haraldwolff/qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
qemu-patch-raspberry4/hw/display
History
Marc-André Lureau 2c8ebac7cc vga: fix invalid read after free 
After calling dpy_gfx_replace_surface(s->con, surface), the outer
surface is invalid.

==5370== Invalid read of size 4
==5370==    at 0x460229: surface_bits_per_pixel (console.h:250)
==5370==    by 0x466A81: get_depth_index (vga.c:1173)
==5370==    by 0x467EC2: vga_draw_graphic (vga.c:1718)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)
==5370==    by 0x3EB543: gui_update (console.c:192)
==5370==    by 0x3C43B3: timerlist_run_timers (qemu-timer.c:488)
==5370==    by 0x3C4416: qemu_clock_run_timers (qemu-timer.c:499)
==5370==  Address 0x22ffb1e0 is 0 bytes inside a block of size 56 free'd
==5370==    at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5370==    by 0x4245FC: free_and_trace (vl.c:2771)
==5370==    by 0x50899AE: g_free (gmem.c:252)
==5370==    by 0x3EE8D3: qemu_free_displaysurface (console.c:1332)
==5370==    by 0x3EEDB7: dpy_gfx_replace_surface (console.c:1427)
==5370==    by 0x467EB6: vga_draw_graphic (vga.c:1714)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)

Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1383664554-15248-1-git-send-email-marcandre.lureau@gmail.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-11-05 20:01:11 -08:00
..
ads7846.c hw: move target-independent files to subdirectories 2013-04-08 18:13:12 +02:00
blizzard.c console: add device link to QemuConsoles 2013-04-25 14:45:46 -05:00
blizzard_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga.c cirrus: Mark vga io region as coalesced MMIO flushing 2013-10-17 17:24:15 +02:00
cirrus_vga_rop.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga_rop2.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
exynos4210_fimd.c exynos4210_fimd: QOM cast cleanup 2013-07-29 21:05:58 +02:00
framebuffer.c memory: add ref/unref calls 2013-07-04 17:42:45 +02:00
framebuffer.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
g364fb.c g364fb: QOM cast cleanup 2013-07-29 21:05:58 +02:00
jazz_led.c jazz_led: QOM cast cleanup 2013-07-29 21:05:59 +02:00
Makefile.objs qxl: compile only once 2013-09-18 11:13:29 +02:00
milkymist-tmu2.c milkymist-tmu2: QOM cast cleanup 2013-07-29 21:06:02 +02:00
milkymist-vgafb.c milkymist-vgafb: QOM cast cleanup 2013-07-29 21:06:05 +02:00
milkymist-vgafb_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
omap_dss.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
omap_lcd_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
omap_lcdc.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
pl110.c pl110: Clarify comment about PL110 ID on VersatilePB 2013-09-10 19:09:33 +01:00
pl110_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
pxa2xx_lcd.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
pxa2xx_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
qxl-logger.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
qxl-render.c qxl: fix local renderer 2013-09-10 11:14:08 +02:00
qxl.c qxl: replace pipe signaling with bottom half 2013-11-04 12:31:42 +01:00
qxl.h qxl: replace pipe signaling with bottom half 2013-11-04 12:31:42 +01:00
sm501.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
sm501_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
ssd0303.c console: add device link to QemuConsoles 2013-04-25 14:45:46 -05:00
ssd0323.c console: add device link to QemuConsoles 2013-04-25 14:45:46 -05:00
tc6393xb.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
tc6393xb_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
tcx.c tcx: QOM cast cleanup 2013-07-29 21:06:05 +02:00
vga-isa-mm.c vga: pass owner to vga_init_vbe 2013-07-04 17:42:46 +02:00
vga-isa.c devices: Associate devices to their logical category 2013-07-29 10:37:09 -05:00
vga-pci.c devices: Associate devices to their logical category 2013-07-29 10:37:09 -05:00
vga.c vga: fix invalid read after free 2013-11-05 20:01:11 -08:00
vga.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
vga_int.h vga: pass owner to vga_init_io 2013-07-04 17:42:46 +02:00
vga_template.h bswap.h: Remove cpu_to_32wu() 2013-11-05 19:57:47 -08:00
vmware_vga.c devices: Associate devices to their logical category 2013-07-29 10:37:09 -05:00
xenfb.c console: qom-ify QemuConsole 2013-04-25 14:45:46 -05:00