From 2fba4e9c4938406fa676bfd3566e416e095cf93a Mon Sep 17 00:00:00 2001
From: lu zhipeng <luzhipeng@cestc.cn>
Date: Thu, 29 Sep 2022 20:23:52 +0800
Subject: cirrus_vga: fix potential memory overflow

Signed-off-by: lu zhipeng <luzhipeng@cestc.cn>
Message-Id: <20220929122352.1891-1-luzhipeng@cestc.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/cirrus_vga.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'hw/display/cirrus_vga.c')

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 3bb6a58..2577005 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -834,7 +834,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
                    word alignment, so we keep them for the next line */
                 /* XXX: keep alignment to speed up transfer */
                 end_ptr = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-                copy_count = s->cirrus_srcptr_end - end_ptr;
+                copy_count = MIN(s->cirrus_srcptr_end - end_ptr, CIRRUS_BLTBUFSIZE);
                 memmove(s->cirrus_bltbuf, end_ptr, copy_count);
                 s->cirrus_srcptr = s->cirrus_bltbuf + copy_count;
                 s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-- 
cgit v1.1