WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-changelog

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-changelog] [xen-3.0.5-testing] [qemu-dm] Add bounds checks for cirr

from [Xen patchbot-3.0.5-testing] [Permanent Link][Original]
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-3.0.5-testing] [qemu-dm] Add bounds checks for cirrus bitblit memory accesses.
From: "Xen patchbot-3.0.5-testing" <patchbot-3.0.5-testing@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 25 Apr 2007 08:40:39 -0700
Delivery-date: Wed, 25 Apr 2007 09:54:08 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx 
# HG changeset patch
# User Christian Limpach <Christian.Limpach@xxxxxxxxxxxxx>
# Date 1177430527 -3600
# Node ID 9e86260b95a4fad1fa0ae8e3df13453311bf2f34
# Parent  a99093e602c6646cb2b4617dd0544ea17edef724
[qemu-dm] Add bounds checks for cirrus bitblit memory accesses.

Signed-off-by: Christian Limpach <Christian.Limpach@xxxxxxxxxxxxx>
---
 tools/ioemu/hw/cirrus_vga.c      |    3 
 tools/ioemu/hw/cirrus_vga_rop.h  |   35 +++++++++-
 tools/ioemu/hw/cirrus_vga_rop2.h |  132 ++++++++++++++++++++++++---------------
 3 files changed, 116 insertions(+), 54 deletions(-)

diff -r a99093e602c6 -r 9e86260b95a4 tools/ioemu/hw/cirrus_vga.c
--- a/tools/ioemu/hw/cirrus_vga.c       Tue Apr 24 16:52:15 2007 +0100
+++ b/tools/ioemu/hw/cirrus_vga.c       Tue Apr 24 17:02:07 2007 +0100
@@ -601,7 +601,8 @@ static void cirrus_invalidate_region(Cir
        off_cur_end = off_cur + bytesperline;
        off_cur &= TARGET_PAGE_MASK;
        while (off_cur < off_cur_end) {
-           cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
+           cpu_physical_memory_set_dirty(s->vram_offset +
+                                         (off_cur & s->cirrus_addr_mask));
            off_cur += TARGET_PAGE_SIZE;
        }
        off_begin += off_pitch;
diff -r a99093e602c6 -r 9e86260b95a4 tools/ioemu/hw/cirrus_vga_rop.h
--- a/tools/ioemu/hw/cirrus_vga_rop.h   Tue Apr 24 16:52:15 2007 +0100
+++ b/tools/ioemu/hw/cirrus_vga_rop.h   Tue Apr 24 17:02:07 2007 +0100
@@ -22,18 +22,36 @@
  * THE SOFTWARE.
  */
 
+#define get_base(p, s, b) do { \
+    if ((p) >= (s)->vram_ptr && (p) < (s)->vram_ptr + (s)->vram_size) \
+       (b) = (s)->vram_ptr; \
+    else if ((p) >= &(s)->cirrus_bltbuf[0] && \
+            (p) < &(s)->cirrus_bltbuf[CIRRUS_BLTBUFSIZE]) \
+       (b) = &(s)->cirrus_bltbuf[0]; \
+    else \
+       return; \
+} while(0)
+
+#define m(x) ((x) & s->cirrus_addr_mask)
+
 static void
 glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
-                             uint8_t *dst,const uint8_t *src,
+                             uint8_t *dst_,const uint8_t *src_,
                              int dstpitch,int srcpitch,
                              int bltwidth,int bltheight)
 {
     int x,y;
+    uint32_t dst, src;
+    uint8_t *dst_base, *src_base;
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     dstpitch -= bltwidth;
     srcpitch -= bltwidth;
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
-            ROP_OP(*dst, *src);
+            ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
             dst++;
             src++;
         }
@@ -44,16 +62,22 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
 
 static void
 glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
-                                        uint8_t *dst,const uint8_t *src,
+                                        uint8_t *dst_,const uint8_t *src_,
                                         int dstpitch,int srcpitch,
                                         int bltwidth,int bltheight)
 {
     int x,y;
+    uint32_t dst, src;
+    uint8_t *dst_base, *src_base;
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     dstpitch += bltwidth;
     srcpitch += bltwidth;
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
-            ROP_OP(*dst, *src);
+            ROP_OP(*(dst_base + m(dst)), *(src_base + m(src)));
             dst--;
             src--;
         }
@@ -76,3 +100,6 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(
 
