On 04/29/20 13:52, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> ---
> hw/display/ramfb.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c
> index eb8b4bc49a2f..be884c9ea837 100644
> --- a/hw/display/ramfb.c
> +++ b/hw/display/ramfb.c
> @@ -15,6 +15,7 @@
> #include "qapi/error.h"
> #include "hw/loader.h"
> #include "hw/display/ramfb.h"
> +#include "hw/display/bochs-vbe.h" /* for limits */
> #include "ui/console.h"
> #include "sysemu/reset.h"
>
> @@ -49,6 +50,11 @@ static DisplaySurface *ramfb_create_display_surface(int
> width, int height,
> hwaddr size;
> void *data;
>
> + if (width < 16 || width > VBE_DISPI_MAX_XRES ||
> + height < 16 || height > VBE_DISPI_MAX_YRES ||
> + format == 0 /* unknown format */)
> + return NULL;
> +
> if (linesize == 0) {
> linesize = width * PIXMAN_FORMAT_BPP(format) / 8;
> }
>
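Review bot: A non-zero `linesize` is still accepted unchecked in the second hunk: the new guard bounds `width`, `height` and `format`, but the `if (linesize == 0)` that follows only fills in a default and leaves any other value as given. If the stride comes from the same guest-written configuration as the dimensions (inferred, the caller is not in the hunk), a stride shorter than one row of pixels should be rejected as well, for example `if (linesize != 0 && linesize < width * PIXMAN_FORMAT_BPP(format) / 8) { return NULL; }` placed after the new check. The rest of the function lies outside the hunk, so how `size` is derived from `linesize` and `height` cannot be confirmed here. As a style point, the added multi-line `if` has no braces around `return NULL;`, unlike the braced `if (linesize == 0) {` beside it.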
Reviewed-by: Laszlo Ersek <ler...@redhat.com>