ati-vga: Fix check for blt outside vram

Fix the check preventing calling pixman functions that would access
memory outside allocated vram. The r128 X driver sometimes seem to try
blits that span outside vram, this check prevents crashing QEMU in
that case. (The r128 X driver may have problems even on real hardware
so I'm not sure if it's a client bug or emulation problem but at least
QEMU should survive.)

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: Andrew Randrianasulu <randrianasulu@gmail.com>
---
 hw/display/ati_2d.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

This patch looks 4.0 worthwhile.

On 4/9/19 12:56 PM, BALATON Zoltan wrote:
> Fix the check preventing calling pixman functions that would access
> memory outside allocated vram. The r128 X driver sometimes seem to try
> blits that span outside vram, this check prevents crashing QEMU in
> that case. (The r128 X driver may have problems even on real hardware
> so I'm not sure if it's a client bug or emulation problem but at least
> QEMU should survive.)
> 
> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
> Tested-by: Andrew Randrianasulu <randrianasulu@gmail.com>
> ---
>  hw/display/ati_2d.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
> index bc98ba6eeb..fe3ae14864 100644
> --- a/hw/display/ati_2d.c
> +++ b/hw/display/ati_2d.c
> @@ -79,10 +79,10 @@ void ati_2d_blt(ATIVGAState *s)
>                  s->regs.dst_width, s->regs.dst_height);
>          end = s->vga.vram_ptr + s->vga.vram_size;
>          if (src_bits >= end || dst_bits >= end ||
> -            src_bits + (s->regs.src_y + s->regs.dst_height) * src_stride +
> -            s->regs.src_x >= end ||
> -            dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride +
> -            s->regs.dst_x >= end) {
> +            src_bits + s->regs.src_x + (s->regs.src_y + s->regs.dst_height) *
> +            src_stride * sizeof(uint32_t) >= end ||
> +            dst_bits + s->regs.dst_x + (s->regs.dst_y + s->regs.dst_height) *
> +            dst_stride * sizeof(uint32_t) >= end) {
>              qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
>              return;
>          }
> @@ -140,8 +140,8 @@ void ati_2d_blt(ATIVGAState *s)
>                  filler);
>          end = s->vga.vram_ptr + s->vga.vram_size;
>          if (dst_bits >= end ||
> -            dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride +
> -            s->regs.dst_x >= end) {
> +            dst_bits + s->regs.dst_x + (s->regs.dst_y + s->regs.dst_height) *
> +            dst_stride * sizeof(uint32_t) >= end) {
>              qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
>              return;
>          }
>

On Tue, 9 Apr 2019, Philippe Mathieu-Daudé wrote:
> This patch looks 4.0 worthwhile.

Now that it seems we'll have another rc, will this get in? Gerd, I think 
you have to send a pull request with it for that.

Regards,
BALATON Zoltan

> On 4/9/19 12:56 PM, BALATON Zoltan wrote:
>> Fix the check preventing calling pixman functions that would access
>> memory outside allocated vram. The r128 X driver sometimes seem to try
>> blits that span outside vram, this check prevents crashing QEMU in
>> that case. (The r128 X driver may have problems even on real hardware
>> so I'm not sure if it's a client bug or emulation problem but at least
>> QEMU should survive.)
>>
>> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
>> Tested-by: Andrew Randrianasulu <randrianasulu@gmail.com>
>> ---
>>  hw/display/ati_2d.c | 12 ++++++------
>>  1 file changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
>> index bc98ba6eeb..fe3ae14864 100644
>> --- a/hw/display/ati_2d.c
>> +++ b/hw/display/ati_2d.c
>> @@ -79,10 +79,10 @@ void ati_2d_blt(ATIVGAState *s)
>>                  s->regs.dst_width, s->regs.dst_height);
>>          end = s->vga.vram_ptr + s->vga.vram_size;
>>          if (src_bits >= end || dst_bits >= end ||
>> -            src_bits + (s->regs.src_y + s->regs.dst_height) * src_stride +
>> -            s->regs.src_x >= end ||
>> -            dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride +
>> -            s->regs.dst_x >= end) {
>> +            src_bits + s->regs.src_x + (s->regs.src_y + s->regs.dst_height) *
>> +            src_stride * sizeof(uint32_t) >= end ||
>> +            dst_bits + s->regs.dst_x + (s->regs.dst_y + s->regs.dst_height) *
>> +            dst_stride * sizeof(uint32_t) >= end) {
>>              qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
>>              return;
>>          }
>> @@ -140,8 +140,8 @@ void ati_2d_blt(ATIVGAState *s)
>>                  filler);
>>          end = s->vga.vram_ptr + s->vga.vram_size;
>>          if (dst_bits >= end ||
>> -            dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride +
>> -            s->regs.dst_x >= end) {
>> +            dst_bits + s->regs.dst_x + (s->regs.dst_y + s->regs.dst_height) *
>> +            dst_stride * sizeof(uint32_t) >= end) {
>>              qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
>>              return;
>>          }
>>
>
>

