{"id":806556,"url":"http://patchwork.ozlabs.org/api/1.0/patches/806556/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20170828122906.18993-1-kraxel@redhat.com>","date":"2017-08-28T12:29:06","name":"[v2] vga: stop passing pointers to vga_draw_line* functions","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"9d28e5a88ba3928d520921a1421be3aa16448c9c","submitter":{"id":589,"url":"http://patchwork.ozlabs.org/api/1.0/people/589/?format=json","name":"Gerd Hoffmann","email":"kraxel@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20170828122906.18993-1-kraxel@redhat.com/mbox/","series":[{"id":156,"url":"http://patchwork.ozlabs.org/api/1.0/series/156/?format=json","date":"2017-08-28T12:29:06","name":"[v2] vga: stop passing pointers to vga_draw_line* functions","version":2,"mbox":"http://patchwork.ozlabs.org/series/156/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/806556/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=kraxel@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate 
requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xgrgp71lrz9sDB\n\tfor <incoming@patchwork.ozlabs.org>;\n\tMon, 28 Aug 2017 22:29:58 +1000 (AEST)","from localhost ([::1]:39640 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dmJAy-00035g-Sx\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 08:29:56 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:41055)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <kraxel@redhat.com>) id 1dmJAN-000339-TA\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 08:29:22 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <kraxel@redhat.com>) id 1dmJAI-0004U6-Uy\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 08:29:19 -0400","from mx1.redhat.com ([209.132.183.28]:55026)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <kraxel@redhat.com>) id 1dmJAI-0004TP-LJ\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 08:29:14 -0400","from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 91C8C80467;\n\tMon, 28 Aug 2017 12:29:12 +0000 (UTC)","from sirius.home.kraxel.org (ovpn-116-70.ams2.redhat.com\n\t[10.36.116.70])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 084E360F8C;\n\tMon, 28 Aug 2017 12:29:09 +0000 (UTC)","by sirius.home.kraxel.org (Postfix, from userid 1000)\n\tid 1840016E06; Mon, 28 Aug 2017 14:29:06 +0200 (CEST)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 91C8C80467","From":"Gerd Hoffmann <kraxel@redhat.com>","To":"qemu-devel@nongnu.org","Date":"Mon, 28 Aug 2017 14:29:06 +0200","Message-Id":"<20170828122906.18993-1-kraxel@redhat.com>","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.12","X-Greylist":"Sender IP whitelisted, not delayed by 
milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.28]);\n\tMon, 28 Aug 2017 12:29:12 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"[Qemu-devel] [PATCH v2] vga: stop passing pointers to\n\tvga_draw_line* functions","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"Gerd Hoffmann <kraxel@redhat.com>, d@vidbuchanan.co.uk,\n\tP J P <ppandit@redhat.com>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"},"content":"Instead pass around the address (aka offset into vga memory).\nAdd vga_read_* helper functions which apply vbe_size_mask to\nthe address, to make sure the address stays within the valid\nrange, similar to the cirrus blitter fixes (commits ffaf857778\nand 026aeffcb4).\n\nImpact:  DoS for privileged guest users.  
qemu crashes with\na segfault, when hitting the guard page after vga memory\nallocation, while reading vga memory for display updates.\n\nFixes: CVE-2017-13672\nCc: P J P <ppandit@redhat.com>\nReported-by: David Buchanan <d@vidbuchanan.co.uk>\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>\n---\n hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++---------------------\n hw/display/vga_int.h     |   1 +\n hw/display/vga.c         |   5 +-\n 3 files changed, 114 insertions(+), 94 deletions(-)","diff":"diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h\nindex 94f6de2046..5a752b3f9e 100644\n--- a/hw/display/vga-helpers.h\n+++ b/hw/display/vga-helpers.h\n@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,\n     } while (--h);\n }\n \n+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)\n+{\n+    return vga->vram_ptr[addr & vga->vbe_size_mask];\n+}\n+\n+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)\n+{\n+    uint32_t offset = addr & vga->vbe_size_mask & ~1;\n+    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);\n+    return lduw_le_p(ptr);\n+}\n+\n+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)\n+{\n+    uint32_t offset = addr & vga->vbe_size_mask & ~1;\n+    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);\n+    return lduw_be_p(ptr);\n+}\n+\n+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)\n+{\n+    uint32_t offset = addr & vga->vbe_size_mask & ~3;\n+    uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);\n+    return ldl_le_p(ptr);\n+}\n+\n /*\n  * 4 color mode\n  */\n-static void vga_draw_line2(VGACommonState *s1, uint8_t *d,\n-                           const uint8_t *s, int width)\n+static void vga_draw_line2(VGACommonState *vga, uint8_t *d,\n+                           uint32_t addr, int width)\n {\n     uint32_t plane_mask, *palette, data, v;\n     int x;\n \n-    palette = s1->last_palette;\n-    
plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n+    palette = vga->last_palette;\n+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n     width >>= 3;\n     for(x = 0; x < width; x++) {\n-        data = ((uint32_t *)s)[0];\n+        data = vga_read_dword_le(vga, addr);\n         data &= plane_mask;\n         v = expand2[GET_PLANE(data, 0)];\n         v |= expand2[GET_PLANE(data, 2)] << 2;\n@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,\n         ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];\n         ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];\n         d += 32;\n-        s += 4;\n+        addr += 4;\n     }\n }\n \n@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,\n /*\n  * 4 color mode, dup2 horizontal\n  */\n-static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,\n-                             const uint8_t *s, int width)\n+static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d,\n+                             uint32_t addr, int width)\n {\n     uint32_t plane_mask, *palette, data, v;\n     int x;\n \n-    palette = s1->last_palette;\n-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n+    palette = vga->last_palette;\n+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n     width >>= 3;\n     for(x = 0; x < width; x++) {\n-        data = ((uint32_t *)s)[0];\n+        data = vga_read_dword_le(vga, addr);\n         data &= plane_mask;\n         v = expand2[GET_PLANE(data, 0)];\n         v |= expand2[GET_PLANE(data, 2)] << 2;\n@@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,\n         PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);\n         PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);\n         d += 64;\n-        s += 4;\n+        addr += 4;\n     }\n }\n \n /*\n  * 16 color mode\n  */\n-static void vga_draw_line4(VGACommonState *s1, uint8_t *d,\n-                           const uint8_t *s, int width)\n+static 
void vga_draw_line4(VGACommonState *vga, uint8_t *d,\n+                           uint32_t addr, int width)\n {\n     uint32_t plane_mask, data, v, *palette;\n     int x;\n \n-    palette = s1->last_palette;\n-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n+    palette = vga->last_palette;\n+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n     width >>= 3;\n     for(x = 0; x < width; x++) {\n-        data = ((uint32_t *)s)[0];\n+        data = vga_read_dword_le(vga, addr);\n         data &= plane_mask;\n         v = expand4[GET_PLANE(data, 0)];\n         v |= expand4[GET_PLANE(data, 1)] << 1;\n@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d,\n         ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];\n         ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];\n         d += 32;\n-        s += 4;\n+        addr += 4;\n     }\n }\n \n /*\n  * 16 color mode, dup2 horizontal\n  */\n-static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,\n-                             const uint8_t *s, int width)\n+static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d,\n+                             uint32_t addr, int width)\n {\n     uint32_t plane_mask, data, v, *palette;\n     int x;\n \n-    palette = s1->last_palette;\n-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n+    palette = vga->last_palette;\n+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];\n     width >>= 3;\n     for(x = 0; x < width; x++) {\n-        data = ((uint32_t *)s)[0];\n+        data = vga_read_dword_le(vga, addr);\n         data &= plane_mask;\n         v = expand4[GET_PLANE(data, 0)];\n         v |= expand4[GET_PLANE(data, 1)] << 1;\n@@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,\n         PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);\n         PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);\n         d += 64;\n-        s += 4;\n+        addr += 4;\n     }\n }\n \n@@ -233,21 +259,21 @@ 
static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,\n  *\n  * XXX: add plane_mask support (never used in standard VGA modes)\n  */\n-static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,\n-                             const uint8_t *s, int width)\n+static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d,\n+                             uint32_t addr, int width)\n {\n     uint32_t *palette;\n     int x;\n \n-    palette = s1->last_palette;\n+    palette = vga->last_palette;\n     width >>= 3;\n     for(x = 0; x < width; x++) {\n-        PUT_PIXEL2(d, 0, palette[s[0]]);\n-        PUT_PIXEL2(d, 1, palette[s[1]]);\n-        PUT_PIXEL2(d, 2, palette[s[2]]);\n-        PUT_PIXEL2(d, 3, palette[s[3]]);\n+        PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);\n+        PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);\n+        PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);\n+        PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);\n         d += 32;\n-        s += 4;\n+        addr += 4;\n     }\n }\n \n@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,\n  *\n  * XXX: add plane_mask support (never used in standard VGA modes)\n  */\n-static void vga_draw_line8(VGACommonState *s1, uint8_t *d,\n-                           const uint8_t *s, int width)\n+static void vga_draw_line8(VGACommonState *vga, uint8_t *d,\n+                           uint32_t addr, int width)\n {\n     uint32_t *palette;\n     int x;\n \n-    palette = s1->last_palette;\n+    palette = vga->last_palette;\n     width >>= 3;\n     for(x = 0; x < width; x++) {\n-        ((uint32_t *)d)[0] = palette[s[0]];\n-        ((uint32_t *)d)[1] = palette[s[1]];\n-        ((uint32_t *)d)[2] = palette[s[2]];\n-        ((uint32_t *)d)[3] = palette[s[3]];\n-        ((uint32_t *)d)[4] = palette[s[4]];\n-        ((uint32_t *)d)[5] = palette[s[5]];\n-        ((uint32_t *)d)[6] = palette[s[6]];\n-        ((uint32_t *)d)[7] = 
palette[s[7]];\n+        ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)];\n+        ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)];\n+        ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)];\n+        ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];\n+        ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)];\n+        ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)];\n+        ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)];\n+        ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)];\n         d += 32;\n-        s += 8;\n+        addr += 8;\n     }\n }\n \n /*\n  * 15 bit color\n  */\n-static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n     int w;\n     uint32_t v, r, g, b;\n \n     w = width;\n     do {\n-        v = lduw_le_p((void *)s);\n+        v = vga_read_word_le(vga, addr);\n         r = (v >> 7) & 0xf8;\n         g = (v >> 2) & 0xf8;\n         b = (v << 3) & 0xf8;\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 2;\n+        addr += 2;\n         d += 4;\n     } while (--w != 0);\n }\n \n-static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n     int w;\n     uint32_t v, r, g, b;\n \n     w = width;\n     do {\n-        v = lduw_be_p((void *)s);\n+        v = vga_read_word_be(vga, addr);\n         r = (v >> 7) & 0xf8;\n         g = (v >> 2) & 0xf8;\n         b = (v << 3) & 0xf8;\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 2;\n+        addr += 2;\n         d += 4;\n     } while (--w != 0);\n }\n@@ -320,38 +346,38 @@ static void 
vga_draw_line15_be(VGACommonState *s1, uint8_t *d,\n /*\n  * 16 bit color\n  */\n-static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n     int w;\n     uint32_t v, r, g, b;\n \n     w = width;\n     do {\n-        v = lduw_le_p((void *)s);\n+        v = vga_read_word_le(vga, addr);\n         r = (v >> 8) & 0xf8;\n         g = (v >> 3) & 0xfc;\n         b = (v << 3) & 0xf8;\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 2;\n+        addr += 2;\n         d += 4;\n     } while (--w != 0);\n }\n \n-static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n     int w;\n     uint32_t v, r, g, b;\n \n     w = width;\n     do {\n-        v = lduw_be_p((void *)s);\n+        v = vga_read_word_be(vga, addr);\n         r = (v >> 8) & 0xf8;\n         g = (v >> 3) & 0xfc;\n         b = (v << 3) & 0xf8;\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 2;\n+        addr += 2;\n         d += 4;\n     } while (--w != 0);\n }\n@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,\n /*\n  * 24 bit color\n  */\n-static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n     int w;\n     uint32_t r, g, b;\n \n     w = width;\n     do {\n-        b = s[0];\n-        g = s[1];\n-        r = s[2];\n+        b = vga_read_byte(vga, addr + 0);\n+        g = vga_read_byte(vga, addr + 1);\n+        r = vga_read_byte(vga, addr + 2);\n 
        ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 3;\n+        addr += 3;\n         d += 4;\n     } while (--w != 0);\n }\n \n-static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n     int w;\n     uint32_t r, g, b;\n \n     w = width;\n     do {\n-        r = s[0];\n-        g = s[1];\n-        b = s[2];\n+        r = vga_read_byte(vga, addr + 0);\n+        g = vga_read_byte(vga, addr + 1);\n+        b = vga_read_byte(vga, addr + 2);\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 3;\n+        addr += 3;\n         d += 4;\n     } while (--w != 0);\n }\n@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,\n /*\n  * 32 bit color\n  */\n-static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n-#ifndef HOST_WORDS_BIGENDIAN\n-    memcpy(d, s, width * 4);\n-#else\n     int w;\n     uint32_t r, g, b;\n \n     w = width;\n     do {\n-        b = s[0];\n-        g = s[1];\n-        r = s[2];\n+        b = vga_read_byte(vga, addr + 0);\n+        g = vga_read_byte(vga, addr + 1);\n+        r = vga_read_byte(vga, addr + 2);\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 4;\n+        addr += 4;\n         d += 4;\n     } while (--w != 0);\n-#endif\n }\n \n-static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d,\n-                               const uint8_t *s, int width)\n+static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d,\n+                               uint32_t addr, int width)\n {\n-#ifdef HOST_WORDS_BIGENDIAN\n-    memcpy(d, s, width * 4);\n-#else\n     int w;\n  
   uint32_t r, g, b;\n \n     w = width;\n     do {\n-        r = s[1];\n-        g = s[2];\n-        b = s[3];\n+        r = vga_read_byte(vga, addr + 1);\n+        g = vga_read_byte(vga, addr + 2);\n+        b = vga_read_byte(vga, addr + 3);\n         ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);\n-        s += 4;\n+        addr += 4;\n         d += 4;\n     } while (--w != 0);\n-#endif\n }\ndiff --git a/hw/display/vga_int.h b/hw/display/vga_int.h\nindex dd6c958da3..ad34a1f048 100644\n--- a/hw/display/vga_int.h\n+++ b/hw/display/vga_int.h\n@@ -94,6 +94,7 @@ typedef struct VGACommonState {\n     uint32_t vram_size;\n     uint32_t vram_size_mb; /* property */\n     uint32_t vbe_size;\n+    uint32_t vbe_size_mask;\n     uint32_t latch;\n     bool has_chain4_alias;\n     MemoryRegion chain4_alias;\ndiff --git a/hw/display/vga.c b/hw/display/vga.c\nindex 63421f9ee8..4c2ee0be28 100644\n--- a/hw/display/vga.c\n+++ b/hw/display/vga.c\n@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)\n }\n \n typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,\n-                                const uint8_t *s, int width);\n+                                uint32_t srcaddr, int width);\n \n #include \"vga-helpers.h\"\n \n@@ -1660,7 +1660,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)\n             if (y_start < 0)\n                 y_start = y;\n             if (!(is_buffer_shared(surface))) {\n-                vga_draw_line(s, d, s->vram_ptr + addr, width);\n+                vga_draw_line(s, d, addr, width);\n                 if (s->cursor_draw_line)\n                     s->cursor_draw_line(s, d, y);\n             }\n@@ -2164,6 +2164,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)\n     if (!s->vbe_size) {\n         s->vbe_size = s->vram_size;\n     }\n+    s->vbe_size_mask = s->vbe_size - 1;\n \n     s->is_vbe_vmstate = 1;\n     memory_region_init_ram_nomigrate(&s->vram, obj, 
\"vga.vram\", s->vram_size,\n","prefixes":["v2"]}
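Review bot: In the new vga_read_word_le, vga_read_word_be and vga_read_dword_le helpers (first hunk of hw/display/vga-helpers.h), the extra `& ~1` / `& ~3` silently rounds an unaligned addr down, so a guest-programmed odd start address now reads different bytes than the old pointer-based code did. That rounding is what keeps a multi-byte load from running past the last masked byte, but nothing in the helpers says so; a short comment above them stating the intent would help. The `(uint16_t *)` and `(uint32_t *)` casts also look unnecessary, since the pointer is only handed to lduw_le_p, lduw_be_p and ldl_le_p, which the removed lines called with `(void *)s`.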
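Review bot: In vga_draw_line32_le and vga_draw_line32_be (last hunk of hw/display/vga-helpers.h), dropping the HOST_WORDS_BIGENDIAN `memcpy(d, s, width * 4)` path turns the matching-endianness 32 bpp case from one memcpy per line into three masked byte reads plus rgb_to_pixel32 per pixel, and the commit message does not mention that cost. Either note the trade-off in the commit message, or keep a fast path that still uses memcpy when the span from addr to addr + width * 4 stays inside the masked range and falls back to the per-pixel loop otherwise.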
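Review bot: The vga_draw_line_func typedef in hw/display/vga.c keeps the parameter names `s1` and `srcaddr`, while every implementation in vga-helpers.h was renamed to `vga` and `addr` in this same patch. Using the same names in the typedef would keep the prototype and its implementations consistent.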
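Review bot: `s->vbe_size_mask = s->vbe_size - 1;` in vga_common_init only gives the wrap-around behaviour the commit message describes if vbe_size is a power of two, and it only keeps reads inside the allocation if vbe_size is no larger than vram_size; the visible lines check neither, they only default vbe_size to vram_size when it is zero. Consider asserting both conditions next to the assignment. The mask is also computed once here, so any code that changes vbe_size after init would leave it stale; if that can happen, the mask should be recomputed where vbe_size is written.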