Check for out of range update regions (original patch from Anthony Liguori).

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4024 c046a42c-6fe2-441c-8c8c-71466251a162

Check for out of range update regions (original patch from Anthony Liguori).
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4024 c046a42c-6fe2-441c-8c8c-71466251a162
balrog
1 parent 3016d80b
Showing 1 changed file with 27 additions and 6 deletions
hw/vmware_vga.c
@@ -291,12 +291,33 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
                 int x, int y, int w, int h)
 {
 #ifndef DIRECT_VRAM
-    int line = h;
-    int bypl = s->bypp * s->width;
-    int width = s->bypp * w;
-    int start = s->bypp * x + bypl * y;
-    uint8_t *src = s->vram + start;
-    uint8_t *dst = s->ds->data + start;
+    int line;
+    int bypl;
+    int width;
+    int start;
+    uint8_t *src;
+    uint8_t *dst;
+
+    if (x + w > s->width) {
+        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+                        __FUNCTION__, x, w);
+        x = MIN(x, s->width);
+        w = s->width - x;
+    }
+
+    if (y + h > s->height) {
+        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+                        __FUNCTION__, y, h);
+        y = MIN(y, s->height);
+        h = s->height - y;
+    }
+
+    line = h;
+    bypl = s->bypp * s->width;
+    width = s->bypp * w;
+    start = s->bypp * x + bypl * y;
+    src = s->vram + start;
+    dst = s->ds->data + start;
     for (; line > 0; line --, src += bypl, dst += bypl)
         memcpy(dst, src, width);