From ec32d84bd7ee57ab1089dc7b3cb5703aa98e8d25 Mon Sep 17 00:00:00 2001
Message-Id: <ec32d84bd7ee57ab1089dc7b3cb5703aa98e8d25.1427148003.git.jen@redhat.com>
In-Reply-To: <b8c4fd0ae93c624609d61e4789afa7daaf50a8f1.1427148003.git.jen@redhat.com>
References: <b8c4fd0ae93c624609d61e4789afa7daaf50a8f1.1427148003.git.jen@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 11 Mar 2015 15:10:59 -0500
Subject: [CHANGE 5/9] hw/display/qxl: fix signed to unsigned comparison
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To: rhvirt-patches@redhat.com,
    jen@redhat.com

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1426086663-17937-6-git-send-email-kraxel@redhat.com>
Patchwork-id: 64286
O-Subject: [RHEL-6.7 qemu-kvm PATCH v4 5/9] hw/display/qxl: fix signed to unsigned comparison
Bugzilla: 1053039
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

From: Alon Levy <alevy@redhat.com>

Several small signedness / overflow corrections to qxl_create_guest_primary:
1. use 64 bit unsigned for size to avoid overflow possible from two 32
bit multiplicands.
2. correct sign for requested_height
3. add a more verbose error message when setting guest bug state (which
causes a complete guest blackout until reset, so it helps if it is
verbose).

Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 3761abb167847e9d848588bf15c5d7476845f7e8)
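Added example, not code from the patch or from QEMU: the primary-surface size check as the removed lines computed it beside the check as the added lines compute it, with the old `int` multiplication modelled as explicit 32-bit wraparound and `vgamem_size` assumed to be a `uint32_t` (the patch prints it with `PRIu32`).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Old check: abs(stride) * height in int, then int > uint32_t.
 * Signed overflow is undefined in C, so the wrap that happens in practice
 * on two's-complement hardware is modelled here with uint32_t maths. */
static int old_check_rejects(int32_t stride, int32_t height, uint32_t vgamem_size)
{
    uint32_t abs_stride = stride < 0 ? 0u - (uint32_t)stride : (uint32_t)stride;
    uint32_t size = abs_stride * (uint32_t)height;   /* wraps modulo 2^32 */
    /* in `int size > uint32_t vgamem_size` size is converted to unsigned */
    return size > vgamem_size;
}

/* New check: refuse INT32_MIN (abs() of it is undefined) and widen the
 * product to 64 bits so two 32-bit guest values can no longer wrap. */
static int new_check_rejects(int32_t stride, uint32_t height, uint32_t vgamem_size)
{
    if (stride == INT32_MIN) {
        return 1;
    }
    uint64_t size = (uint64_t)abs(stride) * height;
    return size > vgamem_size;
}

int main(void)
{
    const uint32_t vgamem = 16u * 1024 * 1024;   /* constructed: 16 MiB framebuffer */
    /* constructed guest request: 64 KiB stride x 65536 rows = 4 GiB, wraps to 0 */
    printf("old rejects: %d  new rejects: %d\n",
           old_check_rejects(65536, 65536, vgamem),
           new_check_rejects(65536, 65536, vgamem));   /* old rejects: 0  new rejects: 1 */
    return 0;
}
```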
---
 hw/qxl.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

Signed-off-by: Jeff E. Nelson <jen@redhat.com>
---

diff --git a/hw/qxl.c b/hw/qxl.c
index 9dc9241..dc6d8af 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -20,6 +20,7 @@
 
 #include <pthread.h>
 #include <zlib.h>
+#include <stdint.h>
 
 #include "qemu-common.h"
 #include "qemu-timer.h"
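Review bot: <stdint.h> covers uint32_t and INT32_MIN used in the next hunk, but the PRIu32 format macro added there is defined by <inttypes.h>, not <stdint.h>; unless "qemu-common.h" is already known to pull in <inttypes.h>, include <inttypes.h> here instead (it includes <stdint.h> itself) so the file does not rely on an indirect include for the macro.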
@@ -1372,14 +1373,16 @@ static void qxl_create_guest_primary(PCIQXLDevice *qxl, int loadvm,
 {
     QXLDevSurfaceCreate surface;
     QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
-    int size;
-    int requested_height = le32_to_cpu(sc->height);
+    uint32_t requested_height = le32_to_cpu(sc->height);
     int requested_stride = le32_to_cpu(sc->stride);
 
-    size = abs(requested_stride) * requested_height;
-    if (size > qxl->vgamem_size) {
-        qxl_set_guest_bug(qxl, "%s: requested primary larger then framebuffer"
-                               " size", __func__);
+    if (requested_stride == INT32_MIN ||
+        abs(requested_stride) * (uint64_t)requested_height
+                                        > qxl->vgamem_size) {
+        qxl_set_guest_bug(qxl, "%s: requested primary larger than framebuffer"
+                               " stride %d x height %" PRIu32 " > %" PRIu32,
+                               __func__, requested_stride, requested_height,
+                               qxl->vgamem_size);
         return;
     }
 
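Review bot: the `requested_stride == INT32_MIN` guard is what makes the following `abs(requested_stride)` well defined (abs(INT32_MIN) is undefined behaviour), but nothing in the code says so; a one-line comment above the condition would keep a later cleanup from dropping the guard as redundant. Also confirm that nothing below this hunk still reads the removed `size` local or relies on `requested_height` being signed, since it is now uint32_t and the product is compared in 64 bits rather than through the old int-to-unsigned conversion.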
-- 
2.1.0

