
[Xen-changelog] [qemu-xen-traditional stable-4.6] cirrus_vga: fix division by 0 for color expansion rop



commit fd7c9bfa4955fa8c32bbaaa2b515ed2414ef9bc5
Author:     Aurelien Jarno <aurelien@xxxxxxxxxxx>
AuthorDate: Tue Jan 4 21:58:24 2011 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Oct 16 16:52:06 2015 +0100

    cirrus_vga: fix division by 0 for color expansion rop
    
    Commit d85d0d3883f5a567fa2969a0396e42e0a662b3fa introduces a regression
    with Windows ME that leads to a division by 0 and a crash.
    
    It uses the color expansion rop with the source pitch set to 0. This is
    something allowed, as the manual explicitly says "When the source of
    color-expand data is display memory, the source pitch is ignored.".
    
    This patch fixes this regression by computing sx, sy and other
    variables only if they are going to be used later, that is for a plain
    copy ROP. It basically consists in moving code.
    
    Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
---
 hw/cirrus_vga.c |   70 +++++++++++++++++++++++++++---------------------------
 1 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index d3bf4cf..e6c3893 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -754,46 +754,46 @@ static int 
cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
 
 static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 {
-    int sx, sy;
-    int dx, dy;
-    int width, height;
-    int depth;
+    int sx = 0, sy = 0;
+    int dx = 0, dy = 0;
+    int depth = 0;
     int notify = 0;
 
-    depth = s->get_bpp((VGAState *)s) / 8;
-    s->get_resolution((VGAState *)s, &width, &height);
-
-    /* extra x, y */
-    sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
-    sy = (src / ABS(s->cirrus_blt_srcpitch));
-    dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
-    dy = (dst / ABS(s->cirrus_blt_dstpitch));
-
-    /* normalize width */
-    w /= depth;
-
-    /* if we're doing a backward copy, we have to adjust
-       our x/y to be the upper left corner (instead of the lower
-       right corner) */
-    if (s->cirrus_blt_dstpitch < 0) {
-       sx -= (s->cirrus_blt_width / depth) - 1;
-       dx -= (s->cirrus_blt_width / depth) - 1;
-       sy -= s->cirrus_blt_height - 1;
-       dy -= s->cirrus_blt_height - 1;
-    }
+    /* make sure to only copy if it's a plain copy ROP */
+    if (*s->cirrus_rop == cirrus_bitblt_rop_fwd_src ||
+        *s->cirrus_rop == cirrus_bitblt_rop_bkwd_src) {
+        int width, height;
+
+        depth = s->get_bpp((VGAState *)s) / 8;
+        s->get_resolution((VGAState *)s, &width, &height);
+
+        /* extra x, y */
+        sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
+        sy = (src / ABS(s->cirrus_blt_srcpitch));
+        dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
+        dy = (dst / ABS(s->cirrus_blt_dstpitch));
+
+        /* normalize width */
+        w /= depth;
+
+        /* if we're doing a backward copy, we have to adjust
+           our x/y to be the upper left corner (instead of the lower
+           right corner) */
+        if (s->cirrus_blt_dstpitch < 0) {
+            sx -= (s->cirrus_blt_width / depth) - 1;
+            dx -= (s->cirrus_blt_width / depth) - 1;
+            sy -= s->cirrus_blt_height - 1;
+            dy -= s->cirrus_blt_height - 1;
+        }
 
-    /* are we in the visible portion of memory? */
-    if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
-       (sx + w) <= width && (sy + h) <= height &&
-       (dx + w) <= width && (dy + h) <= height) {
-       notify = 1;
+        /* are we in the visible portion of memory? */
+        if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
+            (sx + w) <= width && (sy + h) <= height &&
+            (dx + w) <= width && (dy + h) <= height) {
+            notify = 1;
+        }
     }
 
-    /* make to sure only copy if it's a plain copy ROP */
-    if (*s->cirrus_rop != cirrus_bitblt_rop_fwd_src &&
-       *s->cirrus_rop != cirrus_bitblt_rop_bkwd_src)
-       notify = 0;
-
     /* we have to flush all pending changes so that the copy
        is generated at the appropriate moment in time */
     if (notify)
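
Review bot: the plain-copy branch still divides by register-derived values with no zero check, in the `/* extra x, y */` block and at `w /= depth`. The commit message establishes that a guest can legitimately program a source pitch of 0, and nothing in this hunk shows that cirrus_blt_srcpitch or cirrus_blt_dstpitch is rejected as 0 when the ROP is cirrus_bitblt_rop_fwd_src or cirrus_bitblt_rop_bkwd_src, so `src % ABS(s->cirrus_blt_srcpitch)` and `dst % ABS(s->cirrus_blt_dstpitch)` can still fault. The same applies to `depth = s->get_bpp((VGAState *)s) / 8`, which is 0 for any reported depth below 8 bpp and then feeds four divisions. Suggest extending the condition so the coordinate math only runs when both pitches and depth are non-zero, leaving notify at 0 otherwise, and adding a comment that these values come from guest-written blitter registers. Separately, the new zero initializers on sx, sy, dx, dy and depth deserve a short comment saying they are only meaningful when notify is set, so a later reader does not use them on the non-copy path.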
--
generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.6
