summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch139
1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
new file mode 100644
index 0000000000..e7258a43d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
+From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
+
+This increases readability and cleans up some confusing naming.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index bd3ccfe311..f42d05e1e4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+- int operation = (s->twoD_control >> 16) & 0x1f;
++ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & 0x8000000;
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+ int dst_y = s->twoD_destination & 0xFFFF;
+- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int operation_height = s->twoD_dimension & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t color = s->twoD_foreground;
+- int format_flags = (s->twoD_stretch >> 20) & 0x3;
+- int addressing = (s->twoD_stretch >> 16) & 0xF;
++ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* get frame buffer info */
+ uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_width = s->twoD_pitch & 0x1FFF;
+- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+- if (addressing != 0x0) {
++ if ((s->twoD_stretch >> 16) & 0xF) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+ return;
+ }
+@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- switch (operation) {
++ switch (cmd) {
+ case 0x00: /* copy area */
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
+ _pixel_type val; \
+ \
+ if (rtl) { \
+- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
++ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
++ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+ } else { \
+- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
++ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ } \
+ if (rop_mode == 1 && rop == 5) { \
+ /* Invert dest */ \
+@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
+ } \
+ } \
+ }
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ COPY_AREA(1, uint8_t, rtl);
+ break;
+@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
+ case 0x01: /* fill rectangle */
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
+- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
++ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+ } \
+ } \
+ }
+
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ FILL_RECT(1, uint8_t);
+ break;
+@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
+
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+- operation);
++ cmd);
+ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+ dst_base <= get_fb_addr(s, crt) + fb_len) {
+- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+- dst_x + operation_width) * (1 << format_flags));
++ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
++ dst_x + width) * (1 << format));
+ if (dst_len) {
+ memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+ }
+--
+2.25.1
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-03 11:32:47 +0000