@@ -1204,6 +1204,16 @@ static void qxl_create_guest_primary(PCIQXLDevice *qxl, int loadvm,
{
QXLDevSurfaceCreate surface;
QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
+ int size;
+ int requested_height = le32_to_cpu(sc->height);
+ int requested_stride = le32_to_cpu(sc->stride);
+
+ size = abs(requested_stride) * requested_height;
+ if (size > qxl->fb_size) {
+ qxl_set_guest_bug(qxl, "%s: requested primary larger then framebuffer"
+ " size", __func__);
+ return;
+ }
if (qxl->mode == QXL_MODE_NATIVE) {
qxl_set_guest_bug(qxl, "%s: nop since already in QXL_MODE_NATIVE",
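Review bot: The new bound check is itself bypassable, because `requested_stride` and `requested_height` are guest-controlled 32-bit values stored in `int` before the multiply: a negative height makes `size` negative and sails past `size > qxl->fb_size`, a stride of `INT_MIN` makes `abs()` undefined behaviour, and a product such as `0x10000 * 0x10000` overflows (signed overflow is UB, and in practice wraps to 0) and also passes. Since the point of the check is to stop a guest from describing a primary larger than the framebuffer, do the arithmetic in 64 bits on the raw unsigned values and reject a zero or out-of-range height explicitly rather than relying on the sign of the product. The width of `qxl->fb_size` is not visible here; if it is narrower than 64 bits the comparison should widen it rather than truncate `size`. qxl_create_guest_primary continues outside the hunk, so whatever later consumes `sc->stride`/`sc->height` after this guard is not visible. The message typo "larger then" would also read better as "larger than".
```c
    uint32_t requested_height = le32_to_cpu(sc->height);
    int32_t requested_stride = le32_to_cpu(sc->stride);
    uint64_t abs_stride = requested_stride < 0 ?
        (uint64_t)-(int64_t)requested_stride : (uint64_t)requested_stride;
    uint64_t size = abs_stride * requested_height;

    /* height is validated separately so a 0 or absurd height cannot mask
     * a stride the framebuffer cannot hold */
    if (requested_height == 0 || size > (uint64_t)qxl->fb_size) {
        qxl_set_guest_bug(qxl, "%s: requested primary larger than framebuffer"
                          " size", __func__);
        return;
    }
    /* … unchanged: QXL_MODE_NATIVE check … */
```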
Signed-off-by: Alon Levy <alevy@redhat.com> --- hw/qxl.c | 10 ++++++++++ 1 file changed, 10 insertions(+)