From 9c18a9234bab9d5e903f897b30fb4a37888aebfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 4 Jul 2023 11:16:42 +0200
Subject: [PATCH] virtio-gpu: fix potential divide-by-zero regression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 9462ff4695aa0 ("virtio-gpu/win32: allocate shareable 2d resources/images") introduces a division, which can lead to crashes when "height" is 0.
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1744
Reviewed-by: Alexander Bulekov
Signed-off-by: Marc-André Lureau
---
 hw/display/virtio-gpu.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index befa7d6d78..e937c4e348 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -303,10 +303,11 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
 goto end;
 }
 #endif
- res->image = pixman_image_create_bits(pformat,
- c2d.width,
- c2d.height,
- bits, res->hostmem / c2d.height);
+ res->image = pixman_image_create_bits(
+ pformat,
+ c2d.width,
+ c2d.height,
+ bits, c2d.height ? res->hostmem / c2d.height : 0);
 #ifdef WIN32
 if (res->image) {
 pixman_image_set_destroy_function(res->image, win32_pixman_image_destroy, res->handle);
@@ -1272,9 +1273,10 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
 return -EINVAL;
 }
 #endif
- res->image = pixman_image_create_bits(pformat,
- res->width, res->height,
- bits, res->hostmem / res->height);
+ res->image = pixman_image_create_bits(
+ pformat,
+ res->width, res->height,
+ bits, res->height ? res->hostmem / res->height : 0);
 if (!res->image) {
 g_free(res);
 return -EINVAL;
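Review bot: The added `c2d.height ? res->hostmem / c2d.height : 0` guard removes the division fault, but a zero-height resource still reaches `pixman_image_create_bits()` with a stride of 0, and `c2d` appears to be the guest's create command. Whether pixman then fails or returns an image with no backing rows is not visible from this hunk, so every later user of `res->image` would depend on that behaviour. Unless an earlier check in virtio_gpu_resource_create_2d (its body starts and ends outside the hunk) already rejects empty dimensions, an explicit `if (c2d.width == 0 || c2d.height == 0)` that takes the function's existing error path (the hunk shows a `goto end` just above) would state the policy. The same applies to the `res->height` guard in the virtio_gpu_load hunk, where the value presumably comes from the migration stream and `return -EINVAL` is already the failure path.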
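Review bot: The guarded stride expression in virtio_gpu_load now duplicates the one in virtio_gpu_resource_create_2d, differing only in where the height comes from, so the two call sites can drift apart on the next change. A small static helper that takes the host memory size and the height and returns the stride (0 for a zero height) would keep them consistent. It could carry a one-line comment such as `/* stride is 0 for an empty image; avoids dividing by a zero height */`. virtio_gpu_load's body extends beyond the hunk on both sides.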