Commits · 18a536f1f8d6222e562f59179e837fdfd8b92718 · Anton / libtcg

May 28, 2023

ui/cursor: make width/height unsigned 16-bit integer · 4c93ce54

Mauro Matteo Cascella authored 1 year ago


Although not actually exploitable at the moment, a negative width/height
could make datasize wrap around and potentially lead to buffer overflow.
Since there is no reason a negative width/height is ever appropriate,
modify QEMUCursor struct and cursor_alloc prototype to accept uint16_t.
This protects us against accidentally introducing future bugs.

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Jacek Halon <jacek.halon@gmail.com>
Reported-by: Yair Mizrahi <yairh33@gmail.com>
Reported-by: Elsayed El-Refa'ei <e.elrefaei99@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20230523163023.608121-1-mcascell@redhat.com>

4c93ce54

Mar 13, 2023

ui: rename cursor_{get->ref}, return it · 2512a026

Marc-André Lureau authored 2 years ago


The naming is more conventional in QEMU code, and allows to simplify
some code by changing the API design, so it returns the input parameter,
instead of void.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

2512a026

ui: rename cursor_{put->unref} · f4579e28

Marc-André Lureau authored 2 years ago


The naming is more conventional in QEMU.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

f4579e28

Apr 07, 2022

ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) · fa892e9a

Mauro Matteo Cascella authored 2 years ago

Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/

 for more information.

Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

fa892e9a

Jun 12, 2019

Include qemu-common.h exactly where needed · a8d25326

Markus Armbruster authored 5 years ago


No header includes qemu-common.h after this commit, as prescribed by
qemu-common.h's file comment.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190523143508.25387-5-armbru@redhat.com>
[Rebased with conflicts resolved automatically, except for
include/hw/arm/xlnx-zynqmp.h hw/arm/nrf51_soc.c hw/arm/msf2-soc.c
block/qcow2-refcount.c block/qcow2-cluster.c block/qcow2-cache.c
target/arm/cpu.h target/lm32/cpu.h target/m68k/cpu.h target/mips/cpu.h
target/moxie/cpu.h target/nios2/cpu.h target/openrisc/cpu.h
target/riscv/cpu.h target/tilegx/cpu.h target/tricore/cpu.h
target/unicore32/cpu.h target/xtensa/cpu.h; bsd-user/main.c and
net/tap-bsd.c fixed up]

a8d25326

Sep 27, 2018

qxl: support mono cursors with inverted colors · 36ffc122

Peter Wu authored 6 years ago

Monochrome cursors are still used by Windows guests with the
QXL-WDDM-DOD driver. Such cursor types have one odd feature, inversion
of colors. GDK does not seem to support it, so implement an alternative
solution: fill the inverted pixels and add an outline to make the cursor
more visible. Tested with the text cursor in Notepad and Windows 10.

cursor_set_mono is also used by the vmware GPU, so add a special check
to avoid breaking its 32bpp format (tested with Kubuntu 14.04.4). I was
unable to find a guest which supports the 1bpp format with a vmware GPU.

The old implementation was buggy and removed in v2.10.0-108-g79c5a10cdd
("qxl: drop mono cursor support"), this version improves upon that by
adding bounds validation, clarifying the semantics of the two masks and
adds a workaround for inverted colors support.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1611984


Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Message-id: 20180903145447.17142-1-peter@lekensteyn.nl

[ kraxel: minor codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

36ffc122

Jan 22, 2018

Replace all occurances of __FUNCTION__ with __func__ · a89f364a

Alistair Francis authored 7 years ago


Replace all occurs of __FUNCTION__ except for the check in checkpatch
with the non GCC specific __func__.

One line in hcd-musb.c was manually tweaked to pass checkpatch.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
[THH: Removed hunks related to pxa2xx_mmci.c (fixed already)]
Signed-off-by: Thomas Huth <thuth@redhat.com>

a89f364a

Aug 31, 2017

ui: use DIV_ROUND_UP · 935b3332

Marc-André Lureau authored 7 years ago

I used the clang-tidy qemu-round check to generate the fix:
https://github.com/elmarco/clang-tools-extra



Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>

935b3332

Jun 20, 2016

coccinelle: Remove unnecessary variables for function return value · 9be38598

Eduardo Habkost authored 8 years ago


Use Coccinelle script to replace 'ret = E; return ret' with
'return E'. The script will do the substitution only when the
function return type and variable type are the same.

Manual fixups:

* audio/audio.c: coding style of "read (...)" and "write (...)"
* block/qcow2-cluster.c: wrap line to make it shorter
* block/qcow2-refcount.c: change indentation of wrapped line
* target-tricore/op_helper.c: fix coding style of
  "remainder|quotient"
* target-mips/dsp_helper.c: reverted changes because I don't
  want to argue about checkpatch.pl
* ui/qemu-pixman.c: fix line indentation
* block/rbd.c: restore blank line between declarations and
  statements

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1465855078-19435-4-git-send-email-ehabkost@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Unused Coccinelle rule name dropped along with a redundant comment;
whitespace touched up in block/qcow2-cluster.c; stale commit message
paragraph deleted]
Signed-off-by: Markus Armbruster <armbru@redhat.com>

9be38598

Feb 04, 2016

ui: Clean up includes · e16f4c87

Peter Maydell authored 9 years ago


Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1454089805-5470-2-git-send-email-peter.maydell@linaro.org

e16f4c87

Dec 19, 2012
- ui: move files to ui/ and include/ui/ · 28ecbaee
  Paolo Bonzini authored 12 years ago
  
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  28ecbaee
Mar 07, 2012

Fix sign of sscanf format specifiers · 1c467855

Stefan Weil authored 13 years ago


All values read by sscanf are unsigned, so replace %d by %u.

This signed / unsigned mismatch was detected by splint.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>

1c467855

Aug 21, 2011

Use glib memory allocation and free functions · 7267c094

Anthony Liguori authored 13 years ago


qemu_malloc/qemu_free no longer exist after this commit.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

7267c094

May 24, 2010

cursor: add cursor functions. · 254e5950

Gerd Hoffmann authored 14 years ago


Add a new cursor type to console.h and a bunch of functions to
deal with cursors the (new) cursor.c file.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

254e5950