{"id":2223109,"url":"http://patchwork.ozlabs.org/api/patches/2223109/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260414132100.53861-4-philmd@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260414132100.53861-4-philmd@linaro.org>","list_archive_url":null,"date":"2026-04-14T13:20:59","name":"[PULL,3/3] ati-vga: fix unsigned integer overflow in cursor bounds checks","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"cddd3feba53abe88b4ad029eb6946793d549d038","submitter":{"id":85046,"url":"http://patchwork.ozlabs.org/api/people/85046/?format=json","name":"Philippe Mathieu-Daudé","email":"philmd@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260414132100.53861-4-philmd@linaro.org/mbox/","series":[{"id":499841,"url":"http://patchwork.ozlabs.org/api/series/499841/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=499841","date":"2026-04-14T13:20:57","name":"[PULL,1/3] hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node","version":1,"mbox":"http://patchwork.ozlabs.org/series/499841/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223109/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223109/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google 
header.b=J85Qq5X2;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw4gM0gyNz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 23:21:51 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wCdho-0000s6-Fg; Tue, 14 Apr 2026 09:21:28 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <philmd@linaro.org>) id 1wCdhm-0000rS-UX\n for qemu-devel@nongnu.org; Tue, 14 Apr 2026 09:21:26 -0400","from mail-wr1-x434.google.com ([2a00:1450:4864:20::434])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <philmd@linaro.org>) id 1wCdhl-00080k-C6\n for qemu-devel@nongnu.org; Tue, 14 Apr 2026 09:21:26 -0400","by mail-wr1-x434.google.com with SMTP id\n ffacd0b85a97d-43d43e09de5so3327998f8f.1\n for <qemu-devel@nongnu.org>; Tue, 14 Apr 2026 06:21:24 -0700 (PDT)","from localhost.localdomain (88-187-86-199.subs.proxad.net.\n [88.187.86.199]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43d7b543057sm14033448f8f.6.2026.04.14.06.21.22\n for <qemu-devel@nongnu.org>\n (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);\n Tue, 14 Apr 2026 06:21:22 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1776172883; x=1776777683; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n 
:message-id:date:subject:to:from:from:to:cc:subject:date:message-id\n :reply-to; bh=RTP8G/3syFvWMTvC3Oy537xBcJoeDL0PeXldlkypUIc=;\n b=J85Qq5X29zkEt1ZE1zj9GJQlt7eexi+4l0GXiEk8yc1aMMBcx9Qnw62+LLXlp2QfKw\n LhO6HVe3u/8mW2SoGw91mshmCBatY90XnwJ55kregXaNwMEk9/WpD26BPZVpqtJ0ziUX\n iP/Z9dfFZgJueIkXcO9ia9nPqKcqyRwJ4qHEnUS4UcvQittIjSFmGjfXo7zcIA/mwb7t\n H5guz3DN3n2am/TJE7maT0+03C6aVbcmikp1Yx4jCyPatO/EV/bYyaZyhFxMsBXROdIF\n PsYRtR8a/CHaiSXSv+2d4VAlo5w3/oUxTk1t0tIrG/ychSOMwxe+asm96yZUQqlM9bLs\n weTg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776172883; x=1776777683;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=RTP8G/3syFvWMTvC3Oy537xBcJoeDL0PeXldlkypUIc=;\n b=ZccWG1VM+kDw+bKd5oCM8Ec8DRnWHstu2FkUT2EcfqLCzJNLfg0eCuEcPwAichdxLR\n yXjyW7Bfh4niN3kAR6uO9QgFZ/afCwgqI6v2WbmD9HYjTbqk81Yj9NN8jFs+eXqpUuqG\n 9uroiDlKupoDZMlS2Oy8sRqZcaBDP6IRCAmYIRBEnEQ/SOrE+OB9etmJMD/RQ6DH+Wz2\n e3g6T4i94UKNCMtBGRVg+9tmZ6M3ivzfUpITnn8Pf/Y2MC4lvssAE2PkdeSyRFBv9sPu\n vz9OSXx6LwUGEYe6rP5zdbGH5OJcwyIAhC+LDvwGMU4k429y4G4ySt+F9Fdy53S5jEAd\n ZBPQ==","X-Gm-Message-State":"AOJu0YwCgOFMPkAYKxdua1V/JwBenWHkfp+kLdXmcoaGRBML10jaYzop\n zBO5f9TOlxY1HTnTvikUmjbNp7Qnb201Tu9OjrPEeplnUdZAkPVpe8XmoEisZvzX7IYos5Iszkh\n +01NUAA8=","X-Gm-Gg":"AeBDietnEfjRvyAcaH7hdMLNE10kUEdYAlyesyHWLzhxUAZCGs4ccsqSKIjHMgBkRlx\n HF9LyfSn8Pp8JdmMb14+4BKzszPEQd38LwX5rRXKCT3aQUFu3/o5ZH2Fn2R3eDs76d2BY7aQfRh\n kFkRxCZQLaCGZiAhTe/qZrEG9sD3lZlyLqCqD05REklDbqq7HfF7XjbyjruovlLHgv9lSiUpz3q\n 0bgeHqP4scAbTmxeC1X/qUKfLF/6YXq/zO98wfOfa5c0naHvqU44ZgaPNKSzHipVlb8anobkEI3\n JQyiA1DbH2oOJXp4RmmUcGRgdvMotqLjQQ2FXu12vXfqzrGkwloTSYus3lAltnklmYwjZJpANma\n 0CsOQ/wNiCSY05ZEXu/zjn9+KCPRzDxYHJ/Km++6Mj3YQH+aU8N6du0mv0AcJlYxodfITM9Hczv\n XR4vdoLX1x40lFd6t1iWKWH9gq3ceTzdq+1Lr04F/owqSwFSruyR/g8p6mibUjYmYHmthKF62f","X-Received":"by 2002:a05:6000:612:b0:43e:a81d:c475 with SMTP id\n 
ffacd0b85a97d-43ea81dc4d7mr2249966f8f.6.1776172883117;\n Tue, 14 Apr 2026 06:21:23 -0700 (PDT)","From":"=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>","To":"qemu-devel@nongnu.org","Subject":"[PULL 3/3] ati-vga: fix unsigned integer overflow in cursor bounds\n checks","Date":"Tue, 14 Apr 2026 15:20:59 +0200","Message-ID":"<20260414132100.53861-4-philmd@linaro.org>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260414132100.53861-1-philmd@linaro.org>","References":"<20260414132100.53861-1-philmd@linaro.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2a00:1450:4864:20::434;\n envelope-from=philmd@linaro.org; helo=mail-wr1-x434.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"From: Junjie Cao <junjie.cao@intel.com>\n\nThe cursor bounds checks compare (srcoff + N) against vram_size, but\nboth sides are uint32_t so the addition can wrap past UINT32_MAX 
when\nsrcoff underflows from the cur_hv_offs subtraction, causing the check\nto be bypassed.\n\nRewrite the checks as (srcoff > vram_size - N) to avoid the\noverflow-prone addition, matching the style already used in\nati_mm_read() and ati_mm_write().\n\nCc: qemu-stable@nongnu.org\nFixes: 2f1fbe6ee9b5 (\"ati-vga: Make sure hardware cursor data is within vram\")\nSigned-off-by: Junjie Cao <junjie.cao@intel.com>\nMessage-ID: <20260414141458.1076014-1-junjie.cao@intel.com>\nReviewed-by: BALATON Zoltan <balaton@eik.bme.hu>\nSigned-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>\n---\n hw/display/ati.c | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)","diff":"diff --git a/hw/display/ati.c b/hw/display/ati.c\nindex 88a5bbbf07a..0489995d00b 100644\n--- a/hw/display/ati.c\n+++ b/hw/display/ati.c\n@@ -149,7 +149,7 @@ static void ati_cursor_define(ATIVGAState *s)\n     /* FIXME handle cur_hv_offs correctly */\n     srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -\n              (s->regs.cur_hv_offs & 0xffff) * 16;\n-    if (srcoff + 64 * 16 > s->vga.vram_size) {\n+    if (srcoff > s->vga.vram_size - 64 * 16) {\n         return;\n     }\n     for (int i = 0; i < 64; i++, srcoff += 16) {\n@@ -206,7 +206,7 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)\n     }\n     /* FIXME handle cur_hv_offs correctly */\n     srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;\n-    if (srcoff + 16 > s->vga.vram_size) {\n+    if (srcoff > s->vga.vram_size - 16) {\n         return;\n     }\n     dp = &dp[vga->hw_cursor_x];\n","prefixes":["PULL","3/3"]}
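Review bot: in the ati_cursor_define() hunk the new guard `if (srcoff > s->vga.vram_size - 64 * 16)` does close the wrap in `srcoff + 64 * 16`, because a srcoff that wrapped to a huge value in the cur_hv_offs subtraction now compares greater than any in-range bound, but it moves the unchecked unsigned arithmetic to the other side: `s->vga.vram_size - 64 * 16` wraps if vram_size is ever below 1024 bytes, which would make the guard accept everything. The commit message says this mirrors ati_mm_read() and ati_mm_write(), so please confirm vram_size has an enforced minimum at realize time; if it does not, write the check as `if (s->vga.vram_size < 64 * 16 || srcoff > s->vga.vram_size - 64 * 16)`. The loop below reads 64 rows of 16 bytes, so 64 * 16 is the right span, and the `/* FIXME handle cur_hv_offs correctly */` comment stays accurate since a wrapped srcoff is now rejected rather than computed correctly.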
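Review bot: the ati_cursor_draw_line() hunk has the same shape and the same caveat: `srcoff > s->vga.vram_size - 16` rejects a wrapped srcoff, but `s->vga.vram_size - 16` itself wraps for a vram_size below 16, so the guard should carry the same vram_size precondition as the first hunk. Separately, `srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16` can still wrap to a value that lands back inside vram if the check that ends just above the FIXME does not bound scr_y relative to hw_cursor_y; that is not an out-of-bounds read, since the new comparison still holds srcoff + 16 within vram_size, but the line would then be drawn from an unrelated vram offset rather than skipped. A one-line comment above the guard stating that srcoff may have wrapped and that the comparison is meant to catch it would keep the next reader from reopening the FIXME.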