 #undef ROP_NAME
 #undef ROP_OP
+
+#undef get_base
+#undef m
diff -r a99093e602c6 -r 9e86260b95a4 tools/ioemu/hw/cirrus_vga_rop2.h
--- a/tools/ioemu/hw/cirrus_vga_rop2.h  Tue Apr 24 16:52:15 2007 +0100
+++ b/tools/ioemu/hw/cirrus_vga_rop2.h  Tue Apr 24 17:02:07 2007 +0100
@@ -23,36 +23,42 @@
  */
 
 #if DEPTH == 8
-#define PUTPIXEL()    ROP_OP(d[0], col)
+#define PUTPIXEL()    ROP_OP((dst_base + m(d))[0], col)
 #elif DEPTH == 16
-#define PUTPIXEL()    ROP_OP(((uint16_t *)d)[0], col);
+#define PUTPIXEL()    ROP_OP(((uint16_t *)(dst_base + m(d)))[0], col);
 #elif DEPTH == 24
-#define PUTPIXEL()    ROP_OP(d[0], col); \
-                      ROP_OP(d[1], (col >> 8)); \
-                      ROP_OP(d[2], (col >> 16))
+#define PUTPIXEL()    ROP_OP((dst_base + m(d))[0], col); \
+                      ROP_OP((dst_base + m(d))[1], (col >> 8)); \
+                      ROP_OP((dst_base + m(d))[2], (col >> 16))
 #elif DEPTH == 32
-#define PUTPIXEL()    ROP_OP(((uint32_t *)d)[0], col)
+#define PUTPIXEL()    ROP_OP(((uint32_t *)(dst_base + m(d)))[0], col)
 #else
 #error unsupported DEPTH
 #endif                
 
 static void
 glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
-     (CirrusVGAState * s, uint8_t * dst,
-      const uint8_t * src, 
-      int dstpitch, int srcpitch, 
-      int bltwidth, int bltheight)
-{
-    uint8_t *d;
+     (CirrusVGAState * s, uint8_t * dst_,
+      const uint8_t * src_, 
+      int dstpitch, int srcpitch, 
+      int bltwidth, int bltheight)
+{
+    uint8_t *dst_base, *src_base;
+    uint32_t src, dst;
+    uint32_t d;
     int x, y, pattern_y, pattern_pitch, pattern_x;
     unsigned int col;
-    const uint8_t *src1;
+    uint32_t src1;
 #if DEPTH == 24
     int skipleft = s->gr[0x2f] & 0x1f;
 #else
     int skipleft = (s->gr[0x2f] & 0x07) * (DEPTH / 8);
 #endif
 
