Patch Detail
GET /api/patches/2223109/?format=api
{ "id": 2223109, "url": "http://patchwork.ozlabs.org/api/patches/2223109/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260414132100.53861-4-philmd@linaro.org/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260414132100.53861-4-philmd@linaro.org>", "list_archive_url": null, "date": "2026-04-14T13:20:59", "name": "[PULL,3/3] ati-vga: fix unsigned integer overflow in cursor bounds checks", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "cddd3feba53abe88b4ad029eb6946793d549d038", "submitter": { "id": 85046, "url": "http://patchwork.ozlabs.org/api/people/85046/?format=api", "name": "Philippe Mathieu-Daudé", "email": "philmd@linaro.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260414132100.53861-4-philmd@linaro.org/mbox/", "series": [ { "id": 499841, "url": "http://patchwork.ozlabs.org/api/series/499841/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=499841", "date": "2026-04-14T13:20:57", "name": "[PULL,1/3] hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/499841/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223109/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223109/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit 
key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=J85Qq5X2;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw4gM0gyNz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 23:21:51 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wCdho-0000s6-Fg; Tue, 14 Apr 2026 09:21:28 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <philmd@linaro.org>) id 1wCdhm-0000rS-UX\n for qemu-devel@nongnu.org; Tue, 14 Apr 2026 09:21:26 -0400", "from mail-wr1-x434.google.com ([2a00:1450:4864:20::434])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <philmd@linaro.org>) id 1wCdhl-00080k-C6\n for qemu-devel@nongnu.org; Tue, 14 Apr 2026 09:21:26 -0400", "by mail-wr1-x434.google.com with SMTP id\n ffacd0b85a97d-43d43e09de5so3327998f8f.1\n for <qemu-devel@nongnu.org>; Tue, 14 Apr 2026 06:21:24 -0700 (PDT)", "from localhost.localdomain (88-187-86-199.subs.proxad.net.\n [88.187.86.199]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43d7b543057sm14033448f8f.6.2026.04.14.06.21.22\n for <qemu-devel@nongnu.org>\n (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);\n Tue, 14 Apr 2026 06:21:22 -0700 (PDT)" ], 
"X-Received": "by 2002:a05:6000:612:b0:43e:a81d:c475 with SMTP id\n ffacd0b85a97d-43ea81dc4d7mr2249966f8f.6.1776172883117;\n Tue, 14 Apr 2026 06:21:23 -0700 (PDT)", "From": "=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>", "To": "qemu-devel@nongnu.org", "Subject": "[PULL 3/3] ati-vga: fix unsigned integer overflow in cursor bounds\n checks", "Date": "Tue, 14 Apr 2026 15:20:59 +0200", "Message-ID": "<20260414132100.53861-4-philmd@linaro.org>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260414132100.53861-1-philmd@linaro.org>", "References": "<20260414132100.53861-1-philmd@linaro.org>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2a00:1450:4864:20::434;\n envelope-from=philmd@linaro.org; helo=mail-wr1-x434.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": 
"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Junjie Cao <junjie.cao@intel.com>\n\nThe cursor bounds checks compare (srcoff + N) against vram_size, but\nboth sides are uint32_t so the addition can wrap past UINT32_MAX when\nsrcoff underflows from the cur_hv_offs subtraction, causing the check\nto be bypassed.\n\nRewrite the checks as (srcoff > vram_size - N) to avoid the\noverflow-prone addition, matching the style already used in\nati_mm_read() and ati_mm_write().\n\nCc: qemu-stable@nongnu.org\nFixes: 2f1fbe6ee9b5 (\"ati-vga: Make sure hardware cursor data is within vram\")\nSigned-off-by: Junjie Cao <junjie.cao@intel.com>\nMessage-ID: <20260414141458.1076014-1-junjie.cao@intel.com>\nReviewed-by: BALATON Zoltan <balaton@eik.bme.hu>\nSigned-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>\n---\n hw/display/ati.c | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)", "diff": "diff --git a/hw/display/ati.c b/hw/display/ati.c\nindex 88a5bbbf07a..0489995d00b 100644\n--- a/hw/display/ati.c\n+++ b/hw/display/ati.c\n@@ -149,7 +149,7 @@ static void ati_cursor_define(ATIVGAState *s)\n /* FIXME handle cur_hv_offs correctly */\n srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -\n (s->regs.cur_hv_offs & 0xffff) * 16;\n- if (srcoff + 64 * 16 > s->vga.vram_size) {\n+ if (srcoff > s->vga.vram_size - 64 * 16) {\n return;\n }\n for (int i = 0; i < 64; i++, srcoff += 16) {\n@@ -206,7 +206,7 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)\n }\n /* FIXME handle cur_hv_offs correctly */\n srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;\n- if (srcoff + 16 > s->vga.vram_size) {\n+ if (srcoff > s->vga.vram_size - 16) {\n return;\n }\n dp = &dp[vga->hw_cursor_x];\n", "prefixes": [ "PULL", "3/3" ] }
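Review bot: In the ati_cursor_define() hunk, the new right-hand side `s->vga.vram_size - 64 * 16` is itself an unsigned subtraction, so if vram_size were ever smaller than 64 * 16 it would wrap to a very large value and the early return would be skipped for almost any srcoff. The commit message states both sides are uint32_t; if a minimum VRAM size is guaranteed elsewhere, an assertion or one-line comment at this check would record that assumption, otherwise consider `s->vga.vram_size < 64 * 16 || srcoff > s->vga.vram_size - 64 * 16`. The srcoff computation just above still wraps on the cur_hv_offs subtraction (the FIXME is unchanged), so this comparison is the guard the visible loop relies on.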
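Review bot: In the ati_cursor_draw_line() hunk, the rewritten check `srcoff > s->vga.vram_size - 16` has no comment explaining why the subtraction form is required, and the literal 16 is repeated in the offset computation and in the bound (as 64 * 16 is in the ati_cursor_define() hunk). A short comment noting that `srcoff + 16` can wrap, together with a named constant for the per-line stride, would keep a later cleanup from reverting to the addition form. The commit message says this matches the style in ati_mm_read() and ati_mm_write(); pointing to those functions in the comment would make the convention easy to find.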