PIXMAN_FORMAT_BPP(format) / 8; } |