hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

Currently qxl_phys2virt() doesn't check for buffer overrun. In order to do so in the next commit, pass the buffer size as argument. For QXLCursor in qxl_render_cursor() -> qxl_cursor() we verify the size of the chunked data ahead, checking we can access 'sizeof(QXLCursor) + chunk->data_size' bytes. Since in the SPICE_CURSOR_TYPE_MONO case the cursor is assumed to fit in one chunk, no change are required. In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in qxl_unpack_chunks(). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221128202741.4945-4-philmd@linaro.org>
2025-08-04 16:23:55 -06:00 · 2022-11-28 21:27:39 +01:00 · 2022-11-28 21:27:39 +01:00 · 8efec0ef8b
commit 8efec0ef8b
parent b1901de83a
4 changed files with 36 additions and 13 deletions
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@ -153,6 +153,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
 * @qxl: QXL device
 * @phys: physical offset of buffer within the VRAM
 * @group_id: memory slot group
+ * @size: size of the buffer
 *
 * Returns a host pointer to a buffer placed at offset @phys within the
 * active slot @group_id of the PCI VGA RAM memory region associated with
@ -166,7 +167,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
 * the incoming ram_addr_t.
 *
 */
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
+                    size_t size);
 void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
    G_GNUC_PRINTF(2, 3);