On Sun, 14 Apr 2019, BALATON Zoltan wrote:
> On Tue, 9 Apr 2019, Philippe Mathieu-Daudé wrote:
>> This patch looks 4.0 worthwhile.
>
> Now that it seems we'll have another rc, will this get in? Gerd, I think you 
> have to send a pull request with it for that.

Ping? This has missed two rc-s. This prevents a crash so you might want to 
queue it for stable as well now.

Regards,
BALATON Zoltan

>
>> On 4/9/19 12:56 PM, BALATON Zoltan wrote:
>>> Fix the check preventing calling pixman functions that would access
>>> memory outside allocated vram. The r128 X driver sometimes seem to try
>>> blits that span outside vram, this check prevents crashing QEMU in
>>> that case. (The r128 X driver may have problems even on real hardware
>>> so I'm not sure if it's a client bug or emulation problem but at least
>>> QEMU should survive.)
>>> 
>>> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
>>> Tested-by: Andrew Randrianasulu <randrianasulu@gmail.com>
>>> ---
>>>  hw/display/ati_2d.c | 12 ++++++------
>>>  1 file changed, 6 insertions(+), 6 deletions(-)
>>> 
>>> diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
>>> index bc98ba6eeb..fe3ae14864 100644
>>> --- a/hw/display/ati_2d.c
>>> +++ b/hw/display/ati_2d.c
>>> @@ -79,10 +79,10 @@ void ati_2d_blt(ATIVGAState *s)
>>>                  s->regs.dst_width, s->regs.dst_height);
>>>          end = s->vga.vram_ptr + s->vga.vram_size;
>>>          if (src_bits >= end || dst_bits >= end ||
>>> -            src_bits + (s->regs.src_y + s->regs.dst_height) * src_stride 
>>> +
>>> -            s->regs.src_x >= end ||
>>> -            dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride 
>>> +
>>> -            s->regs.dst_x >= end) {
>>> +            src_bits + s->regs.src_x + (s->regs.src_y + 
>>> s->regs.dst_height) *
>>> +            src_stride * sizeof(uint32_t) >= end ||
>>> +            dst_bits + s->regs.dst_x + (s->regs.dst_y + 
>>> s->regs.dst_height) *
>>> +            dst_stride * sizeof(uint32_t) >= end) {
>>>              qemu_log_mask(LOG_UNIMP, "blt outside vram not 
>>> implemented\n");
>>>              return;
>>>          }
>>> @@ -140,8 +140,8 @@ void ati_2d_blt(ATIVGAState *s)
>>>                  filler);
>>>          end = s->vga.vram_ptr + s->vga.vram_size;
>>>          if (dst_bits >= end ||
>>> -            dst_bits + (s->regs.dst_y + s->regs.dst_height) * dst_stride 
>>> +
>>> -            s->regs.dst_x >= end) {
>>> +            dst_bits + s->regs.dst_x + (s->regs.dst_y + 
>>> s->regs.dst_height) *
>>> +            dst_stride * sizeof(uint32_t) >= end) {
>>>              qemu_log_mask(LOG_UNIMP, "blt outside vram not 
>>> implemented\n");
>>>              return;
>>>          }
>>> 
>> 
>> 
>
>

On Tue, Apr 09, 2019 at 12:56:18PM +0200, BALATON Zoltan wrote:
> Fix the check preventing calling pixman functions that would access
> memory outside allocated vram. The r128 X driver sometimes seem to try
> blits that span outside vram, this check prevents crashing QEMU in
> that case. (The r128 X driver may have problems even on real hardware
> so I'm not sure if it's a client bug or emulation problem but at least
> QEMU should survive.)

Added to vga queue.

thanks,
  Gerd