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
 #if DEPTH == 8
     pattern_pitch = 8;
 #elif DEPTH == 16
@@ -67,19 +73,19 @@ glue(glue(glue(cirrus_patternfill_, ROP_
         src1 = src + pattern_y * pattern_pitch;
         for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
 #if DEPTH == 8
-            col = src1[pattern_x];
+            col = *(src_base + m(src1 + pattern_x));
             pattern_x = (pattern_x + 1) & 7;
 #elif DEPTH == 16
-            col = ((uint16_t *)(src1 + pattern_x))[0];
+            col = *(uint16_t *)(src_base + m(src1 + pattern_x));
             pattern_x = (pattern_x + 2) & 15;
 #elif DEPTH == 24
             {
-                const uint8_t *src2 = src1 + pattern_x * 3;
+                const uint8_t *src2 = src_base + m(src1 + pattern_x * 3);
                 col = src2[0] | (src2[1] << 8) | (src2[2] << 16);
                 pattern_x = (pattern_x + 1) & 7;
             }
 #else
-            col = ((uint32_t *)(src1 + pattern_x))[0];
+            col = *(uint32_t *)(src_base + m(src1 + pattern_x));
             pattern_x = (pattern_x + 4) & 31;
 #endif
             PUTPIXEL();
@@ -93,12 +99,14 @@ glue(glue(glue(cirrus_patternfill_, ROP_
 /* NOTE: srcpitch is ignored */
 static void
 glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
-     (CirrusVGAState * s, uint8_t * dst,
-      const uint8_t * src, 
-      int dstpitch, int srcpitch, 
-      int bltwidth, int bltheight)
-{
-    uint8_t *d;
+     (CirrusVGAState * s, uint8_t * dst_,
+      const uint8_t * src_, 
+      int dstpitch, int srcpitch, 
+      int bltwidth, int bltheight)
+{
+    uint8_t *dst_base, *src_base;
+    uint32_t src, dst;
+    uint32_t d;
     int x, y;
     unsigned bits, bits_xor;
     unsigned int col;
@@ -112,6 +120,10 @@ glue(glue(glue(cirrus_colorexpand_transp
     int dstskipleft = srcskipleft * (DEPTH / 8);
 #endif
 
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
         bits_xor = 0xff;
         col = s->cirrus_blt_bgcol;
@@ -122,12 +134,12 @@ glue(glue(glue(cirrus_colorexpand_transp
 
     for(y = 0; y < bltheight; y++) {
         bitmask = 0x80 >> srcskipleft;
-        bits = *src++ ^ bits_xor;
+        bits = *(src_base + m(src++)) ^ bits_xor;
         d = dst + dstskipleft;
         for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
             if ((bitmask & 0xff) == 0) {
                 bitmask = 0x80;
-                bits = *src++ ^ bits_xor;
+                bits = *(src_base + m(src++)) ^ bits_xor;
             }
             index = (bits & bitmask);
             if (index) {
@@ -142,13 +154,15 @@ glue(glue(glue(cirrus_colorexpand_transp
 
 static void
 glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
-     (CirrusVGAState * s, uint8_t * dst,
-      const uint8_t * src, 
-      int dstpitch, int srcpitch, 
-      int bltwidth, int bltheight)
-{
+     (CirrusVGAState * s, uint8_t * dst_,
+      const uint8_t * src_, 
+      int dstpitch, int srcpitch, 
+      int bltwidth, int bltheight)
+{
+    uint8_t *dst_base, *src_base;
+    uint32_t src, dst;
     uint32_t colors[2];
-    uint8_t *d;
+    uint32_t d;
     int x, y;
     unsigned bits;
     unsigned int col;
@@ -156,16 +170,20 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
     int srcskipleft = s->gr[0x2f] & 0x07;
     int dstskipleft = srcskipleft * (DEPTH / 8);
 
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     colors[0] = s->cirrus_blt_bgcol;
     colors[1] = s->cirrus_blt_fgcol;
     for(y = 0; y < bltheight; y++) {
         bitmask = 0x80 >> srcskipleft;
-        bits = *src++;
+        bits = *(src_base + m(src++));
         d = dst + dstskipleft;
         for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
             if ((bitmask & 0xff) == 0) {
                 bitmask = 0x80;
-                bits = *src++;
+                bits = *(src_base + m(src++));
             }
             col = colors[!!(bits & bitmask)];
             PUTPIXEL();
@@ -178,12 +196,14 @@ glue(glue(glue(cirrus_colorexpand_, ROP_
 
 static void
 glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
-     (CirrusVGAState * s, uint8_t * dst,
-      const uint8_t * src, 
-      int dstpitch, int srcpitch, 
-      int bltwidth, int bltheight)
-{
-    uint8_t *d;
+     (CirrusVGAState * s, uint8_t * dst_,
+      const uint8_t * src_, 
+      int dstpitch, int srcpitch, 
+      int bltwidth, int bltheight)
+{
+    uint8_t *dst_base, *src_base;
+    uint32_t src, dst;
+    uint32_t d;
     int x, y, bitpos, pattern_y;
     unsigned int bits, bits_xor;
     unsigned int col;
@@ -195,6 +215,10 @@ glue(glue(glue(cirrus_colorexpand_patter
     int dstskipleft = srcskipleft * (DEPTH / 8);
 #endif
 
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV) {
         bits_xor = 0xff;
         col = s->cirrus_blt_bgcol;
@@ -205,7 +229,7 @@ glue(glue(glue(cirrus_colorexpand_patter
     pattern_y = s->cirrus_blt_srcaddr & 7;
 
     for(y = 0; y < bltheight; y++) {
-        bits = src[pattern_y] ^ bits_xor;
+        bits = *(src_base + m(src + pattern_y)) ^ bits_xor;
         bitpos = 7 - srcskipleft;
         d = dst + dstskipleft;
         for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
@@ -222,25 +246,31 @@ glue(glue(glue(cirrus_colorexpand_patter
 
 static void
 glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
-     (CirrusVGAState * s, uint8_t * dst,
-      const uint8_t * src, 
-      int dstpitch, int srcpitch, 
-      int bltwidth, int bltheight)
-{
+     (CirrusVGAState * s, uint8_t * dst_,
+      const uint8_t * src_, 
+      int dstpitch, int srcpitch, 
+      int bltwidth, int bltheight)
+{
+    uint8_t *dst_base, *src_base;
+    uint32_t src, dst;
     uint32_t colors[2];
-    uint8_t *d;
+    uint32_t d;
     int x, y, bitpos, pattern_y;
     unsigned int bits;
     unsigned int col;
     int srcskipleft = s->gr[0x2f] & 0x07;
     int dstskipleft = srcskipleft * (DEPTH / 8);
 
+    get_base(dst_, s, dst_base);
+    get_base(src_, s, src_base);
+    dst = dst_ - dst_base;
+    src = src_ - src_base;
     colors[0] = s->cirrus_blt_bgcol;
     colors[1] = s->cirrus_blt_fgcol;
     pattern_y = s->cirrus_blt_srcaddr & 7;
 
     for(y = 0; y < bltheight; y++) {
-        bits = src[pattern_y];
+        bits = *(src_base + m(src + pattern_y));
         bitpos = 7 - srcskipleft;
         d = dst + dstskipleft;
         for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
@@ -257,13 +287,17 @@ static void
 static void 
 glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH)
      (CirrusVGAState *s,
-      uint8_t *dst, int dst_pitch, 
+      uint8_t *dst_, int dst_pitch, 
       int width, int height)
 {
-    uint8_t *d, *d1;
+    uint8_t *dst_base;
+    uint32_t dst;
+    uint32_t d, d1;
     uint32_t col;
     int x, y;
 
+    get_base(dst_, s, dst_base);
+    dst = dst_ - dst_base;
     col = s->cirrus_blt_fgcol;
 
     d1 = dst;

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-3.0.5-testing] [qemu-dm] Add bounds checks for cirrus bitblit memory accesses., Xen patchbot-3.0.5-testing <=
Previous by Date:  [Xen-changelog] [xen-3.0.5-testing] [IA64] Fix ptc.g race, Xen patchbot-3.0.5-testing
Next by Date:  [Xen-changelog] [xen-3.0.5-testing] acm: Changes to XML schema of the policy, Xen patchbot-3.0.5-testing
Previous by Thread:  [Xen-changelog] [xen-3.0.5-testing] [IA64] Fix ptc.g race, Xen patchbot-3.0.5-testing
Next by Thread:  [Xen-changelog] [xen-3.0.5-testing] acm: Changes to XML schema of the policy, Xen patchbot-3.0.5-testing
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy